Unexplained electronic components have allegedly been found in imported equipment for Denmark’s energy supply network this week, according to industry group Green Power Denmark, who have confirmed that an investigation is underway.
“It concerns printed circuit boards that were supposed to be part of components for the energy supply,” said Jorgen Christensen, technical director at Green Power Denmark. He continued, “We don’t know how critical it is or whether there are bad intentions behind it.”
Christensen declined to specify which country the equipment originated from, who was conducting the investigation or to elaborate on the components’ capabilities. Christensen said the components were discovered recently during a routine examination of circuit boards that were due to be installed in energy supply equipment. The circuit boards might have been designed for multiple purposes, which could explain the presence of additional components, but Christensen emphasised they should not be included in equipment destined for energy infrastructure.
“It’s possible the supplier had no malicious intent. We can’t say at this point, but that doesn’t change the fact that these components shouldn’t be there,” Christensen said.
The revelation from Denmark follows on recent news that US energy officials allegedly recently found rogue communication devices in Chinese-made solar inverters and batteries that could potentially bypass firewalls and destabilise power grids.
News in the Channel sought commentary and insights from the industry. UC Advanced readers may recall the article John Moor, Managing Director of the IoT Security Foundation, commented on the PSTI (Product Security and Telecommunications Infrastructure) Act in issue#15.
Moor commented, “Whilst there have been historical concerns around supply chains, these have heightened in recent years as connectivity, the Internet of Things and global supply chains have grown at a rapid rate. This means that the threat can be remote and the attack surface – i.e. where the attack can originate from, is large. This puts a duty of care on all players in the supply chain, and across the operating life of connected systems, to ensure they take reasonable and precautionary steps to protect assets, networks and customers.”
Moor continued, “One area we have been focussed on at IoTSF is the use of bills of materials (BoMs) as a way to assure the provenance of the supply chain and also the integrity of operational technology (OT). We apply the concept of BoMs more broadly in our interest than classic hardware elements – we see significant utility in Software BoM’s (SBoMs) and increasingly in a broader cyber setting – especially AI. We have reports on our website on IoT supply chain and SBoMs. In more recent times we have been promoting AI BoMs – specifically our work in Trustable AI BoMs (TAIBOM) which is showing great promise across many applications. The threats continue to emerge and we must keep abreast of them hence awareness and education are key.”
The Internet of Things Security Foundation (IoTSF) is a not-for-profit, global membership association working to make the connected world ever-more secure.
The IoTSF is hosting its 11th annual conference in London on October 30th and this year’s themes are Resilient IoT and Trustable AI. The conference aims to help product manufacturers and system operators better understand how to protect businesses, find more details here: https://www.iotsf-ai.org.
The Internet of Things Security Foundation (IoTSF) recommends the following information:
- Software Bill of Materials for IoT and OT Devices: https://iotsecurityfoundation.org/wp-content/uploads/2023/02/RELEASE-2022-02-19-IoTSF-SBOM-whitepaper-v1-1-0.pdf
- Securing the IoT Supply Chain: https://iotsecurityfoundation.org/wp-content/uploads/2022/06/RELEASE-JUNE-2022-IoTSF-supply-chain-whitepaper-v5.pdf
- Trustable AI BoM: https://taibom.org
