
Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Dec 20, 2020

The author of this article, Eric Byres, is a well-known cybersecurity expert in ICS communities. His new company, aDolus, is working to help companies identify risks in software supply chains. Other companies are also working on software supply chain risk assessment solutions, e.g. Fortress and my company, Reliable Energy Analytics LLC. Solutions for software supply chain risk assessments are really just in their infancy; however, their valuable role in helping companies identify and prevent harmful software from being installed is becoming an imperative. There is much room for improvement in these software risk assessment tools; however, the solutions available today are effective at identifying known culprits and notifying companies of the inherent risk they face if they decide to install a "risky" software package. It's surprising to me that more companies are not using software supply chain risk assessment solutions to protect themselves from harm; maybe the SolarWinds incursion will serve as a catalyst for greater adoption of these solutions. Here are some key takeaways from Eric's article that I find insightful, pragmatic and prudent:

  • This blog is not going to tell you that there is a silver bullet out there. There isn’t. Supply chain attacks are very difficult to detect. But the lack of an easy solution doesn't mean we can't learn from the attack (and make life much more challenging for the next attacker).
  • Just last month we saw trojanized security software hit South Korean users in a supply chain attack that, like SUNBURST, also involved signed code [RJB - signed software needs to be treated as "guilty" until proven innocent]
  • Clearly supply chain exploits are now a core tool in the cyber-weapons toolbox
  • The second takeaway is that software code signing alone is poor defence against supply chain attacks. [RJB - Totally agree]
  • To be 100% clear, I am not saying that code signing, SBOMs, or network monitoring are bad. I’m a big proponent of all three as critical tools in our cyber-defence toolbox. My company even generates SBOMs for ICS software companies. But SBOMs or code signing or the tool "du jour" are limited when used on their own.  [RJB - I agree, Eric; each of the items you list is just part of a comprehensive, best-practices software supply chain risk assessment. See the Energy Central PowerSession from 8/12, on demand, for a best-practices approach to software supply chain risk assessments based on the NIST Cybersecurity Framework V1.1]
  • What we need is a way to coordinate the information about the software we use in our critical systems. [RJB, I agree with Eric, Never trust software, always verify and report!]
  • We need cooperation on software threats and vulnerabilities across companies and sectors. We need coordination between vendors, users, and consultants. And we need that cooperation to be in real time, not after the fact.  [RJB - Well said, Eric; you can count on Reliable Energy Analytics LLC to stand with you and aDolus in the pursuit of this goal.]

Excellent piece, Eric - well done.

Never trust software, always verify and report!


Discussions
Matt Chester on Dec 21, 2020

This blog is not going to tell you that there is a silver bullet out there. There isn’t. Supply chain attacks are very difficult to detect. But the lack of an easy solution doesn't mean we can't learn from the attack (and make life much more challenging for the next attacker).

In your opinion, would it be fair to say that this also shows how much harder it is for the 'good guys' to play defense than it is for the 'bad guys' to go on the offensive? It seems the cybersecurity professionals need to play the role of every potential bad actor out there to anticipate what might be coming their way, while those bad actors simply need to find the single vulnerability that was overlooked. 

Eric Byres on Dec 27, 2020

Great Question Matt!

Yes it is currently harder in the cybersecurity defence world for the 'good guys' than it is for the 'bad guys'. However, I believe it won't stay that way. Eventually the tables will turn, just like they have in all other security-related fields, such as physical bank security.

There was a time that robbing banks was a lucrative business model - today only the desperate try to rob banks:

"the evolution of anti-robbery technology has made it much more difficult to rob a bank and get away with it in the modern era. Exploding dye packs, security cameras, and silent alarms have all contributed to the drop in successful bank robberies" - crimemuseum.org

Even cybersecurity hacking has become more difficult - offensive actors typically need to exploit multiple vulnerabilities to achieve their objective. For example, the sophistication of the Cozy Bear team is impressive - they used multiple techniques and exploits to eventually get to their intended victims.

Every move along a kill chain offers defenders an opportunity to detect the attackers and stop them. For example, the recent Microsoft blog on the compromised DLL file highlights some of this complexity and shows at least five points where the attackers might have been detected. 

Unfortunately, with our current security models and poor communication between defenders, we aren't taking advantage of these detection points. The attackers are becoming more coordinated and professionalized, while the defenders are still working as individual companies. Communications up and down the supply chain are poor. For example, when the primary method to get vulnerability notices from your supplier is an emailed human-readable PDF and every supplier uses a different layout, there is little chance to automate your defence. As a result, for many companies vulnerability management is largely a case of "when I get to it". That gives attackers with good automation a real advantage over the defenders.

Hopefully these latest attacks will drive better inter-company communications throughout the industry. When we can get vulnerability notices, SBOMs, end-of-life reports and malware indicators all in a coordinated format from every supplier, then we will start to turn the corner.

Regards

Eric
CEO, aDolus Technology 
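Eric's point about emailed PDFs versus a coordinated machine-readable format, and the post's note above that SBOMs only pay off as part of a larger assessment, are easier to see with a small worked example. What follows is an added illustration, not code from aDolus, Reliable Energy Analytics, or the article: it takes an SBOM and a vulnerability advisory, both constructed here as samples in a simplified CycloneDX-like and advisory-like JSON layout (the `introduced`/`fixed` field names, the `pkg:generic/acme/...` package URLs and the advisory id ACME-SA-2020-0001 are hypothetical), and automatically reports which installed components fall inside an affected version range. Nothing comparable can be done against a PDF without a human reading it first.

```python
import json

# Constructed sample SBOM (simplified CycloneDX-like JSON; not a real vendor file).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-shipper",
     "purl": "pkg:generic/acme/log-shipper@2.3.1"},
    {"type": "library", "name": "modbus-stack",
     "purl": "pkg:generic/acme/modbus-stack@1.8.0"},
    {"type": "application", "name": "hmi-runtime",
     "purl": "pkg:generic/acme/hmi-runtime@5.0.2"}
  ]
}
"""

# Constructed sample advisory (hypothetical layout: one entry per affected
# package URL with an "introduced"/"fixed" version range; "fixed" is exclusive).
ADVISORY_JSON = """
{
  "id": "ACME-SA-2020-0001",
  "severity": "high",
  "affected": [
    {"purl": "pkg:generic/acme/modbus-stack", "introduced": "1.2.0", "fixed": "1.9.0"},
    {"purl": "pkg:generic/acme/hmi-runtime", "introduced": "5.1.0", "fixed": "5.1.3"}
  ]
}
"""


def parse_version(text):
    """'1.10.0' -> (1, 10, 0). Numeric tuples compare correctly where a plain
    string comparison would wrongly rank '1.10.0' below '1.9.0'."""
    return tuple(int(part) for part in text.strip().split("."))


def split_purl(purl):
    """'pkg:generic/acme/foo@1.2.3' -> ('pkg:generic/acme/foo', '1.2.3')."""
    base, _, version = purl.partition("@")
    return base, version


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed release is not affected)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisory(sbom_text, advisory_text):
    """Return one record per SBOM component that falls inside an affected range."""
    sbom = json.loads(sbom_text)
    advisory = json.loads(advisory_text)
    hits = []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp["purl"])
        if not version:
            # A purl without a version cannot be evaluated; a real tool should
            # flag this as an SBOM quality defect rather than silently pass it.
            continue
        for entry in advisory.get("affected", []):
            if entry["purl"] == base and is_affected(
                version, entry["introduced"], entry["fixed"]
            ):
                hits.append({
                    "advisory": advisory["id"],
                    "severity": advisory["severity"],
                    "component": comp["name"],
                    "version": version,
                    "fixed_in": entry["fixed"],
                })
    return hits


if __name__ == "__main__":
    for hit in match_advisory(SBOM_JSON, ADVISORY_JSON):
        print(f"{hit['advisory']} ({hit['severity']}): {hit['component']} "
              f"{hit['version']} is affected; fixed in {hit['fixed_in']}")
```

On the constructed data only modbus-stack 1.8.0 is reported: hmi-runtime 5.0.2 sits below the affected range, and log-shipper is not mentioned by the advisory at all. Two details matter in practice: versions are compared as numeric tuples, because string comparison would place 1.10.0 before 1.9.0 and miss affected builds, and the match key is the package URL rather than the display name, since names differ between suppliers while the purl is meant to be stable. Real CycloneDX SBOMs and CSAF/VEX advisories carry considerably more structure than these samples, but the automation they enable is exactly this kind of join.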

Matt Chester on Dec 28, 2020

Thanks for the detailed response, Eric, and I love the parallel with the development of physical security through bank robberies and the defense that has made that just a thing of Hollywood movies now.
