The Times ran an article by Bruce Schneier today that is well worth reading. In case you don’t know, Bruce is one of the great figures in cybersecurity. I’ve sometimes felt his articles were a little overblown in the past, but this one is spot on. He isn’t saying that all computing or telecom equipment we buy nowadays is riddled with back doors, but rather that there is currently no purely technical solution to this problem – so even if everything we buy has a backdoor, it’s very unlikely we’d ever know it, until of course bad things start happening.
While he doesn’t take the next step, I will for him: organizations need to start assuming there are back doors in almost all hardware and software they buy, and perform a risk assessment before installing any hardware or software that might perform a critical function, such as – need I say it? – any system that could impact the Bulk Electric System.
A lot of the discussion on CIP-013 compliance has focused on contract language, and specifically language implementing requirements R1.2.1 – R1.2.6. This is understandable, since the path to successful NERC CIP compliance up until CIP-013 (with a few exceptions like CIP-014 and CIP-003-7/8) has been to be laser-focused on the exact wording of the requirements.
But let’s be clear: R1.2.1 – R1.2.6 don’t do anything to mitigate the backdoor problem. (R1.2.5, covering authenticity and integrity of patches and other software obtained electronically, makes sure that what you download is exactly what the supplier developed. But it doesn’t cover the case where the supplier’s development process itself was compromised, as happened to Juniper Networks in 2015 and to Delta Air Lines last year – and which is of course what Bruce is writing about in this article.)
R1.1 requires you to “identify and assess” supply chain risks to BCS. Since there are at least thousands of those risks, your job (Mr/Ms NERC entity) is to determine which are the most critical risks and mitigate those. The risk of backdoors in hardware and software will hopefully be among the risks you choose to mitigate.
The tools for protecting your BES Cyber Systems (or any system, of course) from backdoors are all procedural: don’t buy from unauthorized or unknown vendors; make sure hardware products are shipped securely to you (tamper tape, etc.); perform a risk assessment before installing or upgrading any BCS hardware or software; and so on. And not only should you follow those procedures, you should require your suppliers and vendors to do the same, through contract language and other means. In fact, you should also require your suppliers and vendors to have a supply chain cyber security risk management program, so that they require these same procedures of their own suppliers.
Even though Bruce’s article isn’t aimed at the power industry, it’s one of the two industries he specifically mentions in his concluding sentence: “The risk from Chinese back doors into our networks and computers isn’t that their government will listen in on our conversations; it’s that they’ll turn the power off or make all the cars crash into one another.”
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.