One year after SolarWinds attack, more needs to be done to boost cybersecurity in industrial sector


Exactly a year after the SolarWinds attack, in which suspected nation-state hackers gained access to the networks, systems, and data of thousands of SolarWinds customers, it is a moment of reckoning for the cybersecurity sector as it tries, sometimes unsuccessfully, to prevent new attacks.

The SolarWinds attack surfaced as several organizations reported breaches of their networks within a few days of each other. Security analysts filled in the gaps when they realized that the initial foothold into each of these companies was identical: a Trojanized update to SolarWinds’ Orion infrastructure monitoring and management platform.

The discovery of the SolarWinds attack began on Dec. 8, 2020, when cybersecurity firm FireEye said that they had fallen victim to a nation-state attack. The FireEye security team reported their Red Team toolkit, containing applications used by ethical hackers in penetration tests, was stolen.

The SolarWinds attack turned out to be one of the largest supply chain attacks on record; the attackers achieved it merely by placing malicious code into a new batch of software that SolarWinds distributed as an update or patch. The incident had an immediate and potentially ongoing impact on approximately 18,000 customers, spread across multiple sectors.

The attack led the industrial and manufacturing sector to accept that, as digital transformation advances and connected supply chains become global, new risks to reliability and availability emerge, making it necessary to manage the supply chain properly and work towards building cyber resilience.

Pointing out that the SolarWinds attack was a significant eye-opener for private, commercial, public, and government entities alike, cybersecurity expert Paul Veeneman said “that kind of visibility brought a concerted response at all levels of business and government.”

Recovery from the incident will require organizations that had SolarWinds deployments to take a comprehensive approach to continuous management, monitoring, deployment controls, test environments, and code analysis, prior to production implementation, Veeneman told Industrial Cyber. “This is largely in part due to the invasive and embedded nature of the SolarWinds attack compromising vulnerabilities within the software lifecycle and absence of robust DevSecOps.”

“It is critical to highlight that recovery goes well beyond SolarWinds, sounding the alarm to all organizations that policy, process, and software and/or system lifecycle controls need to be in place, sponsored by boards and executive management, performed by administrators and practitioners, adhered to by all personnel, and under continuous review and improvement as not only part of a cyber security program, but also a cyber resilience, risk management, and mitigation program,” Veeneman said.

Concrete progress is arguable beyond the push for software bills of materials (SBOMs) and increased awareness about the risks incurred by products bought or inherited, Ron Brash, vice president of technical research and integrations at aDolus Technology, told Industrial Cyber. 

“Formally, supply chain security falls under the third-party risk umbrella and there has been an inkling of awareness on the topic. However, I suspect at the moment, realized risks are very similar to what they were before SolarWinds for the majority of organizations. I see many of those same organizations still struggling to identify their assets and protect exposed infrastructure,” he added.

The SolarWinds attack did provide the critical infrastructure sector with an opportunity to recognize the lack of cybersecurity and cyber resilience awareness, posture, and preparedness that allowed the exposure and compromise of critical assets through exploited vulnerabilities.

The SolarWinds incident was not a typical frontal attack on critical systems, security boundary edge, or perimeter, Veeneman said. “This was a sophisticated insertion of malicious code into software updates that were downloaded and deployed by the administrators and operators of the on-premise SolarWinds systems…those individuals with the privileged and authorized access did all the work.” 

“There have been warning signs over the past decade with the ever-increasing scale of sophistication and impact of breaches and incidents, and only recently has attention been driven to Supply Chain Risk Management (SCRM) and Software Bill of Materials (SBOM) at a national level,” he added. 

Brash pointed out that most organizations now admit they are not infallible, peer reviews of code are not a panacea, and their assets or products could be used to attack another organization. “On the upside, we also learned that the groups responsible for SolarWinds did not have the operational capacity to attack every compromised host. We also learned that the patches provided to ‘fix’ the issue did not remediate the core issue because the affected infrastructure (if an afflicted package was installed) was rarely in a state to discern whether it was compromised or not.”

In most cases, a full teardown was required, Brash said. In addition, organizations also realized a complete redefinition of corporate policy was often necessary to decentralize asset management to reduce rapid cascading risks when the next SolarWinds-type event occurs, he added.

