The SolarWinds hack has been a major topic of discussion of late. The software is used to monitor applications and networks at thousands of companies and most importantly US Federal and State government departments and agencies. Orion SolarWinds is a common platform that provides IT-level management and performance monitoring functions. Orion products include network performance monitoring, server and application monitoring, network configuration management, and many other functions.
The attacker has been reported by the media to be the Russian advanced persistent threat (APT) group Cozy Bear, also known as APT29, the same group behind the 2016 DNC hack. Most recently, the group was cited as the force behind the theft of COVID-19 related vaccine data in July of 2020.
The SolarWinds attack first made it into the news after the successful breach of cybersecurity firm FireEye in early December, resulting in the theft of FireEye’s offensive, or “red team,” tools. Since then, other high-profile victims have been identified, including the US Department of State, DHS, the US Department of Commerce, and the US Treasury. Overall, the attack is estimated to have affected 18,000 Orion customers. FireEye has released its own report on the attack.
The CISA alert on the SolarWinds attack stated the attack poses: “A grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
The attackers have been in these compromised networks for months, and it could take many months more to eliminate them completely. Cybersecurity expert and Harvard Fellow Bruce Schneier stated the only way to ensure that a hacked sensitive government network is secure is to “burn it down and rebuild it.”
What is the impact at the OT level?
Most of the advisories and alerts issued by agencies like CISA and companies like FireEye emphasize the IT-level threats posed by the SolarWinds attack and its associated SUNBURST malware. However, SolarWinds can also be used to monitor network traffic at the operational technology (OT) level. For example, the SolarWinds network monitoring tool can monitor the performance of SNMP networks and devices, which are heavily used in applications like industrial and building automation.
The lines between IT and OT are blurring
The risks to the OT level should not be underestimated, even in what is largely characterized as an IT-level attack. FireEye, for example, recently called for a more holistic view of threats across both the IT and OT realms, since many attacks that affect the OT and ICS level are initiated in the IT world. Similarly, IT-level attacks can be mounted from the OT level, as we saw in the Target hack. Industrial IoT and edge-based systems are blurring the lines between IT and OT even further.
The importance of vetting third-party partners for cybersecurity
This was pretty clearly an attack mounted by an APT with access to nation-state resources, so it is unclear what end users could have done to prevent such an attack, given the resources and effort put into it. However, the incident does raise the important issue of vetting third-party service and software providers for their own cybersecurity practices. The SolarWinds attack is a supply chain hack, reaching from SolarWinds’ own servers into customer organizations. The malware was “deployed as part of an update from SolarWinds’ own servers,” according to this analysis from SANS, which also warns that supply chain compromises will continue and are extremely difficult to defend against.
Cyber risk associated with a “single pane of glass”
The SolarWinds platform is a “single pane of glass” approach that provides a unified environment for monitoring and improving the performance of networks and applications throughout an enterprise. Part of the reason the attack was so successful was SolarWinds’ reach across a huge swath of the IT infrastructure. To monitor applications and networks, the platform requires access to a broad range of networks, applications, and assets.
By compromising SolarWinds, attackers were able to gain equally broad access. This underscores the importance of evaluating and continuously reevaluating the cybersecurity posture of your suppliers and partners, particularly those that offer broad-ranging solutions that incorporate diverse data sources across the enterprise.
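One practical consequence of the two points above (the platform's SNMP path into OT networks and the breadth of access a compromised monitoring server inherits) is that the monitoring server's traffic toward OT assets is worth watching on its own. The following is an added example, not code from the article or from SolarWinds: it applies a simple expectation to constructed flow records, namely that OT devices are polled only by the one authorized monitoring server, only over SNMP, and only with read-style PDUs. The monitoring server address, OT subnet and the flow records are all assumptions constructed for the example; in practice the records would come from a firewall, flow collector or network sensor between the IT monitoring platform and the OT segment.

```python
"""Added example: flag OT-bound traffic a monitoring-only platform should not generate.

All addresses and flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumptions for the example: one authorized monitoring server and one OT subnet.
MONITORING_SERVER = ipaddress.ip_address("10.1.50.10")
OT_SUBNET = ipaddress.ip_network("192.168.100.0/24")
SNMP_PORT = 161

# SNMP PDU types a read-only monitoring deployment is expected to send.
READ_ONLY_PDUS = {"get", "get-next", "get-bulk"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    pdu: str  # SNMP PDU type as decoded by the sensor, or "" for non-SNMP traffic


def classify(flow: Flow) -> Optional[str]:
    """Return an alert string for the flow, or None if it matches expected behaviour."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst not in OT_SUBNET:
        return None  # only OT-bound traffic is in scope for this check
    if src != MONITORING_SERVER:
        # OT devices should only be polled from the monitoring platform
        return f"unexpected source {flow.src} -> {flow.dst}:{flow.dport}"
    if flow.dport != SNMP_PORT:
        # the monitoring server has no business on other OT services
        return f"monitoring server reaching {flow.dst} on non-SNMP port {flow.dport}"
    if flow.pdu == "set":
        # a SET changes device state; a monitoring-only deployment should never send one
        return f"SNMP SET from monitoring server to {flow.dst}"
    if flow.pdu not in READ_ONLY_PDUS:
        return f"unrecognised SNMP PDU {flow.pdu!r} to {flow.dst}"
    return None


def scan(flows: List[Flow]) -> List[str]:
    """Run classify() over a batch of flows and return the alerts in order."""
    return [alert for f in flows if (alert := classify(f)) is not None]


# Constructed sample traffic (not real observations).
SAMPLE_FLOWS = [
    Flow("10.1.50.10", "192.168.100.21", 161, "get"),       # normal poll
    Flow("10.1.50.10", "192.168.100.21", 161, "get-bulk"),  # normal poll
    Flow("10.1.50.10", "192.168.100.22", 161, "set"),       # write toward an OT controller
    Flow("10.1.50.10", "192.168.100.23", 445, ""),          # SMB from monitoring host into OT
    Flow("10.1.22.7", "192.168.100.21", 161, "get"),        # poll from a non-monitoring host
    Flow("10.1.22.7", "10.1.22.8", 161, "get"),             # IT-only traffic, out of scope
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

The check is deliberately narrow: it does not try to detect the compromise itself, only the moment a compromised "single pane of glass" starts behaving differently from a monitoring tool. Restricting the platform's SNMP credentials to read-only on the devices, and its network path to the SNMP port, turns the same expectation into an enforced control rather than just an alert.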
– This article originally appeared on ARC Advisory Group’s website. ARC Advisory Group is a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.