The SolarWinds attack has been in the news a lot lately due to the widespread scope of the attack, which went beyond one company or one specific target industry. The SolarWinds attack affected more than four-fifths of the Fortune 500 companies and hit virtually every major sector in the U.S. government and military.
This was more than a one-off cyberattack, and it’s only going to increase, according to Eric Byres, CEO for aDolus, in his presentation: “After the SolarWinds attack: What the SolarWinds fiasco tells us about the changing security landscape” at the ARC Advisory Group Forum, which was presented remotely via Zoom.
Nation-state-backed, multi-stage SolarWinds attack
The actors behind the SolarWinds attack, Byres said, were very professional and very well-organized in their attack. It was likely financed and backed by a nation-state, and they played the long game, initiating a multi-stage attack that lasted more than 18 months.
This kind of attack might seem like the kind of thing manufacturers might not have to worry about. It’s all information technology (IT), right? Not so, according to Byres. Operational technology (OT) has just as much, if not more, to worry about.
Industrial control systems (ICSs) and the supply chain, Byres said, are the next wave of cybersecurity threats. Supply chain attacks in these areas in 2020 were up 430% compared to 2019. This is not going to stop. Why? Because they’re effective.
Cybersecurity attacks that take advantage of trust
“They’re taking advantage of the trust we [industrial companies] have with our vendors,” Byres said.
Industrial control systems supply chains are easy targets. Many supply chains are a mix of different programs, codes and standards. Finding an exploitable weakness isn’t that hard because there are many potential gaps in the networks.
And like companies, the actors behind these attacks seek a good return on investment (ROI). Given the level of sophistication of the SolarWinds attack and the depth of the infiltration, it’s safe to say they got their money’s worth. Hitting a company’s supply chain and stealing information is no different.
It’s not like ICSs and the supply chain haven’t been a target before. Stuxnet was all about the supply chain and exploiting a particular weakness. In that case, it was stolen digital certificates, which underline the broader problem, according to Byres.
“There’s nothing wrong with digital certificates,” Byres said, “but they are being misused and misunderstood and being exploited. There’s more malware now than regular software. They’re not enough, and they need to be cleaned up.”
Cybersecurity cleanup: 3 software bill of materials needs
How can companies make their supply chain safer and help OT follow best practices? After all, this isn’t their field of expertise. They need all the help they can get. Byres likened it to a rich stew full of different ingredients. If the user doesn’t know what’s inside the stew, they won’t know how everything works together. This can be very confusing and overwhelming and may lead to mistakes. Clarity is needed in these cases.
Byres advocated a software bill of materials (SBOM), which is a nested inventory and a list of ingredients that make up software components. An SBOM, like a regular BOM, identifies and lists components, information about the components and the relationships between them.
Byres listed three things that are needed for SBOMs to work:
- Cloud-based aggregation.
- Machine learning for correlating multiple databases.
- Graph database technology for component association and tracking.
Software bill of materials benefits for cybersecurity
All that aside, why do manufacturers need software bill of materials to improve cybersecurity? What benefits can they provide to people on the OT side? Byres highlighted several points:
- For ICS vendors, they help track dependencies and component-based issues. They also help vendors track and detect evolving third-party security issues.
- For asset owners, they help create vulnerability and risk priority lists for deployed software.
- For security analysts, they provide critical threat-hunting info and give them information needed for malware hunting.
“We are going to see supply chain attacks as a regular problem,” Byres said. “For us to be on the road to a secure supply chain, we need vendors.”
Like so many other changes in the world, it’s a question of adapting and taking the preventive steps now rather than becoming the latest victim that ends up in the news.