My friend Mike Barlow put up a great post on LinkedIn this week, which points
out a huge irony regarding critical infrastructure (including most devices that
run power substations, gas pipelines, oil refineries, etc.): While CISA and
others are constantly advocating for the use of “memory safe” programming
languages for new software and firmware, most legacy devices (whether or not
they’re for critical infrastructure) run code written in definitely-non-memory-safe
languages like C and C++.
Mike summarizes this situation quite
succinctly: "…your exercise app is probably more secure than the code
running at your local electric power station." Does that make you feel
safe?
What’s there to be done about this?
I dunno. Replacing all that equipment will be tremendously expensive, although
obviously any replacement efforts should start with the most critical equipment.
Perhaps baby monitors can be left ’til the end, although I imagine that, being
much newer than, for example, some electronic relays deployed in power substations,
the baby monitors have much safer code than the relays.
This is a good example of “technical
debt”. We – and probably the rest of the world, except countries with much
newer infrastructure, perhaps due to having just come through a war – have a
lot of such debt to pay. Of course, I doubt there’s a line anywhere in the federal
budget about paying technical debt. As often happens, we’ll wait ’til things
start breaking down.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
My book "Introduction to SBOM and VEX" is now available in paperback and Kindle
versions! For background on the book and the link to order it, see this post.