I mentioned in a blog post this weekend that HR 4251 addressed supply chain security issues and noted that what it looked at was very different from what the cyber security community was concerned about when it talks about ‘supply chain security’. With that in mind I read an interesting article over on NextGov.com about cyber supply-chain security concerns in the Federal government that is well worth looking at.
The article is based, in large part, on information provided by a recent GAO report on IT Supply Chain security. That report lists the following threats to the IT Supply Chain (pg 12, Adobe 16):
• Installation of hardware or software containing malicious logic;
• Installation of counterfeit hardware or software;
• Failure or disruption in the production or distribution of critical products;
• Reliance on a malicious or unqualified service provider for the performance of technical services; and
• Installation of hardware or software that contains unintentional vulnerabilities.
While the next couple of pages in the report discuss each of these threats in some detail, nowhere does it mention control systems. This is not terribly surprising since most of the Federal government does not make anything, so non-military control systems are few and far between. Even so, anyone with a control system background who takes a quick look at the descriptions will see that there are potentially clear links between these types of threats and control systems.
The GAO report goes on to look at specific examples of cyber supply-chain vulnerabilities (pgs 16-17, Adobe 20-21). They include:
• Acquisition of information technology products or parts from independent distributors, brokers, or the gray market;
• Lack of adequate testing for software updates and patches;
• Incomplete information on IT [cyber] suppliers; and
• Use of supply chain delivery and storage mechanisms that are not secure.
Once again it is clear that these vulnerabilities would also apply to control systems applications.
The GAO report looks at how well three ‘National Security-Related Agencies’ (Defense, Homeland Security, Energy and Justice) have addressed these supply chain security issues. They note that DOD has the most complete program in place, but even it has not yet developed outcome-based performance measures to track its performance. DOJ has identified protective measures, but has not yet put forth a plan for implementing those measures or developed a tracking system to gauge performance. According to the report, DOE and DHS have not yet done even that much.
Private Sector Requirements
To date, Congress has completely ignored this issue whenever the subject of cybersecurity has come up. I have yet to see any significant mention of requiring the private sector to look at IT supply chain security issues in any of the cybersecurity bills introduced so far.
It is possible that DHS could require supply chain security issues to be addressed in cybersecurity plans required under HR 2102. It is unlikely, however, given the Department’s poor record on developing and implementing in-house plans for their IT resources.
One would like to think that responsible owners and operators of control systems would already have such measures in place, or were at least developing such measures. I would be surprised, however, if any but the largest organizations have even considered this issue in developing the minimalistic cybersecurity plans that actually exist. I would bet that the vast majority of control systems owners, most of which have no cybersecurity efforts to speak of anyway, have not even considered the threats listed above as part of their facility security plans.
We already have a large number of control system security issues that are going to have to be addressed. This is just one more that needs to be added to the list.