Wednesday, April 10, 2024

Are you sure this is “critical” infrastructure?

 

My friend Mike Barlow put up a great post on LinkedIn this week, which points out a huge irony regarding critical infrastructure (including most devices that run power substations, gas pipelines, oil refineries, etc.): While CISA and others are constantly advocating for the use of “memory safe” programming languages for new software and firmware, most legacy devices (whether or not they’re for critical infrastructure) run code written in languages that are definitely not memory safe, like C and C++.

Mike summarizes this situation quite succinctly: "…your exercise app is probably more secure than the code running at your local electric power station." Does that make you feel safe?

What’s there to be done about this? I dunno. Replacing all that equipment will be tremendously expensive, although obviously any replacement efforts should start with the most critical equipment. Perhaps baby monitors can be left ’til the end, although I imagine that, being much newer than, for example, some electronic relays deployed in power substations, the baby monitors have much safer code than the relays.

This is a good example of “technical debt”. We – and probably the rest of the world, except countries with much newer infrastructure, perhaps due to having just come through a war – have a lot of such debt to pay. Of course, I doubt there’s a line anywhere in the federal budget about paying technical debt. As often happens, we’ll wait ’til things start breaking down.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.

 
