What Industrial Control System Vulnerabilities Can Teach Us About Protecting the Supply Chain
Older technologies used in industrial and critical infrastructure leave the sector highly vulnerable to attack, but organizations can take steps to better protect themselves.
Over the past year, we saw many unpredictable challenges. To stay connected and keep things moving while adhering to social distancing restrictions, many organizations had to expedite their digital transformation initiatives. The industrial and critical infrastructure sectors are particularly vulnerable due to the older nature of the devices used in industrial control systems (ICS). Their increased attack surface leaves these organizations particularly susceptible to cyberattacks, specifically in the supply chain.
SolarWinds and the Supply Chain
Awareness of supply chain attacks has been steadily growing over the past decade as major security incidents became known. These include the 2013 Target security breach, in which the credentials for a heating and air conditioning vendor were stolen and used to access the retail giant’s network, or the 2017 NotPetya attack, in which several multinational corporations’ software updates were affected by ransomware, shutting down company technology and crippling business. The recent SolarWinds Orion software attack brought attention back to the vulnerable nature of the supply chain and the urgent need for increasing security measures at all stages.
Months after the SolarWinds breach was disclosed in December 2020, details about the full extent of the damage are still being uncovered. The affected product was incredibly widely used, making it quite difficult to pinpoint exactly how the breach happened. This stresses the need for increased visibility in all areas of the supply chain — in both information technology (IT) and operational technology (OT). The increasing convergence of IT and OT networks has contributed greatly to the susceptibility of the supply chain, while increased visibility in both areas could have raised awareness of the attack’s presence and the potential for preventing it.
Recovering From the Fallout
As we have yet to understand the full impact of the SolarWinds attack, recovering from it will be an ongoing process. Organizations and their security teams will tighten up policies and practices that they may have loosened in the past. There is growing pressure on the US government to take action to protect against a similar event. Even so, organizations that were and want to prevent being affected are increasing security measures and paying closer attention to the tools in their technology stack.
In addition to dealing with the fallout from the SolarWinds attack, organizations are still seeing effects from the COVID-19 pandemic. The increase in remote workers and delays in rolling out new equipment and upgrading existing equipment created security gaps. Ransomware attacks are also on the rise, specifically targeting critical infrastructure that cannot afford downtime caused by an attack and are therefore more likely to pay up. Attacks could come in the form of stealing sensitive data, malware, identifying valuable assets in the network, or even targeting specific equipment and operating systems.
Given these factors, we must pay special attention to the COVID-19 vaccine supply chain. Just as the pandemic shaped security risks in 2020, the vaccine supply chain’s susceptibility to attacks could shape security in 2021. So much time, money, and effort have gone into the vaccines’ development as well as their manufacturing and distribution plans. These organizations are facing an unprecedented level of criticality to ensure the reliability and safety of the product.
Protecting the Supply Chain
Given all the threats posed to supply chains, IT and OT security professionals must prepare themselves and their organizations to defend against the attacks that are likely to come in the near future.
One of the most important changes organizations can make to bulk up supply chain security is turning attention to the outside vendors and partners that have access to their internal systems. The first step is to identify how external partners gain access to internal systems and who is responsible for them. There should be continuous communication among security partners, vendors, contractors, and internal supply chain decision-makers to ensure complete visibility into systems.
Another important step is to maintain an asset inventory and invest in segmentation to maintain security for each asset individually. Our research found that 71% of ICS vulnerabilities disclosed in the second half of 2020 were remotely exploitable through network attack vectors. Segmenting out assets helps ensure that should one part of your asset inventory suffer a security breach, the rest will not be compromised.
A few other steps to ensure safety in the supply chain include implementing solutions to overcome specific OT security challenges, adhering to industry-specific Cybersecurity and Infrastructure Security Agency (CISA) recommendations, and ensuring your C-suite and executives are involved in industrywide initiatives that share operational concerns, solutions, and processes.
By learning from past attacks and taking the necessary steps, organizations will be prepared to navigate the changing ICS risk and vulnerability landscape for supply chains in 2021 and beyond.
Chen Fradkin is a security researcher at industrial cybersecurity company Claroty with over seven years of experience researching ICS and IT network security. She specializes in analyzing all components of network security, from protocols and topology to connected devices, as … View Full Bio