Last Friday, I watched an excellent webinar on software supply chain security, which focused on aDolus – a really interesting company offering a potentially very useful service for supply chain security. The webinar started with an excellent presentation on supply chain security by Patrick Miller – who I believe needs no introduction to anybody in the North American electric utility cybersecurity/CIP compliance world. In his presentation, Patrick focused on both hardware and software supply chain security risks.
After Patrick spoke, there was an active chat session conducted on the webinar site. Somehow it moved to the subject of hardware vs. software supply chain risks (or maybe I moved it myself. I can’t remember, and I don’t have access to the chat text now). I expressed the opinion that supply chain risks to software were much more pervasive than supply chain risks to hardware (I’ve hinted at this idea in several posts, but never devoted a post to it. I hope to do so in the not-too-distant future).
Was this last statement simply an intuition due to pure brilliance on my part? I’m afraid not. It was definitely due to brilliance, but not mine – rather, that of Matt Wyckhouse, the founder and CEO of Finite State, which is another very interesting company. I’ve known Matt since the beginning of this year, but what I said about firmware attacks came from a very good paper from Finite State entitled “Huawei Supply Chain Assessment”, and specifically the section titled “SUPPLY CHAIN SECURITY CHALLENGES”, which starts on page 12.
I will summarize the discussion I think is most relevant from this section, but I strongly recommend you read the whole section, because there is a lot more in there. What I said about firmware is based on the following chain of logic, which isn’t exactly in the order it’s presented in the paper:
· A vulnerability is a flaw in software or firmware, and a backdoor is a vulnerability that is uniquely known to the attacker. Of course, at least 95% of backdoors (or so I would think) are intentionally inserted by the manufacturer to make it easier for them to troubleshoot the device later.
· There are three kinds of supply chain cybersecurity attacks: hardware, firmware and software. A hardware supply chain attack requires physically altering the microcode of a microprocessor or a field programmable gate array, or adding another component onto a board that can enable access or data exfiltration. These attacks are fiendishly difficult to execute; moreover, “No software defenses can truly overcome a hardware backdoor, and they cannot be patched after detection.”
· Of course, we know there are software supply chain attacks. They usually involve insertion of a backdoor or a hidden user account. These happen regularly. I discussed two examples in this post and this one.
· And then there are supply chain attacks on firmware. To understand why I say there’s never been a supply chain attack on firmware, read the section titled “Modern Electronics Supply Chains” on pages 12 and 13 of the report. That section describes the complex web of suppliers and integrators that contribute to a component that goes into an electronics product, each of which contributes to the final firmware image, with no supervision of the overall process.
· The section concludes by saying “In the end, that image could contain software written by thousands of engineers at dozens of companies across many different countries.” Of course, this inevitably results in lots of vulnerabilities (certainly many more than are found in most software products).
I need to confess that I told Patrick on Friday that there’s never been a supply chain cyberattack on firmware; that isn't accurate. It is accurate to say that it would be close to impossible, if a vulnerability were exploited in a cyberattack, for an investigator ever to conclude it was due to a supply chain attack (i.e. a backdoor) - rather than just due to somebody exploiting one of the numerous vulnerabilities found in your average firmware package.
And it’s those numerous vulnerabilities that point to another reason why it’s unlikely there will ever be a clear supply chain attack on firmware: With so many different vulnerabilities to exploit in firmware, why would your average Joe Hacker – or even your average Vladimir Nation-State – go to all the trouble of crafting and executing a supply chain attack? As Patrick pointed out in his presentation, supply chain attacks are awfully hard to execute and usually take a lot of resources; it’s better to go in the wide-open front door, not the back door with multiple locks, a security camera and guard dogs. After all, cyber-attackers need to pay attention to costs, just like the rest of us do.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.