Threat actors are always innovating and looking for new ways to exploit systems. One of the worrying trends in recent months has been the rise of supply chain attacks, where hackers target the weaker links in a supply chain network, such as third-party vendors who may not have robust cybersecurity practices in place.
The SolarWinds attack, which impacted everyone from Fortune 500 companies to government agencies, may have been the most high-profile example, but it is far from the only one. In July, a number of managed service providers and their customers also became victims of a supply chain-style ransomware attack when the REvil group hit software provider Kaseya.
So are supply chain attacks going to be the next frontier in cyber warfare? Not necessarily, said Eric Byres, CTO of aDolus Technology, but not for the reason you think.
“It’s not even the next; it is the frontier,” Byres said. “We’re here now. I gave a talk a little while ago saying, ‘God help us if ransomware meets supply chain attacks,’ because the ransomware people can just attack one company and get ransomware into 100 companies. And sure enough, Kaseya did that. … And that was the whole idea — basically, taking advantage of one weak supplier of a network management package, and because all their customers trusted that they were getting good software, suddenly they were accepting what was effectively ransomware into their companies.”
A supply chain cyberattack looks to inflict damage by targeting less secure elements in the supply chain. They’re especially insidious in the software industry because most companies don’t know — or don’t even know they need to know — which components go into making their commercial software packages. All the major manufacturers purchase components from third-party providers, so when buying the software, the company is, in essence, buying a product from every vendor in the supply chain. If one vendor has lax security, that can put everyone at risk.
Supply chain attacks are definitely on the rise. In the last year, there has been about a 430% increase in supply chain attacks, said Byres, and he suspects that trend line will be the same next year. Couple that with an alarming uptick in ransomware attacks, and no one is truly safe.
“The two combined is just a trainwreck,” Byres said. “It’s really a serious problem.”
The SolarWinds attack in late 2020 certainly caught the attention of the U.S. government, spurring the creation in May of Executive Order 14028 on Improving the Nation’s Cybersecurity. How concerned is the government about these kinds of attacks? While most executive orders are relatively short, this one ran to 18 pages of dense text, and much of it was about addressing supply chain risk.
“The thing about a supply chain attack is the attackers are attacking the weakest party in the link,” Byres said. “So if you’re a large oil company, for example, you could have perfect security, do a fantastic job, but if just one of your suppliers is not holding up their part of the bargain, then you’re going to get attacked. And we’ve seen these attacks directly against the ICS (industrial control system) market and providers. We’ve seen Tier 2 suppliers in Europe for ICS equipment get hacked and have their software that they’re distributing to, say, pharmaceutical companies, trojanized so that as soon as the pharmaceutical company ends up loading this software that they think is legitimate, then all of a sudden, the bad guys have this foothold deep inside the industrial plant.”
Of course, executive orders are not legislation; they’re requirements for the government to follow. The goal here is to start cleaning up the supply chain and ensuring the government can manage and understand what components are in software packages. It’s about working together and providing transparency so one supplier’s problems don’t propagate through the entire chain and make problems for, say, a refinery or pipeline. And it’s especially important to understand supply chain risk because threat actors do.
“They’ve been saying, ‘Hey, why go directly after the U.S. government? Let’s just go after one of their suppliers or one of their supplier’s suppliers,’” Byres said. “Recently, we’ve had this security incident occur with a very, very large supplier of an operating system that’s used heavily in the industrial space, called QNX. That company supplies a lot of the major OEMs (original equipment manufacturers) that we all know and love. But if you’re a purchaser of those PLCs (programmable logic controllers), you’ll have no idea that you’re running QNX. So when a vulnerability comes out, you just don’t know that you’re vulnerable, and you won’t patch it. You won’t know what to do.
“The bad guys, however, they’ve got all these tools for that attack. They’ll know, ‘Hey, that controller is running QNX. Therefore, there’s this QNX problem, this vulnerability. We can exploit it.’ Unfortunately, the industry is very, very far behind the attacker.”
Managing supply chain risk
The worrying trend is that most companies have done very little to manage software supply chain risk up to this point. Byres said manufacturers of industrial equipment tend to have somewhat more of a supply chain management plan, but usually it still only reaches one layer down.
“They know who they buy from, but they really don’t know who those suppliers buy from or where they get components,” Byres said. “I know this firsthand because when I was working for Tofino, we sold Tofinos to all sorts of companies, like Honeywell and Caterpillar and Schneider. And they knew they were buying from us, but they didn’t know what components we bought and put into those firewalls. And we didn’t know further down the chain. So the honest and sad answer is, until recently, supply chain management just was nonexistent in the software space, and this is a real game of catch-up going on right now.”
One of the big things companies can do to protect themselves and get some visibility into the various components going into their systems is to implement software bills of materials, or SBOMs. SBOMs are exactly what they sound like: a comprehensive list of all the components that make up a software package. Byres said it’s like the ingredients list on a can of soup. Once you know the ingredients that go into a product, you can make more informed decisions.
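To make the SBOM point concrete, here is an added example (not code from the article or from aDolus Technology) that walks a nested bill of materials and reports which components under a product match an advisory. It ties together two things Byres describes: a PLC buyer who has no idea an embedded OS is inside the product, and supplier visibility that reaches "only one layer down". The SBOM, component names, supplier names and advisory ID are all constructed placeholders; the layout loosely follows the CycloneDX idea of a component list plus a dependency graph keyed by bom-ref, but it is not a real CycloneDX document.

```python
"""Walk a nested software bill of materials (SBOM) and find which components
under a product are named in a vulnerability advisory.

Everything below is constructed sample data for illustration: the component
names, suppliers, versions and the advisory ID are placeholders, not real
products or real CVEs.
"""
from collections import deque

# Constructed SBOM: a product, its direct supplier component, and that
# supplier's own supplier (the "supplier's supplier" the article talks about).
SAMPLE_SBOM = {
    "components": [
        {"bom-ref": "plc-firmware@4.2", "name": "plc-firmware", "version": "4.2", "supplier": "ExampleOEM"},
        {"bom-ref": "net-stack@1.9", "name": "net-stack", "version": "1.9", "supplier": "TierTwoCo"},
        {"bom-ref": "rtos-kernel@7.0", "name": "rtos-kernel", "version": "7.0", "supplier": "OSVendor"},
        {"bom-ref": "tls-lib@3.1", "name": "tls-lib", "version": "3.1", "supplier": "CryptoCo"},
    ],
    # bom-ref -> list of bom-refs it depends on
    "dependencies": {
        "plc-firmware@4.2": ["net-stack@1.9", "tls-lib@3.1"],
        "net-stack@1.9": ["rtos-kernel@7.0"],
        "rtos-kernel@7.0": [],
        "tls-lib@3.1": [],
    },
}

# Constructed advisory with a placeholder ID (not a real CVE).
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "name": "rtos-kernel",
    "affected_versions": {"7.0"},
}


def components_by_ref(sbom):
    """Index the component list by bom-ref for O(1) lookup."""
    return {c["bom-ref"]: c for c in sbom["components"]}


def missing_refs(sbom):
    """Integrity check: dependency refs that have no matching component entry.
    An SBOM that passes this check is at least internally complete."""
    known = set(components_by_ref(sbom))
    referenced = {ref for deps in sbom["dependencies"].values() for ref in deps}
    referenced |= set(sbom["dependencies"])
    return referenced - known


def transitive_deps(sbom, root, max_depth=None):
    """Breadth-first walk from root. Returns {bom-ref: depth}, root at depth 0.
    max_depth=1 models a buyer who only knows their direct suppliers."""
    graph = sbom["dependencies"]
    depths = {}
    queue = deque([(root, 0)])
    while queue:
        ref, depth = queue.popleft()
        if ref in depths:
            continue
        depths[ref] = depth
        if max_depth is not None and depth >= max_depth:
            continue  # visibility stops here; do not expand further
        for child in graph.get(ref, []):
            queue.append((child, depth + 1))
    return depths


def affected_refs(sbom, advisory, root, max_depth=None):
    """(bom-ref, depth) pairs under root whose name and version the advisory names."""
    comps = components_by_ref(sbom)
    hits = []
    for ref, depth in transitive_deps(sbom, root, max_depth).items():
        comp = comps[ref]
        if comp["name"] == advisory["name"] and comp["version"] in advisory["affected_versions"]:
            hits.append((ref, depth))
    return hits


def report(sbom, advisory, root):
    """Human-readable lines contrasting one-layer visibility with the full SBOM."""
    comps = components_by_ref(sbom)
    shallow = affected_refs(sbom, advisory, root, max_depth=1)
    full = affected_refs(sbom, advisory, root)
    lines = [f"{advisory['id']} against {root}:"]
    lines.append(f"  direct suppliers only: {len(shallow)} affected component(s)")
    for ref, depth in full:
        lines.append(f"  full SBOM: {ref} from {comps[ref]['supplier']} at depth {depth}")
    return lines


if __name__ == "__main__":
    assert not missing_refs(SAMPLE_SBOM), "SBOM references components it does not list"
    print("\n".join(report(SAMPLE_SBOM, SAMPLE_ADVISORY, "plc-firmware@4.2")))
```

With the constructed data, the one-layer view reports nothing affected, while the full walk finds the vulnerable kernel two suppliers down. That is exactly the gap an SBOM is meant to close: the buyer can match advisories against components they never bought directly. The `missing_refs` check is worth running on any SBOM you receive, since a graph that references components it does not list gives the same false sense of coverage as no SBOM at all.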
The cybersecurity executive order mandates SBOMs for all software sold to the federal government. While this is just one step in a long journey toward improved national cybersecurity, Byres said he thinks it can have a big impact for two reasons. First, the U.S. government is a big purchaser. Second, its requirements can help set a baseline.
“There’s some pretty good evidence that once you have these certain minimum requirements set by the U.S. government, that becomes the floor for requirements right across the industry,” Byres said. “So even though a lot of companies won’t be buying or selling to the U.S. government — or maybe it’s outside the U.S., Europe, etc. — I think what we’ve had happen here is the bar has been set. And I don’t think there’s going to be any going back. Companies will have to provide bill of materials information on the software and support around that so that their customers are not at risk.”
In Part 2 of our interview with aDolus Technology’s Eric Byres, he will go into more detail about how companies can use SBOMs to improve their security and manage what is becoming an “avalanche of vulnerabilities.” And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.