Thursday, August 20, 2020

What the EO should really be concerned with



If you're looking for my pandemic posts, go here.

Kevin Perry sent me a link to a great article today. It starts: “A security flaw in a series of IoT connectivity chips could leave billions of industrial, commercial, and medical devices open to attackers.” I’ll let you read the article, but the bottom line is that this is a serious vulnerability that could let outside attackers take control of IIoT and medical devices. IBM discovered the vulnerability in 2019 and has been working with the manufacturer on a software patch since then (it’s amazing that it took more than eight months to develop the patch; we’re all lucky the vulnerability wasn’t discovered first by, say, Russia or al Qaeda).

Here’s a question: The Executive Order is supposedly concerned about big supply chain threats to the US grid. Would this threat be addressed by it? Of course not. The EO just addresses threats originating in products produced by organizations located in, controlled by or influenced by “foreign adversaries”. At the moment, France (where the company that makes the chips is located) isn’t on the list.

Of course, the biggest problem with the EO is that it focuses only on threats from nation states. It wouldn’t take a nation state to exploit this vulnerability and cause widespread damage to the power grid, whether or not it caused an actual cascading outage (the people left in the dark aren’t going to take a lot of solace from the fact that the cause wasn’t a cascading outage).

And by the way, this definitely shows the need for hardware bills of materials as well as software bills of materials. The big difference between the two is that there’s absolutely no excuse for a hardware manufacturer not to have a detailed BoM for its products (it couldn’t have manufactured them without one). There’s also no excuse for it not to notify you of this vulnerability immediately, and to provide you the patch. Of course, if you look through the reports and think that one or more hardware manufacturers whose products are in your environment (whether or not they’re in an ESP) might have included this chip module, you shouldn’t wait for them to notify you; you should call them and ask. And if they say they just don’t know, you need to look for a replacement for that hardware ASAP.

And what should be done with the EO? Here's an idea: Let's ignore the foreign adversaries nonsense. Let's treat it as an order to a) discover the most serious supply chain cybersecurity threats facing the US grid, regardless of their source, and b) take steps to mitigate them. As I mentioned in this post, vulnerabilities in hardware components are definitely a threat, but this is also not a threat that any one utility has the resources to analyze; this has to be undertaken by the Feds, presumably DoE (with help from DoD, since they're doing lots of work like this now).

Then we might turn this sow's ear into a silk purse.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Are you hot at work – or should be – on getting ready for CIP-013-1 compliance on October 1? Here is my summary of what you need to do between now and then.

