The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

Post

Supply Chain Cyber Attacks — A Threat to Watch for in 2021

image credit: © Kittipong Jirasukhanont | Dreamstime.com
Eric Byres's picture
CEO aDolus Technology Inc.

Eric Byres (PEng, ISA Fellow) is an expert in the field of SCADA/ICS and IIoT security. Experienced in controls engineering, security research and corporate management, he offers a unique blend...

  • Member since 2020
  • 4 items added with 2,070 views
  • Feb 9, 2021 4:43 am GMT
  • 2072 views

This item is part of the Special Issue - 2021-01 - State of the Industry, click here for more

In late-December cyber attackers managed to infiltrate multiple branches of the US government, the US military, and most of the Fortune 500 companies. Known in the press as the SolarWinds or SUNBURST attack, over 18,000 companies were affected. According to reports, there are electric utilities using SolarWinds’ compromised software, but it is not yet clear if the embedded malware has crossed from enterprise systems over to grid operations.

Your access to Member Features is limited.

This attack was what is known as a software supply chain attack. The attackers go after their intended victim by targeting one of their (hopefully less secure) suppliers. It’s sneaky, it’s becoming more common, and it’s a line of attack all energy companies need to be preparing for.

The SolarWinds attack involved the insertion of malware directly into SolarWinds’ Orion network monitoring and management software. SolarWinds then shipped this infected software to its customers, who believing it was tested and safe to use, installed it on servers deep in their operations. Roughly two weeks after it was installed on a server, the malware woke up and called home, giving the attackers full control of the server and the ability to start infecting other equipment on the customer’s network.

It was a clever and subtle (and widely regarded as state-sponsored) infiltration: the modifications to the software were hard to detect, the infected package was signed with a valid SolarWinds certificate, and when deployed, the malware delayed for several weeks before calling back to its command-and-control server. 

In the future, energy companies can expect more cyber adversaries to forgo frontal assaults in favor of supply chain attacks. Unfortunately, if you are looking for a silver bullet to protect your utility from this kind of attack, you’ll be disappointed; 99.9% of the security tools currently available can’t detect supply chain attacks. But the absence of an easy solution doesn't mean there aren’t lessons to be learned from the attack. Plus there may even be a silver lining. So here are some predictions to consider about future cyber risks to the power industry and some reasons for optimism.

First, these attacks are not going to stop in 2021; if anything, they will increase in number and severity.  History backs up this observation. In 2014, we saw a similar attack against European energy and pharmaceutical companies. Known as the Dragonfly attacks, they allowed the attackers (likely associated with the current SolarWinds attackers, if not the same people) to infiltrate hundreds of industrial plants by infecting software from three European Industrial Control Systems (ICS) product vendors. Back in November, we saw South Korea security software users hit in a supply chain attack using trojanized software and, like the SolarWinds incident, also involved signed code. And going way back to the king of ICS cyber attacks, Stuxnet was (in part) a software supply chain attack using stolen certificates. 

The point is, these attacks are nothing new and are even getting worse. According to the report 2020 State of the Software Supply Chain, supply chain attacks surged in 2020, up 430% in the past 12 months. And it is no surprise: researchers at the internet security company ESET stated; "Attackers are particularly interested in supply-chain attacks, because they allow them to covertly deploy malware on many computers at the same time.”

The second prediction is that the industry will finally realize that software code signing on its own won’t help against software supply chain attacks. In most of the previous incidents, the attackers signed their malicious code with a completely valid certificate. It seems the attackers likely penetrated the supplier’s software development teams and stole the signing keys. In the Korean attacks, the bad guys created phony companies (including a US branch of a Korean company) and used those companies’ keys to sign the code. This second approach is easier and almost as effective, because most computer systems don’t bother to check the quality of the signer.

The third prediction is that software providers serving critical infrastructure will start tightening up their product’s communications services. SolarWinds’ Orion product is for network monitoring and is also used for security purposes by many. If you check the list of TCP ports needed for SolarWinds products to operate, you’ll see hundreds of them. And every single one of those connections broadens the attack surface. In this case, the attackers didn’t get into their victim’s system via all those communications services, but they sure did use them to get out to call home. Orion might be great for network monitoring, but its design introduces a lot of unnecessary risks. 

Now, it is not that code signing or network monitoring are ineffective. Indeed, both are absolutely critical tools in your cyber-defence toolbox. But any tool is limited when used all on its own in isolation.

