I’m fortunate to have friends who read my posts and immediately point out where I’ve gone wrong. I certainly welcome this, since I’ve had my share of being wrong and I don’t like these things to stand uncorrected (although I do always leave the original post as is, and simply post the correction. The alternative approach, simply wiping away any traces of ever being wrong, reminds me of Winston Smith’s job as the novel 1984 opens: it is to excise all references in the newspaper archives to political figures who have been liquidated for running afoul of Big Brother. They have become “unpersons”, one of the many chilling words the regime has invented to give a feeling of legitimacy and normalcy to its dirty work. Of course, we all know the truth is sacrosanct to our governments nowadays, so this doesn’t happen in real life - oh wait, there’s something coming on the TV about a new Senate report...).
Steve Parker of EnergySec pointed out that the central assertion of this recent post on serial connections is simply wrong. The post was discussing devices (like relays) that are connected using a serial protocol like Modbus to an intermediate device like an RTU in a substation; this intermediate device is then connected routably to the outside world. The question was whether the relays have External Routable Connectivity (ERC), or only the intermediate device does.

I had pointed out in the previous post that an entity asserting no ERC in a case like this might have to demonstrate that there weren’t documented ways that an attack could be mounted on the relay by passing through the RTU. That had resulted in someone writing in to tell me of vulnerabilities that allowed exactly that sort of attack to come through a particular manufacturer’s RTU.[i] I stated that the availability of this attack vector probably meant that the relay should be considered as participating in ERC.
However, Steve set me straight. He said, “That is not a relevant argument. If we go down the road of device A being hacked exposing device B, the whole model blows up since anything and everything can potentially be hacked to provide access to something else. The evaluation (Tom’s note: he means the evaluation of whether the relay has ERC or not) is based on the potential impact of individual devices/systems being misused. Such impact cannot depend on the misuse of additional devices. In other words, the impact cannot be transitive or cumulative.”
And now that I think about it, he’s definitely right. I should never have suggested that the fact that one device can be attacked through another makes the former subject to the same vulnerabilities as the latter. If this were the case, then every computer in the world would have to be considered just as vulnerable as the least-protected computer sitting on the Internet. And that’s not right, IS IT?
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] I immediately notified the manufacturer of the vulnerability, through another organization that I knew had a close relationship with them.