Tuesday, December 9, 2014

Steve Parker Corrects Me

I’m fortunate to have friends who read my posts and immediately point out where I’ve gone wrong.  I certainly welcome this, since I’ve had my share of being wrong and I don’t like these things to stand uncorrected (although I do always leave the original post as is, and simply post the correction.  The alternative approach – simply wiping away any traces of ever being wrong – reminds me of Winston Smith's job as the novel 1984 opens: It is to excise all references in the newspaper archives to political figures who have been liquidated due to running afoul of Big Brother.  They have become “unpersons”, one of the many chilling words the regime has invented to give a feeling of legitimacy and normalcy to its dirty work.  Of course, we all know the truth is sacrosanct to our governments nowadays, so this doesn’t happen in real life - oh wait, there's something coming on the TV about a new Senate report...).

Steve Parker of EnergySec pointed out that the central assertion of this recent post on serial is simply wrong.  The post was discussing devices (like relays) that are connected using a serial protocol like Modbus to an intermediate device like an RTU in a substation; this intermediate device is then connected routably to the outside world.  The question was whether the relays have External Routable Connectivity (ERC), or just the intermediate device does.

I had pointed out in the previous post that an entity asserting no ERC in a case like this might have to demonstrate that there weren’t documented ways that an attack could be mounted on the relay, running through the RTU.  That had resulted in someone writing in to tell me of vulnerabilities that allowed exactly that sort of attack to come through a particular manufacturer’s RTU.[i]  I stated that the availability of this attack vector probably meant that the relay should be considered as participating in ERC.

However, Steve set me straight.  He said, “That is not a relevant argument. If we go down the road of device A being hacked exposing device B, the whole model blows up since anything and everything can potentially be hacked to provide access to something else. The evaluation (Tom’s note: He means the evaluation of whether the relay has ERC or not) is based on the potential impact of individual devices/systems being misused. Such impact cannot depend on the misuse of additional devices. In other words, the impact cannot be transitive or cumulative.”

And now that I think about it, he’s definitely right.  I should never have suggested that the fact that one device can be attacked through another makes the former subject to the same vulnerabilities as the latter.  If this were the case, then every computer in the world would have to be considered just as vulnerable as the least-protected computer sitting on the Internet.  And that’s not right, IS IT?

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] I immediately notified the manufacturer of the vulnerability, through another organization that I knew had a close relationship with them.
