Unconfirmed vulnerabilities are not usually a big issue, but when one like the Supermicro report surfaces, plant management will ask a simple question: “Do we have an issue or not?”
Having been on the receiving end of this blunt exchange, I realize it can be painful and embarrassing to communicate, “I do not know right now.” This type of exchange can recur day to day or week to week as a company’s leadership becomes aware of cybersecurity-related news.
In my experience, three fundamental steps help clarify the issue. To illustrate them, the working example below walks through the management of an unconfirmed vulnerability, based on the Bloomberg report on the unconfirmed Supermicro vulnerability.
(Please note, this blog post is in no way intended to be viewed as an official recommendation. The purpose is to provide an example of how to manage the unconfirmed vulnerability with a plant manager from a communications standpoint.)
Address the fundamentals of the problem by defining the background and status.
In this example, here is what we know:
The article, published by Bloomberg Businessweek on October 4, 2018, traces its origins back to 2015:
“The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources. Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”
Address the verification of the media report and summarize the timeline of activity.
In this example, here is what we know:
- Bloomberg first reported the issue.
- Amazon, Apple, and Supermicro refuted the claims in the Bloomberg report.
- US and UK authorities stated: “Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.”
- Bloomberg then reported additional details; the following text provides the first government acknowledgment:
“In response to the Bloomberg Businessweek story, the Norwegian National Security Authority said last week that it had been ‘aware of an issue’ connected to Supermicro products since June. It couldn’t confirm the details of Bloomberg's reporting, a statement from the authority said, but it has recently been in dialogue with partners over the issue.”
Provide plant management a technically sound course of action based on what you know at the time of the review.
1. What We Know
- Media reports suggest a serious vulnerability.
- If true, it could impact our server-class machines along with other computers.
2. To Date:
- Only a single government agency has stated that it is aware of the issue and is working with partners.
3. Recommended Actions:
- Monitor the DHS and NIST websites for confirmation, and revisit the issue once DHS actually verifies the report.
- Reach out to our DCS manufacturer technical support teams to ensure they are aware of and tracking the reports.
- Ask the manufacturer technical support teams how to perform a quality assurance check to determine whether our installed hardware is something other than what it should be.
Again, this is not an official recommendation. Owners and operators have a responsibility to review the threat landscape and make judgments based on a risk/consequence analysis. They must remain vigilant regarding media reports.
Authors: H. Thomas, D. Gunter, M. Medoff, R. Michalsky