If you're looking for my
pandemic posts, go here.
Kevin Perry sent me a link
to a great article today. It starts “A security flaw in a series of IoT connectivity
chips could leave billions of industrial, commercial, and medical devices open to
attackers.” I’ll let you read the article, but the bottom line is this is a
serious vulnerability that could lead to outside attackers taking control of IIoT
and medical devices. IBM discovered this vulnerability in 2019 and has been
working with the manufacturer on a software patch since then (it’s amazing that
it took more than eight months to develop the patch. We’re all lucky the
vulnerability wasn’t discovered first by say Russia or al Qaeda).
Here’s a question: The Executive
Order is supposedly concerned about big supply chain threats to the US grid.
Would this threat be addressed by it? Of course not. The EO just addresses threats
originating in products produced by organizations located in, controlled by or
influenced by “foreign adversaries”. At the moment, France (where the company
that makes the chips is located) isn’t on the list.
Of course, the biggest problem
with the EO is it just focuses on threats from nation states. It wouldn’t take
a nation state to exploit this vulnerability and cause widespread damage to the
power grid (whether or not it caused an actual cascading outage. The people
left in the dark aren’t going to take a lot of solace from the fact that the cause
wasn’t a cascading outage).
And by the way, this definitely
shows the need for hardware bills of materials as well as software
bills of materials. The big difference between the two is there’s
absolutely no excuse for a hardware manufacturer not to have a detailed BoM for
their products (since they couldn’t have manufactured it without one). There’s
also no excuse for them not to immediately notify you of this vulnerability, as
well as provide you the patch. Of course, if you look through the reports and
think that one or more hardware manufacturers whose products are in your environment
(whether or not they’re in an ESP) might include this chip module, you shouldn’t
wait for them to notify you – you should call them to ask. And if they say they
just don’t know, you need to look for a replacement for that hardware ASAP.
And what should be done with the EO? Here's an idea: Let's ignore the foreign adversaries nonsense. Let's treat it as an order to a) discover the most serious supply chain cybersecurity threats facing the US grid, regardless of their source, and b) take steps to mitigate them. As I mentioned in this post, vulnerabilities in hardware components are definitely a threat, but this is also not a threat that any one utility has the resources to analyze - this has to be undertaken by the Feds, presumably DoE (with help from DoD, since they're doing lots of work like this now).
Then we might turn this sow's ear into a silk purse.
Any
opinions expressed in this blog post are strictly mine and are not necessarily
shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
Are
you hot at work – or should be – on getting ready for CIP-013-1 compliance on
October 1? Here is my summary of what you need to do between now and then.
No comments:
Post a Comment