Supply Chain Issues with Energy Sector ICS Software

ABSTRACT

Energy sector industrial control systems (ICS) have been the subject of a number of high-profile attacks in recent years. While these attacks did not take advantage of the supply chain, many of the same effects could have been achieved by attacking the supply chain. Energy sector ICS software has many of the same issues as traditional IT software: it contains exploitable bugs and must also be updated through a software supply chain. A recent assessment of ICS safety systems showed that this supply chain is highly vulnerable to attack. Furthermore, successful ICS attacks can have serious and potentially catastrophic real-world consequences. Mitigative technology solutions, operational procedures, and training are needed to secure this industry.

BIO

Laura Tinnel is a Senior Computer Scientist at SRI International. Ms. Tinnel was the technical lead for LOGIIC Project 12 and the lead author of LOGIIC Project 12: Safety Instrumentation and Management. Ms. Tinnel has 34 years of experience spanning information technology (IT) and cybersecurity of IT systems, networks, and mixed IT and embedded systems, such as those used in the electric power and the oil and gas sectors. In the last 21 years, she has concentrated on secure architectures, experimentation, evaluations, and testing. She works with stakeholders, technology developers, and expert red teams to plan and conduct rigorous adversary-minded evaluations that illuminate the efficacy of and gaps in attack countermeasures, and to refine system designs to be more resilient to attack. This work includes leading live red-on-blue exercises for government-sponsored research efforts. Previously, Ms. Tinnel was a principal investigator (PI) for and a lead author on the NSF-funded 2015 report, Cybersecurity Experimentation of the Future (CEF): Catalyzing a New Generation of Experimental Cybersecurity Research. She presently serves on the USENIX Security program committee, the Learning from Authoritative Security Experiment Results (LASER) workshop organizing committee, and the Cyber Security Experimentation and Test (CSET) workshop program committee.

 

License: CC-2.5
Submitted by Laura Tinnel on