Wednesday, June 26, 2019

Kevin Perry goes further



In yesterday’s post, I pointed out comments that Brandon Workentin of Forescout Technologies had made about an earlier post that made the distinction between vendors and suppliers - and that distinction had been brought up to me by John Work of the Western Area Power Administration. Do you get the feeling that in this blog I’m gathering fame and vast fortune just by exploiting the ideas of others?

If you’re not sure about the answer to that question, let me point out that this post simply repeats verbatim an email that Kevin Perry, former chief auditor of SPP Regional Entity but now “retired”, sent me today. Brandon had pointed in a different direction than I’d pointed in the first post, and now Kevin goes further in that direction. I won’t spell this direction out for you, since as you know, I’m incapable of an original thought.

Kevin said “Actually, I think the vendor (integrator) poses substantially greater risk than the manufacturer in many instances. If the vendor’s support team has remote electronic access to the entity’s systems, you have opened a path that you cannot completely control and protect from. Bear in mind that recent attacks have exploited a vendor and its connection to the real target.

“Yes, the manufacturer can make a product that has security risks (poor coding, poor testing, huge complexity, poor hardware quality controls, etc.), but you can more readily mitigate that risk than you can when you rely on a trusted communication path with a third party.”

Good points, Kevin and Brandon! Keep them coming… (and while I’m at this, I’d like to apologize to the four or five people who have written in with good ideas related to posts I’d put up in recent months. I’d promised to write a post on each one of those ideas, yet because of the press of work – and the fact that the Russians and Lew Folkerth have been continually demanding my attention – I haven’t done that).

Tom

PS: (a few hours later) It occurred to me that by juxtaposing Lew Folkerth with the Russians in a single sentence, I might have inadvertently lent credence to the wild rumors about Lew colluding with the Russians in their various nefarious activities in the US. Let me be perfectly clear: I have investigated these rumors, and I have found no indictable evidence that Lew Folkerth colluded with the Russians in any way!


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.

1 comment:

  1. I'm not convinced that this splitting of hairs between vendors, suppliers, manufacturers, integrators, et al, is leading anywhere productive. In the manufacturing world, a Bill of Materials is defined as having just a single level, with the understanding that the level below may itself include other BOMs. So it's just a matter of how many levels down you have to go before you get to the "base ingredients." Which may differ from component to component.

    In that analogy, a defect can be introduced at any level in the chain. Same situation here.

    Not sure that I agree that an integrator poses any more threat than a manufacturer. The risks may differ, but they still exist. You'd have to do (probability) * (potential impact) for each risk to have any idea. As you wrote several months ago, risk assessment is a very personal thing for each utility.