The fourth prediction is rising calls for some method to coordinate the information about the software packages used in critical systems. Say, for example, your supplier provides you with a Software Bill of Materials (SBOM) so that you know all the components in a software package; you should also be checking if those components are signed and by whom. If you run a traffic analysis service on your network and it detects a software package being transferred, you need to understand any potential risk that software is introducing. And if the reputation of that software changes for any reason, you need to know that immediately. The demand for this kind of service is going to grow in 2021, as will cooperation on threats and vulnerabilities in software that spans multiple organizations across multiple industries. 

The final—and biggest—prediction is that suppliers are going to feel the pain more from supply chain attacks, and as a result, start to take action to improve the security of their products. 

While previous cybersecurity attacks have created an abundance of news about the targeted company or product, followed by a brief negative market reaction, these events rarely resulted in any long term improvements to their cybersecurity posture. For example, analysis over the last few years on the impact of breaches on stock price shows that share prices typically, and quickly, recover within one month of the disclosure. In other words, for the executive management of most companies, until recently having a security event has been a temporary inconvenience without any serious financial consequences.  

This is because the victims of a security breach are often not the actual purchaser of the service. For example, when Equifax got hacked and exposed your data, you had no ability to stop your data from being collected by Equifax — that was up to your bank. You personally have no impact on Equifax's bottom line. 

This time around, things will be different. Because it is a software supply chain attack, it is SolarWinds' customers who are getting hurt. The financial impact is hitting closer to where the responsibility and budget for good security reside. And those customers can cancel purchase orders when they feel the pain.

This appears to be the case with SolarWinds: the pain isn’t just being felt by their customers; their sales are taking a hit. During the December 18 US DHS CISA briefing, the DHS CISA recommended organizations fully deactivate vulnerable SolarWinds Orion products for the foreseeable future:

A startling number of large-entity CISOs on the call stated they have no plans to ever reactivate SolarWinds products. Attendees were asking for recommendations from DHS on alternative products. There was even a SolarWinds partner who sells into the US Government requesting a timeline when he could resume sales efforts. DHS declined to answer that. 

After SolarWinds, breaches are no longer going to get swept under the rug after media attention has cooled off. This attack is different because it was a software supply chain attack and the people feeling the pain aren’t going to forget about it. Vendors selling software products now see they need to retain the trust of their sales partners and their end users. Each vendor's reputation—and by extension their bottom line— depends on it

Eric Byres's picture
Thank Eric for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member
Discussions
Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.
Matt Chester's picture
Matt Chester on Feb 9, 2021

Now, it is not that code signing or network monitoring are ineffective. Indeed, both are absolutely critical tools in your cyber-defence toolbox. But any tool is limited when used all on its own in isolation.

Do you think this might highlight an overall shortsightedness? E.g., a company more looks at cybersecurity as a punchlist item to be 'done' and move on, whereas the reality is that cybersecurity is an ongoing long-game and you need to be constantly moving and not consider the box checked off?

Eric Byres's picture
Eric Byres on Feb 12, 2021

Hi Matt

I think there are several reasons.

Certainly, the reason you proposed is a common cause, especially in the regulated industries like utilities, where the true (but unstated) goal of a program can be to avoid fines, not secure systems. I often find the functional maturity of equivalent-sized firm's security programs in non-regulated industries like oil and gas to be higher. This is because the board is pushing the CISO to demonstrably reduce security risk, not compliance risk and the CISO can adjust his/her response to cyber threats according to what the team is seeing in the field.

Another reason is that some technologies are too complex to be used without supporting tools. Take code signing as an example. According to an analysis by TrendMicro:

"more malicious software appears to be signed than legitimate or benign apps (66% versus 30.7%)... This shows that cybercriminals commonly provide software that is signed correctly, therefore running and bypassing code signing validations."

Many companies (and security tool developers) take code signing certificates at face value, not realizing that what matters is who signed them, not if they were signed. That is like airport security accepting your passport without opening it to confirm your photo and details.

The final reason is the one I alluded to in my article.  Too many security tools are used in isolation and good correlation between information and event indicators is poor. That is the core objective of the FACT program that I run - correlation of data from multiple sources to build an overall trust score for the software supply chain.

 

Matt Chester's picture
Matt Chester on Feb 12, 2021

Very helpful-- thanks for your reply and follow up, Eric!

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »