If your site runs Siemens equipment — SIMATIC PLCs, SINEMA network management, SCALANCE switches, or any of the broader portfolio — you have two options for tracking vulnerabilities: monitor Siemens ProductCERT directly, or wait for CISA to republish the advisory.
The difference matters, and it's not just about timing.
What Is Siemens ProductCERT?
Siemens ProductCERT (Product Computer Emergency Readiness Team) is Siemens' internal security advisory team. They publish security advisories for Siemens OT and industrial products through Siemens' security advisory portal, typically coordinated with CISA under standard responsible disclosure practices.
Advisories are published in Siemens' own format — SSA (Siemens Security Advisory) and SSB (Siemens Security Bulletin) — and contain Siemens-specific information including exact affected product version ranges, firmware download links, and Siemens-specific mitigations.
What Is CISA ICS-CERT?
CISA's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) republishes ICS security advisories from multiple vendors in a standardised format called CSAF (Common Security Advisory Framework). When a Siemens advisory is significant enough, CISA will pick it up and republish it as an ICSA-prefixed advisory.
CISA's CSAF feed is machine-readable and structured, making it easy to parse programmatically. It covers 200+ ICS vendors, not just Siemens.
The Timing Difference
Siemens ProductCERT advisories are typically published on the same day as coordinated disclosure — usually the second Tuesday of each month (Siemens' equivalent of Patch Tuesday). CISA's republication can lag by a day or up to a week, depending on how quickly their team processes the advisory.
For a CVSS 9.8 remote code execution vulnerability in a widely deployed PLC, that lag matters. The vulnerability is known to the researcher who reported it and to Siemens' internal teams before it's public. Once it's published, the window between disclosure and exploitation in targeted attacks can be measured in days.
Getting the Siemens advisory on Tuesday rather than the following week is a meaningful operational difference.
What Each Feed Contains
| | Siemens ProductCERT | CISA ICS-CERT |
|---|---|---|
| Format | SSA/SSB PDF + CSAF JSON | CSAF JSON |
| Timing | Day of disclosure | Day of or up to 1 week later |
| Products covered | Siemens only | 200+ ICS vendors |
| Siemens-specific details | Full (firmware links, specific model variants) | Standardised subset |
| Machine-readable | Yes (CSAF) | Yes (CSAF) |
| KEV cross-reference | No | Yes (CISA maintains KEV) |
The practical answer for teams running Siemens equipment is: you want both. Siemens ProductCERT gives you early notice and deeper product-specific detail. CISA gives you the KEV match (confirming whether the vulnerability is being actively exploited) and covers your non-Siemens equipment.
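To make the "both feeds" point concrete, here is an added example (not OTWarden's or Siemens' code) that reads a CSAF 2.0 advisory, keeps the CVEs affecting watchlisted products, and flags the ones listed in a KEV catalogue. The advisory ID, CVE IDs and product names are constructed placeholders, and the function names are hypothetical.

```python
import json
# Constructed sample: a minimal CSAF 2.0 advisory. The ID and CVEs are placeholders.
ADVISORY = json.loads("""
{
  "document": {"tracking": {"id": "SSA-000000"}},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "Siemens", "branches": [
      {"category": "product_name", "name": "SIMATIC example PLC", "branches": [
        {"category": "product_version_range", "name": "vers:all/<V1.2",
         "product": {"product_id": "1", "name": "SIMATIC example PLC < V1.2"}}]},
      {"category": "product_name", "name": "SCALANCE example switch", "branches": [
        {"category": "product_version_range", "name": "vers:all/*",
         "product": {"product_id": "2", "name": "SCALANCE example switch"}}]}]}]},
  "vulnerabilities": [
    {"cve": "CVE-0000-00001", "product_status": {"known_affected": ["1"]},
     "scores": [{"cvss_v3": {"baseScore": 9.8}, "products": ["1"]}]},
    {"cve": "CVE-0000-00002", "product_status": {"known_affected": ["1", "2"]},
     "scores": [{"cvss_v3": {"baseScore": 5.3}, "products": ["1", "2"]}]}]
}
""")
# Constructed sample in the shape of CISA's KEV catalogue JSON.
KEV = {"vulnerabilities": [{"cveID": "CVE-0000-00001"}]}

def product_names(branches, out=None):
    """Walk the nested product_tree and map product_id -> full product name."""
    out = {} if out is None else out
    for b in branches:
        if "product" in b:
            out[b["product"]["product_id"]] = b["product"]["name"]
        product_names(b.get("branches", []), out)
    return out

def triage(advisory, kev, watchlist):
    """Return one row per CVE that affects a watchlisted product, KEV matches first."""
    names = product_names(advisory["product_tree"]["branches"])
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    rows = []
    for vuln in advisory.get("vulnerabilities", []):
        affected = [names.get(p, p) for p in vuln.get("product_status", {}).get("known_affected", [])]
        hits = [n for n in affected if any(w.lower() in n.lower() for w in watchlist)]
        if hits:
            score = max((s["cvss_v3"]["baseScore"] for s in vuln.get("scores", []) if "cvss_v3" in s), default=None)
            rows.append({"advisory": advisory["document"]["tracking"]["id"], "cve": vuln["cve"],
                         "cvss": score, "in_kev": vuln["cve"] in kev_ids, "products": hits})
    return sorted(rows, key=lambda r: (not r["in_kev"], -(r["cvss"] or 0)))

if __name__ == "__main__":
    print(*triage(ADVISORY, KEV, ["SIMATIC", "SCALANCE"]), sep="\n")
```

The same `triage` function works on an advisory from either feed, since both publish CSAF JSON; only the KEV lookup depends on CISA's data.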
How OTWarden Handles This
OTWarden monitors both feeds. We pull from the CISA CSAF repository for all advisories, and we have a separate Siemens ProductCERT feed that runs on its own schedule — fetching SSA/SSB advisories directly from Siemens before they appear in CISA.
When a new Siemens advisory is published, subscribers with Siemens on their watchlist receive an alert from our Siemens-native feed first, typically ahead of the CISA republication. When CISA publishes the corresponding ICSA advisory with KEV enrichment data, we update the record accordingly.
For sites with significant Siemens deployments, this means no gap between Siemens publishing and you knowing about it.
You can add Siemens — or any of the 200+ other ICS vendors we track — to your watchlist after starting a free trial at otwarden.com.