I recently wrote a post
that gave a good example of how software
bills of materials can make your control systems (and other systems, of
course) more secure by allowing you to learn of vulnerabilities that apply to
components embedded in the software you use. Because the developer that wrote the
software you’re running might intentionally or unintentionally not inform you
of the vulnerability in one of their components, having an SBOM will allow you
to proactively reach out to the supplier and – very politely, of course – ask them
when they will be patching this vulnerability, or otherwise providing a mitigation
for it.
A few days after I wrote that post, I saw in the weekly newsletter
of Protect our Power (which BTW provides
a great list of recent articles and posts of interest to people involved or
concerned with protecting the grid against cyberattacks), a link to this
article, which describes a set of vulnerabilities that have recently been identified
in CodeMeter, a software component sold by Wibu-Systems. The article says the component
is “licensed by many of the top industrial control system (ICS) software
vendors, including Rockwell Automation and Siemens. CodeMeter gives these
companies tools to bolster security, help with licensing models, and protect
against piracy or reverse-engineering.” At least one of the vulnerabilities has
a CVSS v3 score of ten (out of ten), which is the critical level.
What most caught my eye in this article were these two
paragraphs:
According to ICS-CERT, Wibu-Systems recommends that users
update to the latest version of the CodeMeter Runtime (version 7.10). Affected
vendors like Rockwell and Siemens have released their own security advisories,
but researchers warn that, due to CodeMeter being integrated into many leading
ICS products, users may be unaware this vulnerable third-party component is
running in their environment.
“CodeMeter is a widely deployed third-party tool that is
integrated into numerous products; organizations may not be aware their product
has CodeMeter embedded, for example, or may not have a readily available update
mechanism,” warned researchers.
In other words, you need to check with your ICS (OT) software
(or perhaps hardware) supplier to a) find out if CodeMeter is included in
their product, and if so b) ask what they’re going to do to fix this problem. But
if you had a software bill of materials for each piece of software in your environment,
you wouldn’t need to do a) at all: you could check the SBOMs yourself. Of course, if an
SBOM showed that the component is included in one of your products, you would still
need to do b).
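Here is what "checking the SBOMs yourself" looks like in practice. This is an added example, not code from the post or from Wibu-Systems or any ICS vendor. It walks a set of CycloneDX-style SBOM documents (constructed here, with hypothetical product names) and reports every product that embeds CodeMeter, separating the ones below the version the vendor recommends from the ones already at it. The only facts taken from the post are the component name and the recommended Runtime version 7.10; treating everything below 7.10 as affected is an assumption for the example, and the real affected-version list belongs to the vendor advisory.

```python
"""
Added example (not from the original post): search a set of CycloneDX SBOMs for an
affected embedded component and decide which suppliers need a follow-up.
All SBOM contents and product names below are constructed for illustration.
"""
import json
from typing import Any, Dict, Iterator, List, Tuple

# Assumption for this example only: anything below the version the vendor
# recommends (7.10, per the post) is treated as affected.
AFFECTED_COMPONENT = "codemeter"   # matched case-insensitively against component names
FIXED_VERSION = "7.10"

# Constructed SBOMs in CycloneDX JSON shape for three hypothetical products.
SBOMS: List[str] = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "HMI Designer", "version": "4.2"}},
        "components": [
            {"type": "library", "name": "CodeMeter Runtime", "version": "6.90",
             "supplier": {"name": "Wibu-Systems"}},
            {"type": "library", "name": "zlib", "version": "1.2.11"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "PLC Programming Suite", "version": "12.0"}},
        "components": [
            # CodeMeter bundled one level down inside a sub-component; a flat
            # scan of the top-level list would miss it.
            {"type": "application", "name": "Licensing Service", "version": "2.1",
             "components": [
                 {"type": "library", "name": "CodeMeter Runtime", "version": "7.10",
                  "supplier": {"name": "Wibu-Systems"}},
             ]},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "Historian Server", "version": "9.1"}},
        "components": [
            {"type": "library", "name": "OpenSSL", "version": "1.1.1g"},
        ],
    }),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.10' into (7, 10). Plain string comparison would rank '7.9' above '7.10'."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def walk_components(components: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every component, including those nested inside other components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_component(sbom_json: str) -> List[Tuple[str, str, str, bool]]:
    """Return (product, component name, version, affected) for each match in one SBOM."""
    bom = json.loads(sbom_json)
    product = bom.get("metadata", {}).get("component", {}).get("name", "<unknown product>")
    hits = []
    for comp in walk_components(bom.get("components", [])):
        name = comp.get("name", "")
        if AFFECTED_COMPONENT in name.lower():
            version = comp.get("version", "0")
            affected = parse_version(version) < parse_version(FIXED_VERSION)
            hits.append((product, name, version, affected))
    return hits


def triage(sboms: List[str]) -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    """Split matches into (needs supplier follow-up, already at or above the fixed version)."""
    needs_followup, already_fixed = [], []
    for sbom in sboms:
        for product, name, version, affected in find_component(sbom):
            (needs_followup if affected else already_fixed).append((product, name, version))
    return needs_followup, already_fixed


if __name__ == "__main__":
    needs, fixed = triage(SBOMS)
    for product, name, version in needs:
        print(f"{product}: embeds {name} {version} (< {FIXED_VERSION}); ask the supplier for a fix")
    for product, name, version in fixed:
        print(f"{product}: embeds {name} {version}; already at the recommended version")
```

Products whose SBOMs never mention the component (the constructed "Historian Server" here) drop out of the search entirely, which is step a) done without a phone call; the products that do list it are the ones you still need to raise b) with.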
This is just another reason to start asking for SBOMs from all of your software suppliers. Although my guess is in 2-3 years you won’t have to ask – you’ll receive an SBOM with the software.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.