SolarWinds Orion: The Weaponization of a Network Management System
- Jan 13, 2021 6:45 pm GMTJan 13, 2021 6:55 pm GMT
- 196 views
The SolarWinds Orion platform is essentially a SCADA system for network management. Almost all guidance on addressing SolarWinds has focused on IT or Operational Technology (OT) networks. As an example, CISA released Emergency Directive (ED) 21-01 Supplemental Guidance version 3: Mitigate SolarWinds Orion Code Compromise providing guidance for networks. However, the SolarWinds attack has demonstrated that Network Management Systems (NMS) are ideal cyberattack targets for devices. NMS consoles are present in most data centers, network operations centers, utility and energy control rooms, etc., which provides cyber attackers access to critical data and/or operations. NMS platforms can monitor and control virtually any network, control system, or IoT device within their network reach. NMS platforms and devices are used by control system/building control suppliers and system integrators as well as control system/building control system end-users. Potentially affected systems include not just servers and networks but also critical power systems, cooling systems, and other control systems. SNMP also monitors Ethernet switches which are used in all OT networks. Additionally, there are minimal control system cyber forensics at the device level.
NMS platforms use the Simple Network Management Protocol (SNMP) as their means of communicating to the broad range of products they monitor and control. As pointed out previously (https://www.controlglobal.com/blogs/unfettered/the-solarwinds-hack-can-directly-affect-control-systems), well-researched studies have shown that SNMP is highly vulnerable to cyberattack. The most recent version of SNMP is now nearly 20 years old and, communicating with mission critical systems using an insecure 20-year-old protocol has been a disaster waiting to happen. The Russians have shown skill in gaining control over SNMP devices as they demonstrated in the 2015 Ukrainian power grid attack where they initiated this attack by compromising the Uninterruptible Power Supply (UPS) via its SNMP communications card.
NMS platforms are ubiquitous in facilities today. These systems are offered by most vendors of networking equipment, from very small players up to the largest network system vendors. The SolarWinds hack demonstrated that simply placing these units behind a firewall is not enough to protect them or to protect the devices they manage.
Unfortunately, some organizations without providing even the most basic cyber protection for their NMS systems have placed them directly on Internet connections where they are openly available. While some may assume that sites with Internet-exposed NMS systems are located only at small company sites, this is not the case. A number of large companies and organizations also have their NMS viewable on the Internet. Hence, both large and small enterprises are vulnerable to discovery and attack.
It doesn’t require an NMS to control an SNMP device. Because logins for SNMP devices typically use universal names such as: “public” and “private”, a cyber attacker need only search for mission critical SNMP control system devices directly on the Internet. Using an IoT search engine, more than 100,000 UPS/Power Distribution Units (PDUs), 50,000 Battery Monitoring Systems, and 100,000 Building Management Systems at critical facilities are viewable on the Internet. Many of these were secured only with a login and password via HTTP. This is significant because many of these systems are mission critical to their facilities. For example, UPSs are used in a wide variety of manufacturing plants, data centers, and commercial buildings. UPSs represent a single-point-of-failure in these mission critical systems and many use SNMP communications cards manufactured in China.
Given the level of detail and planning it took to carry-out and simultaneously hide the SolarWinds attacks at multiple sites, it would be expected that many SNMP devices have already been compromised. It seems likely that some, and quite possibly many of the hundreds of thousands of systems which are viewable on the Internet have already been compromised. For example, there have been a significant number of recent data center outages without adequate explanations that have left their customers wondering about the true cause. Many of these events may be unintentional cyber incidents while some may be cyberattacks as noted in https://www.controlglobal.com/blogs/unfettered/data-centers-have-been-damaged-and-they-are-not-being-adequately-cyber-secured/.
The significant number of NMS devices which are reachable online illustrates there is a cavalier attitude toward cyberattacks against mission critical systems. Yet, SNMP is an ideal protocol to be weaponized for cyberattacks and will continue to be used until users employ appropriate measures to secure their critical SNMP systems. There are control system-specific technologies that can be developed to secure SNMP control system devices.