Supply chain attacks on interconnected industrial environments are on the increase, giving criminal hackers, cyber-terrorists and hostile state-sponsored attackers a route into critical infrastructure and operational technology (OT) environments, on top of access to company data and confidential information. The critical difference is that companies can manage the security of their own infrastructure, but that approach is hard to extend to a supply chain whose components belong to third parties or are open source.
The problem is getting worse, as malicious attackers have repeatedly demonstrated that they can reach the nation’s critical infrastructure, power grid systems, water treatment plant controls, medical devices, and other industrial control systems (ICS), all of which depend on software with complex and opaque supply chains built from third-party, proprietary, and open source components.
Last December, FireEye discovered a supply chain attack that “trojanized” SolarWinds Orion business software updates to distribute malware the security firm named SUNBURST. The attackers gained access to victims through the trojanized updates to SolarWinds Orion IT monitoring and management software, which allowed them to monitor network traffic and compromise systems, leading to massive disruption of victims’ operations. The sophistication, breadth, and persistence of the SolarWinds attack created ripples across sectors, as the campaign was carried out by skilled attackers with significant operational security knowledge.
Another global cybersecurity incident struck last month, when attackers executed ransomware attacks against managed service providers (MSPs) and their downstream customers by leveraging a vulnerability in Kaseya Virtual System Administrator (VSA) on-premises products. The Kaseya supply chain attack involved threat actors deploying REvil (aka Sodinokibi) ransomware, and it affected thousands of organizations that were directly or indirectly connected to Kaseya.
Disruptions caused by supply chain attacks often lead to downstream financial impacts, as the incident brings increased downtime and disruption of business processes, which in turn lead to canceled orders, financial penalties, missed deliveries, and other knock-on effects. Beyond the initial compromise, attackers may at times strike again with post-compromise activity, including lateral movement and data theft.
“The number one challenge we’re hearing is that organizations simply don’t know what software they’re running,” Eric Byres, founder and chief technology officer at aDolus, told Industrial Cyber. “For example, the Canadian Security Agency reported that some critical infrastructure companies discovered that they were using SolarWinds products 3 months after the disclosure of the attack. Suppliers of OT software were using SolarWinds as a component and this wasn’t being disclosed to asset owners.”
“Similarly, we see currently-shipping software, such as remote terminal unit (RTU) firmware, that contains obsolete open source components that are replete with vulnerabilities. So it’s important to know what’s buried inside your OT software,” Byres added.
“The biggest challenge is a lack of visibility on what software is actually in their environment. Yes, getting comprehensive SBOMs is critical. But right now, they don’t even know what software to get a BOM on,” John Livingston, CEO of Verve Industrial, told Industrial Cyber.
“Too many organizations rely on manual data/Excel sheets which only list the hardware and maybe the OS or firmware. Others rely on network traffic, which will only tell you what software is communicating on the wire. These organizations need true OT systems endpoint management to identify all of the software on the systems that may be at risk.”
“ICS OEMs are the crown jewels that need the most protection. They integrate the most basic components that are assembled to form an entire ICS system,” Sachin Shah, CTO for OT at Armis, told Industrial Cyber. “In the age of converged ecosystems, technology manifestos, REST API, and application marketplaces, supply chain responsiveness is the key to resilience. Data-driven and connected IT/OT convergence of the economy requires security leadership to extend beyond enterprise security,” he added.
Industrial cybersecurity company OTORIO believes that 90 percent of successful OT attacks can be stopped with proper cyber hygiene. “This entails: mapping your assets and understanding their impact on production; identifying gaps and exposures and taking steps to address them; applying zero-trust mechanisms; and establishing, rolling out and enforcing security policies and best practices,” Yair Attar, CTO and co-founder of OTORIO, told Industrial Cyber.
To better secure their industrial and manufacturing operations against supply chain attacks, these enterprises must put in place benchmarks for assessing and auditing their supply chain partners and providers while complying with present-day government rules and regulations. They need to conduct supply chain security assessments that identify which elements of risk are most relevant to their domains, arrive at appropriate processes and remedies to protect against supply chain attacks, and bring perceived operational risks in line with appropriate supply chain security practices.
“The provision of Software Bill of Materials (SBOMs) as required in Executive Order 14028 and other regulatory initiatives is fundamental to assessing and auditing supply chain partners,” aDolus’ Byres said. “If you don’t know what software you’re using, you definitely don’t know your software suppliers (and their suppliers). For example, because we produce SBOMs, we are getting a lot of requests for help identifying the Country of Origin for key software components in OT products,” he added.
The adoption of supply chain security assessments has been slow-paced. “In the North American power industry, CIP-013 has created a series of new requirements which are present in any utility with NERC medium or high assets. Beyond this, the movement has been very slow,” said Verve Industrial’s Livingston.
The U.S. government has taken several decisive steps to modernize, protect and secure U.S. critical infrastructure and its approach to cybersecurity by increasing visibility into threats, with an eye on curbing supply chain attacks. The administration has also worked towards strengthening computer systems, whether cloud-based, on-premises, or hybrid, and protecting both the IT systems that process data and the OT environments that monitor and control physical processes, devices, and infrastructure.
The draft of NIST SP 800-161, Revision 1 has updated and expanded the scope of supply chain risk management practices in OT environments. Other initiatives have included a voluntary ICS plan that envisages collaboration between the federal government and the critical infrastructure community to significantly improve the security of the critical systems and a national security memorandum that will enhance security for critical infrastructure control systems focused on building cybersecurity and resilience of these systems.
Organizations often fail to establish adequate supply chain visibility, which helps them gather information about supply chain operations, improve efficiency, reduce risk, boost customer satisfaction and increase profits. Large enterprises can strengthen their transparency by adopting various measures, including improved planning, greater insight, and supply chain execution delivered by supply chain management software.
“NIST SP 800-161 is only one of many regulatory and standards pressures bearing down on OT vendors and operators,” said Byres. “In the power industry, you have NERC CIP-013 mandating supply chain security processes by energy suppliers (and issuing fines for non-compliance). From the federal government, you have Executive Order 14028 with sweeping supply chain requirements, followed by a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” he added.
“At this point, satisfying these new rules is a work in progress for most companies. Leaders in this space are demanding SBOMs from their suppliers so they can demonstrate to their customers and regulators that they have a supply chain security strategy,” Byres added.
“Information, communications, and operational technology (ICT/OT) users rely on a complex, globally distributed, and interconnected supply chain ecosystem to provide highly refined, cost-effective, and reusable solutions,” according to Shah. “This ecosystem is composed of various entities with multiple tiers of outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices, all of which interact to design, manufacture, distribute, deploy, use, maintain, dispose of, and otherwise manage products and services,” he added.
“Adoption of standards such as SP800-161 and putting those frameworks in practice is an entirely different discussion. If those standards turn into the formation of policy and enforcement, it will drive the adoption quicker,” Shah said.
OTORIO says organizations need to recognize that third parties will continue to play a significant role in running the OT environment for maintenance, monitoring, and performance optimization. “That being said, we are already seeing manufacturers rise up to the challenge of supply-chain security,” Attar said.
“It is a major challenge to keep pace with the rising number of vulnerabilities and supply chain threats,” Byres said. “We’ve seen it estimated that supply chain attacks are up 430% in the past year and it’s not surprising: supply chain attacks have a great ROI for the perpetrators. Fortunately, evolving standards like VEX (Vulnerability Exploitability eXchange) are helping organizations narrow in on vulnerabilities that really pose a risk to their systems and prioritize their efforts,” he added.
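The SBOM-then-VEX workflow that Livingston and Byres describe above, as an added example (not code from Industrial Cyber or any of the vendors quoted): a software inventory is matched against a vulnerability feed, then the supplier's VEX statements filter the list down to findings that still need action. Component names and the VULN-EX-* identifiers are constructed placeholders.

```python
"""Added example, not code from Industrial Cyber or any vendor quoted in the article.
Matches an OT software inventory (SBOM) against a vulnerability feed, then applies
VEX statements so only findings that still need action remain. All component names
and VULN-EX-* identifiers are constructed placeholders."""

# Constructed SBOM for a fictional RTU firmware image: (component, version).
SBOM = [("openssl", "1.0.2"), ("busybox", "1.31"), ("monitoring-agent", "2.4")]

# Constructed vulnerability feed keyed by (component, version).
VULN_FEED = {
    ("openssl", "1.0.2"): ["VULN-EX-1", "VULN-EX-2"],
    ("busybox", "1.31"): ["VULN-EX-3"],
    ("monitoring-agent", "2.4"): ["VULN-EX-4"],
}

# Constructed VEX statements from the supplier, using the standard VEX status values
# (not_affected / affected / fixed / under_investigation) and a standard justification.
VEX = {
    ("openssl", "1.0.2", "VULN-EX-1"): ("not_affected", "vulnerable_code_not_in_execute_path"),
    ("openssl", "1.0.2", "VULN-EX-2"): ("affected", "patch pending from supplier"),
    ("busybox", "1.31", "VULN-EX-3"): ("fixed", "backported fix in this build"),
    # VULN-EX-4 has no VEX statement on purpose: it must not silently disappear.
}

NEEDS_ACTION = {"affected", "under_investigation", "unknown"}

def inventory_findings(sbom, feed):
    """Every vulnerability the feed reports for a component actually in the SBOM."""
    return [(name, ver, vid) for name, ver in sbom for vid in feed.get((name, ver), [])]

def apply_vex(findings, vex):
    """Attach the supplier's VEX status; a missing statement stays 'unknown'."""
    result = []
    for name, ver, vid in findings:
        status, note = vex.get((name, ver, vid), ("unknown", "no VEX statement"))
        result.append({"component": name, "version": ver, "vuln": vid,
                       "status": status, "note": note})
    return result

def prioritize(sbom, feed, vex):
    """Findings the asset owner must still act on, with the rest filtered out."""
    return [f for f in apply_vex(inventory_findings(sbom, feed), vex)
            if f["status"] in NEEDS_ACTION]

if __name__ == "__main__":
    for f in prioritize(SBOM, VULN_FEED, VEX):
        print(f"{f['component']} {f['version']}: {f['vuln']} [{f['status']}] {f['note']}")
```

Of the four reported vulnerabilities only two survive: the one the supplier marks affected and the one with no VEX statement at all, which is kept as unknown rather than dropped.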
“The overall level of supply chain security has not moved much in the past 12 months, regardless of the Executive Order,” according to Livingston of Verve Industrial. “The reality is these things take time to progress. First comes awareness, which is growing, but is still very low. Then comes identifying the real risk to them, evaluating which actions to take, and finally, taking actions. We would expect to see improvements at any scalable level starting by mid-2022.”
The Executive Order recommended modernizing the federal government’s approach to cybersecurity by adopting a ‘zero trust’ model that would increase visibility into threats while protecting privacy and civil liberties. Organizations need greater visibility into cyber risks related to their supply chains and ecosystem partners, including suppliers to third-party vendors, to have complete knowledge of the entire risk surface.
“Zero trust technology only works when you can clearly identify the parties communicating in a system,” Byres said. “For example, in an ideal system, a programmable logic controller (PLC) could assume zero-trust of all other devices on the OT network, except for a few cryptographically identified operator terminals. The challenge with Zero Trust concepts in the supply chain is that, until now, the industry has lacked a reliable way to confirm the identity and provenance of software (or its provider),” he added.
“Companies should aspire to zero trust – but we need to understand that in OT environments it will never be possible to achieve it 100%,” according to OTORIO’s Attar.
“OT environments are multi-generational and host a huge amount of devices. It will not be viable to ask every controller to constantly run verification and authentication processes,” he added.
“In OT, zero trust must be mainly applied to remote access connections – because here lies the most crucial risk. Without proper measures, once inside the OT environment, a user can have full access to the entire environment,” Attar said. “So in the OT, zero-trust should be used to grant outsiders (e.g. 3rd party service providers) access only to specific and relevant assets, in specific time frames, using specific protocols, etc.”
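A default-deny check for the scoped third-party access Attar describes, as an added example (not code from Industrial Cyber or OTORIO): each grant names a party, its permitted assets and protocols, and a time window, and a request is allowed only when all of them match. Party names, asset names and timestamps are constructed.

```python
"""Added example, not code from Industrial Cyber or OTORIO. Checks a third-party
remote-access request against explicit grants that name the asset, the protocol
and a time window, denying by default. Parties, assets and times are constructed."""
from datetime import datetime, timezone

def utc(y, m, d, h):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

# Constructed grants: a service provider gets only named assets, named protocols and a window.
GRANTS = [
    {"party": "pump-vendor", "assets": {"plc-pump-01"}, "protocols": {"ssh"},
     "start": utc(2021, 9, 1, 8), "end": utc(2021, 9, 1, 12)},
    {"party": "scada-integrator", "assets": {"hmi-02", "historian"}, "protocols": {"rdp"},
     "start": utc(2021, 9, 1, 0), "end": utc(2021, 9, 2, 0)},
]

def evaluate(party, asset, protocol, when_iso, grants=GRANTS):
    """Return (allowed, reason) for a request made at ISO-8601 time when_iso.
    Every condition must match one grant; anything not explicitly granted is denied."""
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        return False, "request timestamp lacks a timezone; refusing to compare windows"
    reasons = []
    for g in (g for g in grants if g["party"] == party):
        if asset not in g["assets"]:
            reasons.append(f"asset {asset} not in grant")
        elif protocol not in g["protocols"]:
            reasons.append(f"protocol {protocol} not allowed on {asset}")
        elif not (g["start"] <= when < g["end"]):
            reasons.append(f"outside window {g['start']:%Y-%m-%d %H:%M}-{g['end']:%H:%M} UTC")
        else:
            return True, f"{party}: {protocol} to {asset} permitted until {g['end']:%H:%M} UTC"
    return False, "; ".join(reasons) or f"no grant on record for {party}"

if __name__ == "__main__":
    for req in [("pump-vendor", "plc-pump-01", "ssh", "2021-09-01T09:00:00+00:00"),
                ("pump-vendor", "plc-pump-01", "ssh", "2021-09-01T13:00:00+00:00"),
                ("pump-vendor", "hmi-02", "ssh", "2021-09-01T09:00:00+00:00"),
                ("ad-hoc-contractor", "historian", "rdp", "2021-09-01T09:00:00+00:00")]:
        print(req, "->", evaluate(*req))
```

The returned reason is meant to be logged, so a denied request leaves a record of which condition (asset, protocol or window) failed.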
“The first thing we have to do is define what ‘zero-trust’ means. Right now, it is too often used as marketing speak that can mean whatever the vendor wants it to mean,” according to Livingston of Verve Industrial.
“If we define it strictly as ‘no operator is trusted to do anything on a device until some central authority approves it,’ then this is likely a very long way off for most critical infrastructure,” he added. “This is partly a technical issue of ICS systems, but mostly it’s a risk management issue. If an operator needed the approval to shut down various systems, it could lead to catastrophe in case of emergency. Think of the BP offshore rig made famous in the movie Deepwater Horizon,” Livingston added.
Shah said that implementing a Zero Trust framework in IT/OT is a great concept if it can be applied appropriately, but that it would require a large investment to ensure that OEMs and third- and fourth-party suppliers can provide these capabilities.
“The initial step in adopting Zero Trust is a relative cyber security investment that appeals to a consistent policy practice of ‘never trust, always verify,’” according to Shah. “This means protecting every wired and wireless network node to safeguard that all users, apps, software, hardware, and edge devices are validated. Arguably, the backdrop is complex — but there are consistent security practices that yield protection across all OT systems,” he concluded.