By Eric Byres
Schneider Electric issued a security notification last month regarding their Communications and Battery Monitoring devices for their Conext Solar Energy Monitoring Systems. It seems that these products had been shipped with malware-infected USB drives.
Bravo to Schneider Electric for coming clean with their customers and explaining how to deal with the situation. Happily, Schneider notes the infected files won’t affect the devices themselves and the particular malware is easy to detect and remove by common virus scanning tools.
If all of Schneider’s customers read these alerts, this should remain a minor affair. But that’s a pretty big assumption.
Because of the serpentine nature of ICS distribution channels, I suspect no one in the world knows if the Schneider notice is getting to the people who are hands-on with the Conext product. It could be sitting in some purchasing manager’s inbox, never to be forwarded to the field technicians; or languishing in the mail room of an engineering firm long on to another client. Clearly, vendors and asset owners need better methods of sharing urgent security notices.
But what is especially interesting is the thumb drives were not infected at Schneider’s facilities. They were infected via a third-party supplier during the manufacturing process. Like all major ICS vendors, the supply chain for Schneider hardware, software (and even the media upon which it is shipped) is exposed to many hands.
This situation highlights an alarming reality in the ICS world. Just because a digital file comes from a trusted vendor doesn’t mean you can trust all the other companies that touched that file.
Who knows which “third-party supplier’s facility” was involved in contaminating those USB drives?? Was it the USB manufacturer… or a duplication company… or even a graphics company who added some branding? Schneider Electric no doubt will be re-thinking that relationship, but the fact remains they have to work with third parties to get their products to market.
The worrisome question is, what other ICS vendors use that same third-party supplier? How widespread is the infection? It seems unlikely Schneider Electric is this supplier’s only customer. Naming and shaming the supplier may be fraught with legal consequences (or perhaps they are still tracking down the specific vendor) so Schneider has remained silent for now on the source of the malware. That means all the other vendors out there and their customers may be exposed as well. Or not. We don’t know – and that is a problem.
One hopes if other vendors have detected issues with their USB drives, they will follow Schneider Electric’s lead and issue prompt alerts. Some vendors are better than others at transparency and there will likely be some who choose to lay low instead to avoid bad publicity. It is a pity because vendors like Schneider are as much a victim in this scenario as the end users.
Along those lines, there is an answer to the issue via a platform for ICS asset owners and vendors that offers an ecosystem of trust where they can verify software of, let’s call it “complicated origin” and ensure it hasn’t been tampered with before they install it.
Eric Byres is the chief executive at software security validation provider, aDolus. This is an excerpt from an article that originally published on the aDolus blog.