There are two new serious security vulnerabilities out in the wild that affect everyone reading this article. You can read the background on Spectre (affects almost all semiconductors made by Intel, AMD, and others) and Meltdown (Intel, Qualcomm, and one type of ARM chip), but the big question for industrial users is how they will impact operations.
The short answer is: No one knows for sure. In theory, Meltdown allows “deep access” to kernel operations, which could affect everything from gateways to cloud servers. Spectre could afflict “all modern processors capable of keeping many instructions in flight” including smartphones. So far, no attacks have been observed in the wild, but we all know how that story goes. It’s only a matter of time before the baddies exploit the vulnerabilities.
In the meantime, industrial vendors have started to issue advisories and patches, especially for Meltdown (Spectre requires a complete redesign of the chip’s architecture, and fixes are apparently limited). Security Week has a rundown of statements and advisories from Rockwell, Siemens, Schneider Electric, ABB, and BD. Other patches and advisories include:
One of the biggest concerns about the fixes is the performance hit, widely reported to be 30% based on benchmarks. Industrial security expert and PPR regular Joe Weiss summed up the problem for industrial users:
“We have a lot of older systems and a lot of these older systems are very resource constrained. When you’re talking about possibly a 30 percent hit on performance, that can actually shut down many of our older legacy control systems. The cure could be much worse than the disease.”
Endpoint: Meltdown and Spectre are serious security vulnerabilities whose impact will be felt for many years to come. Reduced performance can take some older systems offline, a prospect that may force some users to upgrade their own systems. Infrastructure vendors know this, and will surely play up the FUD element to boost sales and maintenance contracts.
This is an excerpt from a previous edition of the Priority Payload Report (PPR) newsletter.