ICS/OT Supply Chain

This article is an attempt to explore some real issues that affect the ICS software supply chain, issues that could have an effect on an ICS vendor or an asset owner. Allow me to focus on JavaScript (npm) and Python (PyPI) to demonstrate how the software supply chain is a major issue for most. I'm assuming that those two programming languages exist in some or many ICS products. The open source philosophy is a blessing for many of us who use the internet. There are plenty of open source projects that have benefited us in technology, cyber security and ICS cyber security. The downside of open source that I see is the misuse of this concept, intentionally or accidentally. There are platforms that host open source projects or manage open source packages (npm, PyPI, Linux distribution package managers, etc.). The most famous platform is GitHub. As we know, there are risks in exposing your source code, but I will focus on the concept of trusting that code and, worse, downloading the code without checking it. There could be a series of issues, like writing exploits for vulnerable code, exposing sensitive information, or stealing a developer's credentials that could lead to a code modification.

At the time of writing, there are 363,309 projects inside the PyPI repository. There is also a huge number of JavaScript packages (over 1.3 million) in the main npm registry. So what are the common issues with JavaScript and Python packages? I'm sure they apply to other package managers too:

  • Deprecated package: no longer updated and maintained.
  • Empty package: no code in the package.
  • Malware inside a package.
  • Troll package: a joke package.
  • Package squatting: a malicious package with a name similar to that of a legitimate package.

Supply chain security and SBOM are recently trending in ICS cyber security, especially after it started to affect software companies and their vendors, e.g. SolarWinds and Log4j, not to mention other cases and scenarios that are also major, and other undisclosed cases. How many HMI, PLC or SCADA software products use JavaScript or Python packages? I will leave this for you to comment on. I'm just using JavaScript and Python as an example; the same applies to other programming languages. One of the issues of the supply chain is that a single package may require many dependencies, and with all these dependencies and updates that you get by trusting existing package managers, you may get a malicious update. So it's a good practice for vendors to look at these issues and common malicious behaviors within their products and develop a framework on how to deal with them. For asset owners, I would recommend, if they have employees who can read code, to look at their products and ask vendors for a report or whether they have an SBOM. If your organization can afford a third party that offers software supply chain security services, that could also help.
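As an added example (not code from the original post), here is a small Python audit script that turns the package issues listed above and the "check before you trust" advice into something a vendor or asset owner can actually run against a product's requirements.txt. It normalises package names the way PyPI does, then flags unpinned versions (the path by which a malicious update arrives), packages on a deprecated list, and names that are look-alikes of an internal allowlist (package squatting). The allowlist, the deprecated list and the sample requirements, including the look-alike name pymodbuss and the package legacy-example-lib, are constructed for illustration and are not real packages or a real product's dependency list.

```python
"""Audit a requirements.txt for the supply-chain issues discussed above.

Hypothetical helper written for this article; the reference lists and the
sample requirements are constructed, not taken from any real product.
"""
import re

# Constructed reference data (assumption: the organisation keeps an
# allowlist of vetted packages and a list of packages it knows are unmaintained).
KNOWN_PACKAGES = {"requests", "numpy", "pyserial", "pymodbus", "cryptography"}
DEPRECATED_PACKAGES = {"legacy-example-lib"}  # constructed placeholder name

# How close a name must be to an allowlisted one before we call it a look-alike.
# Edit distance 2 catches swapped or doubled letters; tune for short names.
LOOKALIKE_DISTANCE = 2

# Constructed sample input: what a vendor's requirements.txt might look like.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0
Numpy>=1.24
pymodbus==3.5.4
legacy-example-lib==1.0
pymodbuss==1.0
unknownlib==0.1
"""

REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot squatted look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line: str):
    """Return (normalised name, operator, version) or None for comments, blanks
    and pip options such as '-r other.txt'. Extras like pkg[security] are dropped."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    stripped = re.sub(r"\[[^\]]*\]", "", stripped)
    m = REQ_LINE.match(stripped)
    if not m:
        return None
    return normalize(m.group(1)), m.group(2), m.group(3)


def audit(requirements: str):
    """Return a list of (package, finding) tuples for the given requirements text."""
    findings = []
    for line in requirements.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, op, version = parsed
        # Anything not pinned to an exact version can silently pull a new release.
        if op != "==" or not version:
            findings.append((name, "unpinned"))
        if name in DEPRECATED_PACKAGES:
            findings.append((name, "deprecated"))
        elif name not in KNOWN_PACKAGES:
            # sorted() makes tie-breaking deterministic across runs
            closest = min(sorted(KNOWN_PACKAGES), key=lambda k: levenshtein(name, k))
            if levenshtein(name, closest) <= LOOKALIKE_DISTANCE:
                findings.append((name, f"look-alike of {closest}"))
            else:
                findings.append((name, "not on allowlist"))
    return findings


if __name__ == "__main__":
    for package, finding in audit(SAMPLE_REQUIREMENTS):
        print(f"{package:20} {finding}")
```

Running it on the constructed sample reports numpy as unpinned, legacy-example-lib as deprecated, pymodbuss as a look-alike of pymodbus and unknownlib as not on the allowlist, while requests and pymodbus pass. The same checks apply to a package-lock.json or an SBOM export; only the parser changes.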
