Do you think vulnerabilities below the operating system (in firmware, BIOS, drivers, etc.) should be a concern in your industry?
💯 should absolutely be a concern.
Our computing environments are very commodity driven. We set up contracts with the manufacturer and they deliver our servers and our desktops and laptops, because we buy so much volume. And it turns over every three or four years. And so when Spectre and Meltdown came out a couple of years ago our security team, we looked at each other and we're like, "Do you know what we're supposed to do? What are we doing here?" It turned out mostly to be a nonevent for us. And so I think from a security practitioner in a higher ed space, we have probably a thousand other things and not enough budget to do all of those things. We're just mostly struggling to keep our heads above the water and just doing the basics.
Take a look at Eclypsium. Their patch management at scale would help with a larger footprint of devices (desktops / laptops / servers).
I think broadly it's an issue that doesn't get enough discussion because of all the other things above the operating system that we're all drowning in. In the context of a security company like CrowdStrike, or even Symantec, McAfee, Zscaler, I'd be worrying about this a lot. I really do think it has substantial implications, not only for an individual company or organization but also for society, when that gets weaponized in that way at some point. I just don't know when, but I imagine it in the near future. Imagine ransomware at the firmware level; good luck ever recovering the system. And imagine that in a manufacturing environment, imagine a point of sale system, imagine it in a hospital.
I think it's very industry dependent, and that's okay. I think that's not necessarily a bad thing. And it depends on where you're talking about it too. Are you talking about IoT networks, which can potentially impact other people, where you are now becoming part of the problem? If you're running an IoT network and you're working on connected cars, you need to be thinking about this. You need to be worried about this. And I think that there are some solutions there. Maybe not bulletproof, but if you look at Azure Sphere or what Amazon is doing, you rely on somebody who has the expertise and the knowledge and the kind of weight to do it. If you are Joe Schmoe Manufacturing, you should not be hiring IT people to build your own firmware. You're going to have a bad day. You should be relying on the experts, and it might cost you a little bit more.
Significant concern for electric utilities, as exploits aren't just feasible; they've been seen in industrial controls.