08 Sep 2019 Where Do Your Bits Really Come From? – Eric Byres | Podcast Episode #18
Industrial security pioneer Eric Byres, CEO of aDolus, speaks to software supply chain trust issues and some of the technology his new venture aDolus Inc. is developing to help. Click PLAY
In this podcast Andrew Ginter talks to Eric Byres, about potential problems with the Software supply chain for Industrial sites. They asks how users can trust the firmware and software that they load into their industrial control systems.
Eric Byres shares two problems that concern users:
1. Counterfeit Software with embedded Trojans: Attackers use these to attack suppliers of Industrial Control System Hardware. By attacking one vendor they can attack hundreds of industrial sites. The site manager downloads the software once and installs many times resulting in malware deep in the control system.
2. The Software “Bill of Materials”: Software from a specific vendor may be made up of Software libraries (often legacy) and third party Software from other vendors. How does the site manager know what the product they want to install is made up of, and where all the chunks came from. If the software on the system is made up of components from many sources, they then need to track security updates for all of these software components. Having an actual list of the software components is valuable when vulnerability reports are published as the user can then protect themselves.
Andrew and Eric talk about some possible solutions to these problems for instance certificate chains; however, these have many limitations as explained in the podcast. Andrew and Eric then discuss the solution presented by aDolus who make a database of all the third party components and libraries that make up various software packages and validate installation packages.