In yesterday’s post, I pointed out comments that Brandon Workentin of Forescout Technologies had made about an earlier post that made the distinction between vendors and suppliers - and that distinction had been brought up to me by John Work of the Western Area Power Administration. Do you get the feeling that in this blog I’m gathering fame and vast fortune just by exploiting the ideas of others?
If you’re not sure about the answer to that question, let me point out that this post simply repeats verbatim an email that Kevin Perry, former chief auditor of SPP Regional Entity but now “retired”, sent me today. Brandon had pointed in a different direction than I’d pointed in the first post, and now Kevin goes further in that direction. I won’t spell this direction out for you, since as you know, I’m incapable of an original thought.
Kevin said: “Actually, I think the vendor (integrator) poses substantially greater risk than the manufacturer in many instances. If the vendor’s support team has remote electronic access to the entity’s systems, you have opened a path that you cannot completely control and protect from. Bear in mind that recent attacks have exploited a vendor and its connection to the real target.

“Yes, the manufacturer can make a product that has security risks (poor coding, poor testing, huge complexity, poor hardware quality controls, etc.), but you can more readily mitigate that risk than you can when you rely on a trusted communication path with a third party.”
Good points, Kevin and Brandon! Keep them coming… (and while I’m at this, I’d like to apologize to about 4 or 5 people who have written in with good ideas related to posts I’d put up in recent months. I’d promised to write a post on each one of those ideas, yet because of the press of work – and the fact that the Russians and Lew Folkerth have been continually demanding my attention – I haven’t done that).
Tom
PS: (a few hours later) It occurred to me that by juxtaposing Lew Folkerth with the Russians in a single sentence, I might have inadvertently lent credence to the wild rumors about Lew colluding with the Russians in their various nefarious activities in the US. Let me be perfectly clear: I have investigated these rumors, and I have found no indictable evidence that Lew Folkerth colluded with the Russians in any way!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
I'm not convinced that this splitting of hairs between vendors, suppliers, manufacturers, integrators, et al, is leading anywhere productive. In the manufacturing world, a Bill of Materials is defined as having just a single level, with the understanding that the level below may itself include other BOMs. So it's just a matter of how many levels down you have to go before you get to the "base ingredients." Which may differ from component to component.
In that analogy, a defect can be introduced at any level in the chain. Same situation here.
Not sure that I agree that an integrator poses any more threat than a manufacturer. The risks may differ, but they still exist. You'd have to do (probability) * (potential impact) for each risk to have any idea. As you wrote several months ago, risk assessment is a very personal thing for each utility.