In this post last Tuesday, I reported on a call I’d received from a friend who works as an engineer at an important supplier of hardware products to the electric power industry. He’d called me after my Monday post made the point that I don’t believe there are true product risks, just vendor risks that apply to products.
My friend brought up a case that his company encountered. To quote my post:
There was a particular piece of third-party software that the supplier (i.e. my friend’s company) provided to their customers to use for collaboration with the supplier (so it wasn’t incorporated into one of their products). There was a vulnerability in this software that might have allowed an insider to gain control and do bad things. Despite this vulnerability, the supplier felt this product was still worth using, and they made a point of telling their customers about the vulnerability and how to mitigate it. Was this a product risk?...
I pointed out the difference between a vulnerability and a risk (in my way of thinking, of course). Software and firmware vulnerabilities occur all the time, but in my opinion they don’t constitute an actual risk unless the supplier a) doesn’t develop a patch in a timely manner, and b) doesn’t inform their customers and work with them to mitigate those vulnerabilities until a patch is developed, which is of course the best mitigation for a vulnerability…
…the risk is that a supplier will distribute third-party software that has an unpatched vulnerability that they know about but can’t patch (in this case, it’s because this software wasn’t part of one of their products – so they have no access to the code to develop a patch. And the third-party supplier wasn’t providing their own patch, for some reason), yet they also don’t inform their customers of the vulnerability, or how to mitigate it. Had this supplier not informed their customers of this vulnerability, it would have posed a serious risk for their customers. But of course this supplier did tell their customers and did suggest mitigating steps they could take… this supplier mitigated the risk as they should have done.
The next day, I got an email from Kevin Perry, bringing up an example he thought was a product risk:
…you cite the supplier as a risk because it knew there was a vulnerability and chose to tell their customers. The key part being the supplier knew about the vulnerability. Whether it chooses to inform simply defines the risk. But what if it is a zero-day vulnerability, either as a result of an unknown software vulnerability or a hardware issue? No one knows the vulnerability exists until one day you get taken down. Does that change anything? I look at this with the side channel vulnerability that exists in almost all modern computer processors. Yes, the feature was designed into the CPU for processor speed. The unintended consequence is that a well crafted exploit can take advantage of the feature to cause an exception and access the contents of the memory look-ahead cache before the exception handler clears the cache. It is possible to read memory outside of your process boundaries. Is this a supplier risk because you bought your computer from Dell or HP and it came with an Intel or AMD processor? Is it Intel’s or AMD’s “supplier” risk? Or is it truly a product risk.
Yes, once identified, there have been work-arounds developed. And as soon as a work-around is developed, a new exploit path is found. In the end, only a complete redesign of the CPU and replacement of any computer containing the old processors will resolve the issue. I am having problems characterizing this as a supplier risk. In my mind, a mitigation of a supplier risk could be to change suppliers. In this instance, there is no supplier that does not have the vulnerability in their processor’s module
In other words, Kevin is pointing to an unpatched (and unpatchable, in this case) vulnerability in a processor as an example of a true product vulnerability. My reply was:
It seems you're actually addressing three separate potential risks. The first is the risk that the supplier will know of an unpatched vulnerability but won't tell you about it. That's what I discussed in the post, and I think you agree with me that this supplier mitigated that risk by telling their users about the vulnerability. But not all suppliers can be counted on to do this! That's why CIP-013 R1.2.4 is there.
The second risk is that there will be a true zero-day hardware or software vulnerability in the product. Of course, the supplier can't tell you about this because they don't know about it either. But I don't call this a risk. Literally every digital hardware or software product in the world could have an unknown vulnerability in it. The only thing a supplier can do is be as vigilant as possible in looking for vulnerabilities (but even if they find a true zero-day vulnerability in their product, they will then know about it and it won't be zero-day any more. So risk no. 1 applies). And the user can be as vigilant as possible in testing the product, etc.
The third potential risk is that a hardware or software supplier will have a vulnerability in their product, which they can't fix at all - absent a complete redesign, as in the case of the Intel/AMD side channel vulnerability. This seems to me to be just another example of risk 1. The supplier can't patch the vulnerability, but they can at least tell you about it and let you decide whether or not you want to continue using the product. Of course, AMD and Intel have been quite open about this vulnerability, so I'd say they've mitigated the risk, just like the supplier in yesterday's post mitigated the risk by telling their customers about it. The customers then have the choice of either accepting the residual risk or not using the product at all (I'm assuming here that there's no good software mitigation or workaround for this vulnerability). In the case of the supplier in my post, it would be fairly easy not to use the vulnerable software, since it isn't required for the operation of the product itself. In the case of Intel/AMD, it would be very hard to simply move away from that architecture, so my guess is almost all users have formally or informally accepted this risk
At that point, our discussion split into three separate threads, but at least two of them led to the same conclusion as the thread below. Kevin defended the idea that the processor vulnerability actually is a product risk by saying:
Any time I acquire hardware or software, there is a risk that (1) the purchase will not perform as expected or intended, (2) I will not get exactly what I thought I was (product substitution), or (3) there will be failure points or vulnerabilities that I need to address in order to protect my networking and computing environment. Just because I do not know that a specific vulnerability exists at the time I purchase the product does not mean that risk is absent and that I need to do nothing. Depending on what the product does and where it is placed in my network will drive the risks that I need to mitigate to the extent possible.
This is an installation risk, which is an entity risk. You need to make sure you take into account the risks that apply to the environment in which the product is being installed and apply controls that are appropriate in that environment. The risk is mitigated by training, mentoring, etc. Of course, installation risks are specifically addressed in CIP 13 R1.1.
So I continue to believe: There are no product risks, just supplier risks and entity risks. In my first post, I just said there were supplier risks, but there’s actually another type of supply chain risk – risks posed by your own organization. I didn’t bring entity risks up earlier because I didn’t think they were relevant to this product risk discussion. But the next day (last Wednesday), another friend wrote in, and that led me to realize that entity risks might masquerade as product risks also. I discussed that in this post.
Do I think this is the end of the discussion? Not by a long shot.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at email@example.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!