Today (1 day before the 2nd Tuesday tranche of Siemens advisories), Siemens published an advisory discussing the Log4Shell vulnerability in their products. Siemens has provided a preliminary list of affected products. They have fixed their cloud-based products (okay, this may be an argument for having cloud-based control systems) and have provided updates for some of the affected products. They have also provided workarounds to mitigate the vulnerabilities.
It is disappointing that NCCIC-ICS has not yet published an advisory for this vulnerability, but they may have been waiting for an advisory like this from Siemens that provides actual mitigation measures (the SonicWall and VMware advisories were of the “we are looking at it” type with no mitigation measures). It will be interesting to see how NCCIC-ICS deals with this tomorrow.