The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

Post

Seriously…never buy vulnerability-free software!

Tom Alrich's picture
Supply chain Cybersecurity Risk Management and NERC CIP-013 consulting Tom Alrich LLC

Currently with Tom Alrich LLC, I provide strategy and compliance consulting to electric power industry clients and vendors to the power industry, focusing on the NERC CIP cybersecurity standards....

  • Member since 2018
  • 313 items added with 89,056 views
  • Jun 20, 2022
  • 147 views

 

In this recent post (and a couple subsequent ones), I discussed an interesting presentation by Tom Pace of NetRise. In it, he described how he’d found 1,237 vulnerabilities by identifying components in the firmware in a device that’s used in many ICS environments.

Having vulnerabilities – and sometimes a lot of them – is certainly not unique to this product. Why did I write three posts about this discovery? The problem is that, were you to look for vulnerabilities for that product in the National Vulnerability Database (NVD), you would get the message “There are 0 matching records.” Sounds good, doesn’t it? No vulnerabilities at all! That conclusion is true, except it’s off by 1,237 vulnerabilities.

Now, suppose you were comparing three products in advance of a procurement decision, and you look up vulnerabilities for all three. For two of them, you find a handful of vulnerabilities, but for the third product, you get the above message. Would you tell the first two vendors, “Thanks, but no thanks”, and write up your PO for the third vendor? I’m sure many organizations would.

Of course, this would be a mistake, since Tom found 1,237 vulnerabilities listed for components in just the firmware of this device. But it turns out the true story is worse: Tom said last week that after further analysis, he identified 2,200 vulnerabilities in components included in the device’s firmware. Even worse, after analyzing all of the software installed in the device, he estimates there are around 40,000 component vulnerabilities in the whole device. That’s a lot.

To be sure, these aren’t all exploitable vulnerabilities. As I’ve mentioned often, probably 90-95% of vulnerabilities identified in software and firmware components within a device aren’t exploitable in the device itself, often because of how the component was implemented. Let’s say that the percentage for this device is 95%, meaning only 5% of the identified vulnerabilities are exploitable. That’s still 2,000 exploitable vulnerabilities in a single device

This is obviously not good, but what’s even worse is the fact that not a single one of these 2,000 exploitable vulnerabilities appears in the NVD. They don’t appear because the supplier never registered the product. If the supplier (or somebody else) doesn’t register a product, it doesn’t get a CPE name. And if it doesn’t have a CPE name, nobody can report vulnerabilities for the product to the NVD. The product will appear to be perfect – no vulnerabilities, either current or reported in the past.

In fact, this supplier is so good that they’ve never registered any of their 50 or so products – meaning everything this supplier makes has a perfect record! Moreover, they don’t even mention the word “security” or “vulnerability” on their website. Why should they, given that all of their products are perfect?

Of course, that company’s products aren’t perfect – just the opposite. And the company is hardly unique. There are lots of other companies that haven’t registered some or all of their products on the NVD, meaning that anyone searching for vulnerabilities in those products will also get the message, “There are 0 matching records.”

What does all this means? I hope you’re sitting down, since I need to give you some bad news: There are no perfect products or perfect suppliers (there’s also no Santa Claus or Easter Bunny. Might as well give you all the bad news at once). You should never interpret the fact that you can’t identify vulnerabilities for a software product (or intelligent device) in the NVD (or any other vulnerability database, of course) to mean that the product doesn’t have vulnerabilities.

But there’s more to it than that. Not only should you stay away from “perfect” products, but you should also deliberately favor products that show a lot of vulnerabilities in the NVD. Why is this? Remember, vulnerabilities are almost always reported by the suppliers themselves. Would you rather buy a product from a supplier that has only reported a few vulnerabilities in the past year or two, or from one that has reported a lot of them? If a supplier has only reported a few vulnerabilities, this doesn’t mean they’re good; on the contrary, it probably means they’re clueless in cybersecurity matters. It means the supplier isn’t looking very hard – or not at all – for vulnerabilities, so they’re not finding many.

Steve Springett, who I’ve written about a number of times and who is tasked with helping 2,000 coders produce secure software in his day job, said last week that his company deliberately favors products for which there are a lot of reported vulnerabilities. They consider this a sign that the supplier is diligently seeking out vulnerabilities, not waiting for their product to be hacked.

So not only should you avoid “perfect” products, but you should actually seek out suppliers that have reported a lot of vulnerabilities. Of course, you also want to make sure that such a supplier hasn’t left serious vulnerabilities unpatched. My guess is, if a supplier has found and reported a lot of exploitable vulnerabilities, they’ve also done a good job of patching them. In fact, the supplier should report vulnerabilities, even if they’re patched.[i] That’s the only way the rest of the world will learn about the real impact of particular vulnerabilities.

Any opinions expressed in this blog post are strictly mine, and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] There are limits to this suggestion. I know that suppliers discover vulnerabilities in products under development all the time, and patch them immediately. I don’t think they need to report those. But when a vulnerability develops in a product that’s already on the market, they always need to report it – along with providing the patch, of course.

Tom Alrich's picture
Thank Tom for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member
Discussions
Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.
Jim Stack's picture
Jim Stack on Jun 20, 2022

Software is soft which is changeable so you can adjust and fix it. Firmware that you mention if firm and not normally accessable  to the user and can't be changed. It would be much harder to fix since a new chip would have to be issued and installed to fix firmware. 

     Stopping hackers with security like firewalls would be the best solution. Also monitoring all use on the site would be another good step. Limiting access can prevent a lot of future problems. 

Tom Alrich's picture
Tom Alrich on Jun 20, 2022

Jim, there's zero chance that someone will change either software or firmware after it's installed. The problem is that the coding of the software or firmware contains vulnerabilities, both existing vulnerabilities and new ones that haven't been discovered yet. These were "baked in" when the software or firmware was written. Firmware is loaded onto electronically-programmable chips, and unlike software, it can be changed before it's installed (software can't be changed after it's compiled).

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »