The SolarWinds attack impacted more than 100 companies and federal agencies, according to U.S. government estimates. The ransomware strike on software provider Kaseya reportedly affected more than 1,500 companies — 60 or so direct customers and 1,500 downstream businesses. Unfortunately for those defending against cyber threat, supply chain attacks like these are not the future of cyber warfare; they’re very much the present.
The prevalence of supply chain attacks, where hackers target the weaker links in a supply chain network, such as third-party vendors who may not have strong cybersecurity practices, has been rising. And the reason is clear, said Eric Byres, CTO of aDolus Technology Inc. and a leading authority of software supply chain security. Why go after one company when you can go after one company that can potentially impact hundreds of others?
In mid-August, Byres sat down with us to discuss recent trends in cybersecurity, why supply chain attacks are so concerning and how software bills of materials (SBOMs) can help companies manage vulnerabilities. This is a transcript of Part 1 of his Expert Interview Series installment with Industrial Cybersecurity Pulse. It has been edited for clarity.
ICS Pulse: Let’s start with general trends in cyberattacks. What trends are you seeing, especially against industrial control systems (ICS)?
Eric Byres: I’ll start with just cyberattacks in general, and then whatever is going on in general cyberattacks ends up landing on the OT industrial systems plate pretty quickly. We’ve seen in the last year about a 430% increase in supply chain attacks. I suspect we’ll see the same next year, when this year wraps up. And then the other thing, of course, everybody’s noticing is ransomware attacks. The two combined is just a train wreck. It’s really a serious problem.
ICSP: What are the latest supply chain regulations, and how will they impact ICS companies?
Byres: Well, you mentioned the SolarWinds attacks, and that has certainly gotten the attention of the U.S. government. That drove the Executive Order 14028 that came out in May. What’s really interesting about that executive order — its intention is to improve the cybersecurity of the nation — is that most executive orders are pretty tiny. They’re like two pages. This was 18 pages of dense text, and at least 25 to 30% of it was around addressing supply chain attacks.
The reason is that the SolarWinds attack and other attacks we’ve been seeing like that really, really have started to concern the U.S. government. The thing about a supply chain attack is the attackers are attacking the weakest party in the link. So if you’re a large oil company, for example, you could have perfect security, do a fantastic job, but if just one of your suppliers is not holding up their part of the bargain, then you’re going to get attacked. And we’ve seen these attacks directly against the ICS market and providers. We’ve seen Tier 2 suppliers in Europe for ICS equipment get hacked and have their software that they’re distributing to, say, pharmaceutical companies trojanized so that as soon as the pharmaceutical company ends up loading this software that they think is legitimate, then all of a sudden, the bad guys have this foothold deep inside the industrial plant.
The first piece of regulation we saw coming out was this executive order. Now, executive orders are not legislation. They’re requirements for the government to follow. And it basically said, “Hey, if you’re going to supply anything to the U.S. government, you’re going to have to clean up your supply chain act and start making sure that your suppliers and the government can manage and understand what components are in a software package.” That’s the first one. But subsequent to that, we found a whole bunch of others that are starting to show up, as well.
ICSP: That seems like a new way you have to look at the cybersecurity of your company. It’s not just the product you’re selling; it’s all the other things that touch that product.
Byres: Yeah, it is a new way to look at it, and it’s come out of because the bad guys have been looking at it this way. They’ve been saying, “Hey, why go directly after the U.S. government? Let’s just go after one of their suppliers or one of their suppliers’ suppliers.” Recently, we’ve had this security incident occur with a very, very large supplier of an operating system that’s used heavily in the industrial space, called QNX. That company supplies a lot of the major OEMs (original equipment manufacturers) that we all know and love. But if you’re a purchaser of those PLCs and DCS (distributed control systems), you’ll have no idea that you’re running QNX. So when a vulnerability comes out, you just don’t know that you’re vulnerable, and you won’t patch it. You won’t know what to do.
The bad guys, however, they’ve got all these tools to attack. They’ll know, “Hey, that controller is running QNX. Therefore, there’s this QNX problem, this vulnerability. We can exploit it.” Unfortunately, the industry is very, very far behind the attacker. That’s the reason for the executive order. We’re seeing it in the power industry with the NERC CIP-013 supply chain regulations. We’re seeing it in related industries, like the medical industry. We’re seeing it in the aerospace industry. We’re seeing it in Europe. We’re seeing it in the Middle East, where the major companies, major asset owners and the governments are saying, “Hey, we’ve got to work together.” And that’s really what it’s about is providing this transparency so one supplier company’s problems don’t propagate right through the entire chain and make it a problem for a refinery or a pipeline.
We don’t need any more of these disasters like SolarWinds or Colonial Pipeline. And the only way we’re going to do that is by starting to understand everybody who’s playing when you buy software.
ICSP: How have companies been managing software supply chain risk, and what do they need to be doing going forward?
Byres: They haven’t been. Honestly, supply chain risk has generally been just right off the radar. The manufacturers of industrial equipment will tend to have a little bit more of a supply chain management plan, but usually it’s only one layer down. They know who they buy from, but they really don’t know who those suppliers buy from or where they get components. I know this firsthand because when I was working for Tofino, we sold Tofinos to all sorts of companies, like Honeywell and Caterpillar and Schneider. They knew they were buying from us, but they didn’t know what components we bought and put into those firewalls. And we didn’t know farther down the chain.
So the honest and sad answer is, until recently, supply chain management just was nonexistent in the software space, and this is a real game of catch-up going on right now.
ICSP: Does this feel like it’s going to be the next frontier of cyber warfare? Why hit one company when I can hit one company that will allow me to hit 100 companies.
Byres: Yeah, it’s not even the next; it is the frontier. We’re here now. Kaseya, I gave a talk a little while ago saying, “God help us if ransomware meets supply chain attacks,” because the ransomware people can just attack one company and get ransomware into 100 companies. And sure enough, Kaseya did that. That was the whole idea. Basically, taking advantage of one weak supplier of basically a network management package, and because all their customers trusted that they were getting good software, suddenly they were accepting what was effectively ransomware into their companies.
ICSP: How can companies that are trying to protect themselves against a supply chain attack get some visibility into the various components that are going into their systems?
Byres: That’s a great question. In fact, that’s the question that everybody was worrying about for the last few years, including myself. We’re saying, “Well, how are we going to clean this mess up?” I think we’ve all settled on something called a software bill of materials (SBOM). The software bill of materials is not that complicated. The idea is just like you can go and get a bill of materials on the parts in a piece of machinery, you can get a bill of materials on all of the components in a software package. You might even think of it as the ingredients list — just a nested ingredients list. I buy a can of soup. It’s tomato soup, and I want to know what the ingredients are. There’s a little water. There’s a little sugar. There’s a little tomatoes. There’s a little MSG. There’s a little whatever.
And then I can use those ingredients lists to make the informed decision of am I going to buy this soup? Am I going to eat the soup? What am I going to do? The same applies to software now. The idea is, OK, these are all the components in this soup — this software soup that I’ve just bought — an industrial controller or an HMI (human machine interface) or a data historian. What of those ingredients pose a risk to my operations, and then how do I prioritize that?
But the very first thing is what the U.S. government’s NTIA (National Telecommunications and Information Administration) describes as software transparency. Tell me what’s in the soup.
ICSP: You mentioned the executive order a few times. It obviously discusses software bill of materials. How much of an impact can an executive order have in curbing these sorts of supply chain attacks?
Byres: I think it can have a lot of impact. First of all, the U.S. government is a pretty big purchaser. They buy a lot of stuff. You don’t think about it in the industrial space, but every military base has extensive power management systems, extensive water management systems, fuel management systems. Often, they have manufacturing systems. So there’s a lot of ICS gear that the U.S. government buys. Ditto for dams, and ditto for water systems. So they’re a big customer. But beyond them being just a big customer, they sort of are setting the baseline.
For example, I’ve become aware of a large Middle Eastern oil company. They’re saying, “Wow, the U.S. government is going to demand better supply chain information from the ICS suppliers. Guess what we’re going to do?” And it’s going to be really hard for the majors — whether you’re Honeywell or Rockwell or Siemens or whoever — to say, “Yeah, we’ll only give that information to the U.S. government. I’m really sorry, major oil company, I’m not going to give it to you.” It’s just not going to happen.
There’s some pretty good evidence that once you have these certain minimum requirements set by the U.S. government, that becomes the floor for requirements right across the industry. We’re also seeing this happening in the financial industry. There was a really good talk a little while ago by the former chief scientists of Bank of America, talking about how, in the financial industry, if companies don’t supply software bill of materials with their software they’re supplying, then the banks consider that they are taking undue risk. Then, they’ll demand some sort of compensation, and the compensation can be better support, some sort of warranty against attacks, massive discounts.
So even though a lot of companies won’t be buying or selling to the U.S. government — or maybe it’s outside the U.S., Europe, etc. — I think what we’ve had happen here is the bar has been set. And I don’t think there’s going to be any going back. Companies will have to provide bill of materials information on the software and support around that so that their customers are not at risk.