From: Ulrich Lang
Sent: Friday, May 21, 2021 3:05 PM
To: ElectricSystemEO
Subject: [EXTERNAL] Comment for Ensuring the Continued Security of United States Critical Electric Infrastructure RFI

Dear DOE,

In response to the RFI "Ensuring the Continued Security of United States Critical Electric Infrastructure", ObjectSecurity LLC would like to offer the following comments:

One major issue that is often overlooked with microelectronics Operational Technology (OT) today is that many devices are frequently "installed and forgotten" (from a security perspective at least). Those embedded devices in critical infrastructure and elsewhere are treated like machinery, while they in fact include a lot of computing parts. Often these devices have long lifetimes, are not patched, and are inherently vulnerable. Also, due to the unusual and diverse nature of OT devices (vs. traditional computers), vulnerability scans are difficult, costly and slow (usually done in test labs). Also, supply chain data (e.g. procurement/shipping) isn't automatically considered for vulnerability analysis of OT devices.

To our knowledge, DOE has no current capability to bulk scan OT devices for vulnerabilities (firmware + hardware) in the field by non-experts. Such scanning needs to be done at scale to detect and mitigate vulnerabilities. Ultimately you cannot "outmanage" this problem away, at some point the scanning has to be done - and due to the nature of DOE's many devices in use, conventional approaches cannot scale.

We are currently working with the Navy on an SBIR Phase II to address this, and DOE could benefit from this effort. Please contact me to discuss.

Best,
Ulrich

P.S. Please contact me for further information, incl. nonpublic information I am happy to share.

----------------------------------------------------------------------------
Ulrich Lang, PhD
CEO
ObjectSecurity LLC, 1855 First Avenue, Suite 103, San Diego, CA 92101-2650
Tel. +1-650-515-3391 (reception), Fax +1-360-933-9591
ulrich-doe-rfi@objectsecurity.com, www.objectsecurity.com