Wednesday, September 25, 2019

Bruce Schneier on supply chain risk



The Times ran an article by Bruce Schneier today that is well worth reading. In case you don't know, Bruce is one of the great figures in cybersecurity. I've sometimes felt his articles were a little overblown in the past, but this one is spot on. He isn't saying that all the computing or telecom equipment we buy nowadays is riddled with back doors, but rather that there is currently no purely technical way to rule that out. So even if everything we buy has a back door, it's very unlikely we'd ever know it until bad things start happening.

While he doesn’t take the next step, I will for him: Organizations need to start assuming there are back doors in almost all hardware and software they buy, and perform a risk assessment before installing any hardware or software that might perform a critical function, such as – need I say it? – any system that could impact the Bulk Electric System.

A lot of the discussion on CIP-013 compliance has focused on contract language, and specifically language implementing requirements R1.2.1 – R1.2.6. This is understandable, since the path to successful NERC CIP compliance up until CIP-013 (with a few exceptions like CIP-014 and CIP-003-7/8) has been to be laser-focused on the exact wording of the requirements.

But let's be clear: R1.2.1-R1.2.6 don't do anything to mitigate the back door problem. R1.2.5, which covers verifying the authenticity and integrity of patches and other software obtained electronically, makes sure that what you download is exactly what the supplier released. It doesn't cover the case where the supplier's own development or build process was compromised, so that the back door is already in the code (and in the signed release) before it ever reaches you. That is what happened to Juniper Networks in 2015 and to Delta Airlines last year, and it is of course what Bruce is writing about in this article.

R1.1 requires you to "identify and assess" supply chain risks to BES Cyber Systems (BCS). Since there are at least thousands of those risks, your job (Mr/Ms NERC entity) is to determine which are the most critical and mitigate those. The risk of back doors in hardware and software will hopefully be among the risks you choose to mitigate.

The tools for protecting your BES Cyber Systems (or any system, of course) from back doors are almost all procedural: don't buy from unauthorized or unknown vendors; make sure hardware products are shipped securely to you (tamper tape, sealed packaging, serial numbers checked on receipt, etc.); perform a risk assessment before installing or upgrading any BCS hardware or software; and so on. Keep in mind that none of these will catch a back door that was inserted before the product left the supplier's build system, so you also need to be able to detect and contain a device that starts misbehaving after it is installed. And not only should you follow those procedures, you should require your suppliers and vendors to do the same, through contract language and other means. In fact, you should also require your suppliers and vendors to have a supply chain cyber security risk management program of their own, so that they require these same procedures of their suppliers.

Even though Bruce's article isn't aimed at the power industry, it is one of the two industries he specifically mentions in his concluding sentence: "The risk from Chinese back doors into our networks and computers isn't that their government will listen in on our conversations; it's that they'll turn the power off or make all the cars crash into one another."


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.