The SolarWinds incident changed how we view the industrial and information technology ends of manufacturing, Veeneman said. “Familiar to most these days are the discussions surrounding the domains of Information Technology (IT) and Operations Technology (OT). While the vast majority of OT or more specifically Industrial Control Systems (ICS), still functions with many of the open architecture systems, firmware, software, and protocols that have been in place for the past couple decades,” he added. 

There have been incremental innovations by vendors and manufacturers of ICS equipment in the marketplace, but generally, these components lack some of the basic authentication, authorization, and cyber security mechanisms, Veeneman added. 

Brash said that unfortunately, he believes that “end-user organizations swiftly refocused their procurement and third-party risk strategies (which is a good thing), but they chose to evaluate their suppliers on a periodic basis instead of expanding their security program for technical risk evaluation for current, and past assets.” 

Many products in their current asset portfolio and infrastructure implementations have backdoors, forgotten credentials or users, missing updates, and derelict or poorly maintained components, according to Brash. “So, the real lesson here is about organizations needing to tailor their risk towards reality and minimizing impacts,” he added. 

On the issue of whether the industrial and manufacturing sector has been able to put into place a ‘playbook’ that will help them better cope with such supply chain attacks in the future, Veeneman said that time will tell. “There is certainly a lot of positive momentum. The request and directive from the White House calling for the public-private partnership to address the cyber attacks and threats to critical infrastructure, industrial and manufacturing operations, and organizations has not gone unanswered.”

Aside from notable leaders like Microsoft, Amazon, and Google, countless organizations in the cyber security, cyber resilience, and technology marketplace have developed advanced and innovative solutions that can protect and secure critical systems within these OT production environments, according to Veeneman. Doing so requires capabilities outside traditional IT security to ensure the safety and reliability of the ICS systems and components that drive much of the nation’s manufacturing and critical infrastructure.

While there may not specifically be ‘the playbook,’ there is a starting point, spearheaded by CISA and other agencies, supported by the overwhelming amount of ICS and OT, and SCRM industry standards, compliance, and governance policy, process, and frameworks from both national and international organizations such as the International Society of Automation (ISA), the International Electrotechnical Commission (IEC), the National Institute of Standards and Technology (NIST), and the North American Electric Reliability Corporation (NERC) to name a few, Veeneman said. 

Brash said that in some instances, he believes “a far more structured strategy and corresponding capabilities has been considered, e.g. offshore drilling, aviation, agencies, and some sectors of government. But in other sectors, only those that are on the bleeding edge, or in fairly mature (or highly visible) industries are in a position to even begin the process to cope with these threats.” 

“The real work of re-organizing current infrastructures, mitigating risks in asset portfolios, and having the knowledge & procedures to limit impacts while responding is, ultimately, still evolving and highly fluid,” Brash added.

Moving over to the measures initiated by the federal government to mitigate and safeguard supply chain frameworks, one year after the SolarWinds attacks, Veeneman said that December 2020 and the time following was an interesting crossroads for the SolarWinds incident to take place. “Most significantly you had a change in the Executive Branch of government. New President, new policies, new directives, and changes at the White House precipitating some changes at the agency levels. Many times this level of change can derail initiatives and progress.”

However, there was a general consistency in focus that did not allow the critical state of affairs to become minimized or marginalized, Veeneman said. “What began with fact-finding and discovery, matured into Executive Orders with clear directives on cyber security, preparedness, resilience, and incident response. These directives became action and performance within agencies that are taking place every day,” he added. 

Brash sees the measures initiated by the federal government as necessary, slightly effective, but generally academic beyond putting in place the mechanisms to handle such a wide-scale alert/response capability.

“The Biden EO for SBOMs is a necessary part of a security-focused response, and same with NERC CIP 013, but much more needs to be done beyond enumerating issues or adding procurement requirements,” according to Brash. “Asset owners will need support beyond reporting incidents ASAP or bodies to evaluate the responses. OEMs will have a tough time retroactively providing updates, especially for code they don’t own, or for products they have acquired.”

The government measures have indeed created a much-desired platform for increased awareness, but unfortunately, technology and ownership is a complicated discussion at such a late stage in the game, Brash said. “So if we look at this as a staged marathon, we are still near the starting gate one year post-SolarWinds,” he added.
