Newsletter 6/22/2022
The Next Looming Supply Chain Crisis, Now as I was saying before I was so rudely interrupted... |
That the open source software that powers much of today's industrial infrastructure must be re-evaluated from a security viewpoint is now apparent to decision makers across many sectors of the world economy. It has been reported that "software supply chain attacks grew by more than 300 percent in 2021 in comparison to 2020." A supply chain attack is best defined as follows: "A supply chain attack is a type of cyberattack that targets a trusted third-party vendor who offers services or software vital to the supply chain. Software supply chain attacks inject malicious code into an application in order to infect all users of an app, while hardware supply chain attacks compromise physical components for the same purpose."

The CrowdStrike article cited above makes the salient point that "Software supply chains are particularly vulnerable because modern software is not written from scratch: rather, it involves many off-the-shelf components, such as third-party APIs, open source code and proprietary code from software vendors."

Managed service providers (MSPs) are a case in point. MSPs provide services that usually require both trusted network connectivity and privileged access to and from customer systems. Many organizations, ranging from large critical infrastructure organizations to small- and mid-sized businesses, use MSPs to manage ICT systems, store data, or support sensitive processes. Many organizations make use of MSPs to scale and support network environments and processes without expanding their internal staff or having to develop the capabilities internally. Or, put more succinctly in a press release issued the same day by the NSA: "MSPs make attractive targets for malicious actors, including nation-state actors, because compromising an MSP network allows for access to and compromise of the provider-customer trust relationships."

Of course, developers of projects based on open source software are themselves increasingly aware of the security risks of their products. In one survey of software developers, "54% of survey respondents said their firm knowingly releases software with potential security risks." In the same survey, "98% of respondents said that using third-party software, including open-source software increases security risks."
Siemens' SINEC NMS is a popular tool used by operators to understand how Siemens control systems and operations are functioning on the network, how they are connected to and dependent on one another, and what their current status is. The diagnostics and network topology generated by the tool allow operators to see and respond to events, improve configurations, monitor device health, and carry out firmware upgrades and configuration changes. The article referenced above shows a screenshot of the Siemens SINEC NMS. The image displays a Windows network-style layout and is an example of the "diagnostics and network topology generated by the tool" described above. Thus, access to the Siemens SINEC NMS control panel would also provide access to the entire network.

Team82 researched Siemens SINEC and found 15 unique vulnerabilities that could allow a user to escalate their permissions, gain administrative rights to the system, leak sensitive information, cause a denial of service on the platform, and even achieve remote code execution on the hosting machine with NT AUTHORITY\SYSTEM privileges. The programming language behind Siemens' SINEC NMS is Java, using the Spring framework. We might remember that vulnerabilities in a Java library launched the Log4j debacle. These systems impact everyone at one time or another.
Gerald Reiff