Industrial Supply Chain Matryoshka Risk


The corollary to “I stand on the shoulders of giants” is “There’s a lot to know and understand inside the black box”. Last week we had a critical Palo Alto vulnerability announced. But that code, and its trouble, is also renamed and embedded in other things, things which often have a longer life. In this case a Siemens RUGGEDCOM APE1808 gets the security advisory. This comes from a partnership Siemens and Palo Alto did to “Protect Critical Infrastructure”. In this case: a rugged “PC” from Siemens, some software from Microsoft, some VMs, some Palo Alto NGFW.

So here, some organisations will have read the big-news headline “Palo Alto NGFW causes world ending issues” and said, “there but for the grace of god go I, someone else’s problem”. And, of course, they have the same tech under a different label. In this case, a type of vendor Matryoshka doll.

This nesting of code is a very deep stack. To help unravel it, the industry created the concept of a Software Bill of Materials (SBOM). These suddenly came to light again in a 2021 US Executive Order: “providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;”

At Agilicus, we use the SLSA attestation model to show what went into our software. But it becomes very complex when there is entire-product composition as we see here.

To make this particular case even more complex, the Siemens APE1808 device discussed is designed to be used by system integrators, hosting even more software inside. The risk models are both nested and might even have loops.
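To make the SBOM and nesting points above concrete, here is an added example (not Agilicus or Siemens code) that walks a CycloneDX-style dependency graph to find every path by which a named component ends up inside a product, while tolerating loops. The SBOM content, the `bom-ref` values and the loop are constructed for illustration and are not the real composition of any device.

```python
# Added example: SBOM below is constructed; bom-ref values are hypothetical.
SBOM = {
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"bom-ref": "ape1808", "name": "RUGGEDCOM APE1808"}},
    "components": [
        {"bom-ref": "host-os", "name": "host operating system"},
        {"bom-ref": "ngfw-vm", "name": "NGFW virtual machine"},
        {"bom-ref": "pan-ngfw", "name": "Palo Alto NGFW"},
        {"bom-ref": "integrator-app", "name": "integrator application"},
    ],
    "dependencies": [
        {"ref": "ape1808", "dependsOn": ["host-os", "integrator-app"]},
        {"ref": "host-os", "dependsOn": ["ngfw-vm"]},
        {"ref": "ngfw-vm", "dependsOn": ["pan-ngfw"]},
        # Constructed loop: integrator software and the firewall reference each other.
        {"ref": "integrator-app", "dependsOn": ["ngfw-vm"]},
        {"ref": "pan-ngfw", "dependsOn": ["integrator-app"]},
    ],
}


def find_embedded(sbom, needle):
    """Return (paths, loops): each path runs from the top-level product to a
    component whose name contains `needle`; loops are cycles met on the way."""
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    names[root["bom-ref"]] = root["name"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, loops = [], []

    def walk(ref, trail):
        if ref in trail:  # already on this path: record the loop and stop
            loops.append(trail[trail.index(ref):] + [ref])
            return
        trail = trail + [ref]
        if needle.lower() in names.get(ref, ref).lower():
            paths.append([names.get(r, r) for r in trail])
        for child in edges.get(ref, []):
            walk(child, trail)

    walk(root["bom-ref"], [])
    return paths, loops


if __name__ == "__main__":
    paths, loops = find_embedded(SBOM, "palo alto")
    for p in paths:
        print(" -> ".join(p))
    print("loops:", loops)
```

An asset owner who only searches their inventory for the outer product name would miss both paths this prints; the search has to run over the inner components.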

So in this case, an application hosting platform that you may have parked in your brain as “unimportant side quest application” could be viewed by attackers as “express onramp to lateral traversal”. In much the same way as some phishy cyber-criminals once used a fish-tank at a Vegas casino.

Matryoshka Dolls Trivia

History and Origin

  • Matryoshka dolls, also known as Russian nesting dolls, originated in the late 19th century in the village of Sergiev Posad, near Moscow, Russia.
  • The first matryoshka was carved by a woodworker named Vasily Zvyozdochkin and painted by artist Sergei Malyutin in 1890.
  • The dolls were inspired by Japanese “daruma” dolls, which were hollow and contained a smaller doll inside.

Design & Construction

  • Matryoshka dolls are traditionally made of linden wood, which is lightweight and easy to carve.
  • Each doll consists of a series of hollow, wooden figures that fit inside one another, from the largest to the smallest.
  • The outermost doll is typically a woman wearing a traditional Russian sarafan dress and a kerchief.
  • Each subsequent doll inside is progressively smaller and represents a different aspect of Russian culture, such as a child, a peasant, or a traditional craft.
  • The dolls are hand-painted with bright colors and intricate designs, often featuring floral patterns, scenes from Russian folklore, or other traditional motifs.

One thing is certain in my mind. Defence in Depth remains important. Rather than a single, infinitely strong firewall & VPN, we need to think about “they got in through the first layer, how do we slow, observe, protect” at each layer. And for this, Zero Trust remains part of the gold standard. In “Three Strategies To Help: Cisco ASA AnyConnect and WebVPN added to CISA Known Exploits” I give three simple tactics that have enduring value, and are uncorrelated to specific risks like the above. Give them a read and a try!