I’m sure many of you have been spammed by an email from TDI about a “NERC CIP Cyber Asset Alert”. I personally received three alert emails plus a blog spam. We get a lot of this type of material, but this one topped anything we have received lately in pure FUD and hype to promote a product.
The issue they raise is vulnerabilities in “service processors” such as iLO, IPMI, or SSP. Service processors are often secondary processors in systems for basic management such as rebooting, shutdown, hardware performance monitoring and BIOS configuration. They are correct that there is little authentication or logging on service processors, similar to the situation we have today with PLCs and other field devices.
The security approach is the same as for any other system. If not used, disable it or make it unavailable – or, since many service processors use a second, dedicated NIC port, just don’t use that port. If used, make sure it is actually needed. If needed, limit access [perhaps a service processor VLAN], secure it as well as possible, and verify you are willing to accept the associated risk. We have seen a couple of asset owners use these service processors, but most do not, so it is far from a widespread problem in control systems.
The tie to NERC CIP and the ALERT framing are what is offensive. Just because a system supports a routable protocol does not make it a CIP critical cyber asset. Also, the logging requirements they mention in CIP-005 are requirements at the electronic security perimeter, not on each individual Critical Cyber Asset. Lastly, even if a critical cyber asset used a service processor, it is not clear or certain that a TDI-type product would be required to be compliant with NERC CIP. We have enough real problems reducing risk to an acceptable level. This would be easily handled and would sit very low on most asset owners’ priority lists.
TDI may have fine products, but they sure missed the mark on marketing – at least for me.
One final comment – it appears that SANS is complicit in this effort based on webcasts, email and research. TDI’s technology was a topic of a recent SANS webcast; these webcasts are commercials paid for by the vendor and publicized via email blasts. After that, SANS announced the seriousness of this problem and $20K in research funds on this topic. Did TDI provide the money for this research? There is nothing wrong with any of this, but at the SCADA summits Alan Paller throws off such a “vendors are evil, profit hungry” vibe and SANS pretends to be pure. The double standard and lack of transparency have always bothered me.