Showing posts with label Third-Party Vulnerabilities. Show all posts

Wednesday, February 24, 2021

Detecting 3rd Party Vulnerabilities

I recently read a research report by Claroty on their work detecting vulnerabilities in various OPC protocol stacks. The vulnerabilities were disclosed and ‘corrected’ last year by the vendors identified in the report. It is an interesting report, though perhaps a little too cyber geek for my level of expertise, but certainly a worthwhile contribution to the cybersecurity literature. It does, however, leave an important question unanswered.

The vendors identified in this report, like those recently named in the TCP/IP stack vulnerability reports, are not vendors (or at least the affected products are not products) that control system owner/operators typically deal with on their plant floors. The vulnerable products are used, however, as third-party components inside many of the products found in everyday industrial control system settings. We have seen only a limited number of advisories about these vulnerabilities in the vendor products that industry is actually buying. Does that mean that these vulnerabilities do not impact the actual owner/operators of control systems? That is the $64 million question.

In some unknown number of cases, vendors may have already included in their equipment design programming ‘fixes’ that mitigate these third-party vulnerabilities. They may not even have known that they were mitigating vulnerabilities; unrelated design decisions and the way the third-party code is used in the product may have already taken care of the problems.

In an equally unknown number of cases, vendors are working hard at correcting the problems caused by these vulnerabilities by either incorporating the updated third-party software or specifically reworking their programming to neutralize the effects of the vulnerabilities.

Unfortunately, in the third case, again an unknown number of them, the vendor is quietly holding their breath and hoping that no one will notice that their equipment is exposed to these third-party vulnerabilities.

How is an owner/operator of a control system to know which case applies to the systems in use on their production floor? There is not a good answer to that question. Aside from taking the proof-of-concept code available in research reports like the Claroty OPC paper and crafting a test of their own equipment (and how many owner/operators have that level of engineering support on hand?), there is not currently a good way to know.

The researchers who report these vulnerabilities do not have the time, and most certainly not the resources, to test every possible control system device to see if it is affected by these third-party vulnerabilities. What they could do, with some unknown level of additional effort, is provide test protocols and code that owner/operators could use to check whether their own systems would be impacted by the vulnerabilities. This could even be a product that they could sell to help compensate them for the extra work.

Friday, June 8, 2018

NTIA to Hold Workshop on Software Component Transparency

Yesterday the National Telecommunications and Information Administration (NTIA) published a notice in the Federal Register (83 FR 26434-26436) announcing a meeting of a multi-stakeholder process on promoting software component transparency on July 19th, 2018 in Washington, DC.

The Meeting

NTIA intends for this to be the first of a series of meetings to address this issue. As such, the objectives for this first meeting include:

• Share the perspectives and concerns of both the vendor and enterprise customer communities;
• Discuss and acknowledge what is already working;
• Explore obstacles and challenges for greater transparency and better risk decisions;
• Identify promising areas of potential collaboration;
• Engage stakeholders in a discussion of logistical issues, including internal structures such as a small drafting committee or various working groups, and the location and frequency of future meetings; and
• Identify concrete goals and stakeholder work following the first meeting.

This meeting will be open to the public on a first-come, first-served basis, but seating will be limited. The meeting will be webcast. The webcast information will be made available on the Software Transparency web site (note: the link in the FR notice is incorrect).

Commentary

The notice provides an excellent discussion of the importance of being able to identify the 3rd party components of software packages. This is a problem that I have pointed out on a number of occasions (see here for example) in relation to 3rd party vulnerabilities in industrial control system products. This should be an interesting discussion.
