One of the most critical, but easily overlooked, areas in recent industrial cyber security vulnerability advisories is the supply chain. Beyond the newly introduced U.S. DoD CMMC framework for designated industries, NERC CIP-013, and the bills of materials (BOMs) that top-tier vendors submit for FCC certification, there is widespread misunderstanding of (and a general lack of understanding about) the security of packaged software products, including their embedded variants.
Even without knowing what a given organization owns or how it is configured, 2020 brought several high-profile supply chain-related announcements (e.g., Ripple20 in the Treck TCP/IP stack, URGENT/11 in the VxWorks IPnet stack, Amnesia:33 in several open-source embedded TCP/IP stacks).
However, when you review the advisories, you find that almost none of them reference these "hot topic" vulnerabilities. Many vendors argued that they were overstated for ICS devices. Some released private advisories on their websites for customers regarding potentially affected devices. But finding these vulnerabilities within an organization's ICS inventory is often very difficult without specialized tools: the vulnerable stack is a component inside a vendor's firmware, not a product the asset owner ever installed or inventoried by name.
In both 2019 and 2020, roughly the same number of supply chain/component-related advisories were issued. There are several issues with the reporting system, but a flat (if anything slightly lower) advisory count in 2020 against a growing number of products on the market hints at a hidden issue lurking below the surface. This is not limited to embedded systems; it applies to any software that statically links its dependencies, uses third-party libraries (FOSS or purchased/COTS), and so on.
With respect to supply chain issues, Verve predicts that in 2021 many asset owners and researchers will assess more device firmware for inherently insecure components, which could result in the following:
- An explosion of ICS-related CVEs at the device level, which will require an increased emphasis on detailed inventorying, monitoring, and segmentation.
- Supply chain consequences for vendors, integrators, and asset owners will become a major focus for any security-focused organization (especially under NERC CIP), and will also show how insecure many assets are under the hood.
- An increased need to interact with, manage the configuration of, and patch/update Internet of Things (IoT) devices.
- Decoupling of vendor applications from the core/base operating system, through fewer proprietary operating systems or components, will continue to increase.
- ICS/device/application security needs to improve. Most vulnerabilities are due to poor software engineering, and many of the obvious or easily exploitable ones would have been found during a thorough Cyber Security Factory Acceptance Test and/or Cyber Security Site Acceptance Test (CFAT/CSAT).
- Many devices ship with weak default security settings, and integrators/asset owners deploy them with default credentials or with the improved security features that are present left unused.
- New legislation on software security, integrity, and supply chain management will be required for critical infrastructure, or even for consumer IoT.
- Organizations that actively disclose AND remediate vulnerabilities (rather than posting a disclosure without a concrete solution) may be more advanced in their security practices than those that do not.
- Alternatively, organizations that take a proactive stance on disclosing security issues (even when no fix is yet available) may also be more advanced than those with few security postings overall (often the result of business/legal decisions, for right or wrong).
Risk Management in Supply Chain Cyber Security
To manage these growing supply chain vulnerabilities, Verve has formed a partnership with aDolus Technology to provide the deepest visibility into OT risk. Our combined offering is the only platform that enables end users to manage the security of their ICS/OT endpoints down to vulnerabilities in hidden subcomponents.
The combination of Verve's agent and agentless platform with aDolus' FACT platform brings full risk visibility together. Verve gathers the deepest software inventory available from all endpoints: not just an OS version, but all software applications, firmware versions, and so on, all the way down to devices reached through the backplane of PLCs. We then combine that data with the FACT platform to assess whether the firmware on each device contains components carrying vulnerabilities that would otherwise stay hidden in the environment. Deep visibility into the OT environment combined with aDolus' open FACT supply chain risk platform offers the deepest vulnerability view available.
Watch our on-demand webinar, in which Ron Brash of Verve Industrial and Eric Byres of aDolus Technology explain how to use information from your asset inventory to supplement CVEs where there are gaps. You'll get an inside look at how the FACT platform enhances what we see in OT environments, even when OEMs and vendors do not publish all the vulnerabilities.
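The core technique described above (and earlier, where the article notes that statically linked and third-party components never appear in an asset owner's inventory by name) is to pull component banners out of firmware images, turn them into a per-device component inventory, and compare the versions found against a component-level advisory feed. The script below is an added illustration of that workflow written for this page; it is not Verve's or aDolus' code and does not use the FACT platform. The firmware fragments, the component names ("AcmeNet", "nanohttp"), the version thresholds and the advisory labels are all constructed placeholders, not real advisory data. The one detail worth taking away is in `parse_version`: component versions must be compared numerically, segment by segment, because a plain string comparison says "1.2.11" is older than "1.2.9" and would silently flag a patched device (or miss an unpatched one).

```python
"""Match components found inside firmware images against component-level
advisories.  Added illustration for this article: all firmware fragments,
component names, version thresholds and advisory labels are CONSTRUCTED
placeholders, not real advisory data."""
import re

# Constructed firmware fragments: binary padding around the kind of
# version banners that third-party stacks leave behind in flash.
FIRMWARE_IMAGES = {
    "plc-cpu-01.bin": (
        b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
        + b"AcmeNet TCP/IP stack v6.0.1.41\x00"
        + b"zlib version 1.2.8\x00" + b"\xff" * 8
    ),
    "rtu-gw-07.bin": (
        b"\x00" * 8 + b"AcmeNet TCP/IP stack v6.0.1.70\x00"
        + b"zlib version 1.2.11\x00"
    ),
    "hmi-panel-03.bin": b"\x00" * 4 + b"nanohttp/0.9.2\x00" + b"\x00" * 4,
}

# Constructed advisory feed: component key, first fixed version, label.
# In practice this comes from the vendor/stack maintainer's advisory.
ADVISORIES = [
    {"component": "acmenet-tcpip", "fixed_in": "6.0.1.66", "label": "constructed-advisory-A"},
    {"component": "zlib", "fixed_in": "1.2.9", "label": "constructed-advisory-B"},
    {"component": "nanohttp", "fixed_in": "1.0.0", "label": "constructed-advisory-C"},
]

# Banner patterns: component key -> regex whose group 1 is the version.
BANNER_PATTERNS = {
    "acmenet-tcpip": re.compile(rb"AcmeNet TCP/IP stack v(\d+(?:\.\d+)+)"),
    "zlib": re.compile(rb"zlib version (\d+(?:\.\d+)+)"),
    "nanohttp": re.compile(rb"nanohttp/(\d+(?:\.\d+)+)"),
}


def parse_version(version: str) -> tuple:
    """'6.0.1.66' -> (6, 0, 1, 66).  Tuples of ints compare segment by
    segment, so 6.0.1.9 < 6.0.1.66, which a string comparison gets wrong."""
    return tuple(int(part) for part in version.split("."))


def is_affected(found: str, fixed_in: str) -> bool:
    """True when the version found predates the first fixed version."""
    return parse_version(found) < parse_version(fixed_in)


def extract_components(blob: bytes) -> dict:
    """Return {component: version} for every known banner in the image."""
    found = {}
    for component, pattern in BANNER_PATTERNS.items():
        match = pattern.search(blob)
        if match:
            found[component] = match.group(1).decode("ascii")
    return found


def match_advisories(components: dict) -> list:
    """Return one hit per advisory whose component is present and unfixed."""
    hits = []
    for adv in ADVISORIES:
        version = components.get(adv["component"])
        if version is not None and is_affected(version, adv["fixed_in"]):
            hits.append({
                "component": adv["component"],
                "version": version,
                "fixed_in": adv["fixed_in"],
                "label": adv["label"],
            })
    return hits


def scan_inventory(images: dict) -> dict:
    """Map each firmware image name to its list of advisory hits."""
    return {name: match_advisories(extract_components(blob))
            for name, blob in images.items()}


if __name__ == "__main__":
    for name, hits in scan_inventory(FIRMWARE_IMAGES).items():
        if not hits:
            print(f"{name}: no component advisories matched")
        for hit in hits:
            print(f"{name}: {hit['component']} {hit['version']} "
                  f"< {hit['fixed_in']} ({hit['label']})")
```

On the constructed data, `plc-cpu-01.bin` is flagged for both its TCP/IP stack and its zlib, `rtu-gw-07.bin` is clean (its zlib 1.2.11 is newer than the 1.2.9 threshold, which a lexical comparison would have got backwards), and `hmi-panel-03.bin` is flagged for the HTTP component. Real firmware needs more than a banner regex (many components carry no version string, and a vendor may backport a fix without bumping the version), which is exactly the gap a dedicated component-analysis service is meant to close.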