Supply chain attack insights
- Supply chain attacks are a force multiplier. Your organization can have excellent cybersecurity, but if you’re working with vendors that don’t, you’re still at risk.
- Supply chain attacks often halt production, resulting in a cost increase that gets passed along to the market.
- The downstream impacts of supply chain attacks can take years to play out. Many think we still haven’t seen the entire impact of the SolarWinds attack.
Supply chain attacks are proliferating at a rapid rate because they offer threat actors a great deal of bang for their proverbial buck. All it takes is one third-party vendor with poor cybersecurity hygiene, and thousands of companies could be at risk. That’s one of the reasons supply chain attacks and ransomware can be such a toxic mix.
John Deskurakis, chief product security officer at Carrier, and Tony Turner, vice president of Fortress Labs with Fortress Information Security, discussed how to protect against supply chain attacks and offered viewpoints from two very different perspectives — manufacturing and security — in this partial transcript from the May 6, 2022, RCEP PDH webcast (archived for one year), “How to Protect Against Supply Chain Attacks.” And check out Part 1 of their discussion on why supply chain attacks create such a target-rich environment.
This article has been edited for clarity.
ICS Pulse: Colonial Pipeline was a supply chain attack that also involved ransomware. Why is ransomware particularly toxic in the supply chain?
Tony Turner: Especially when you look at the prevalence of the software side of the supply chain issues. A lot of times, we think specifically [about] the compliance-related issues around hardware blacklists for hardware providers. When you look at the likelihood of these attacks, software was the most credible way to get these attacks into our environments. Obviously, ransomware is delivered through software-related issues. The other piece that occurs to me, and what we’ve seen with a lot of our own customers, is [it’s] not that the attack is directly against the organization.
A lot of times, the attack is against the upstream organizations, and you may have a lower maturity. You may have all the right controls in place inside your company, but if your suppliers don’t, and they’re getting phished, the downstream impacts are just as severe as if you got ransomware. This connectivity between susceptibility of the supply chain and the risks of business interruption that are foundational to why we’re doing all this cybersecurity stuff in the first place makes this extremely, extremely attractive to the adversary. The force multiplier effect means that I can create a huge amount of downstream attack effects and apply a whole lot of pressure on [the] entity I’ve just ransomwared.
John Deskurakis: When it comes to ransomware, particularly what jumps out in my mind, [and] what makes it especially problematic for industry, is the idea that production can and does halt as a result, as we saw in the Colonial Pipeline. What can happen is, if it’s part of the supply chain, and the downstream supplier, the manufacturer may have been the vector for the attack point, they’re going to halt things so they can identify and stop the issue. But what that does downstream is it causes cost escalation. [During] the Colonial Pipeline, we saw the price of gas across the country was suddenly rising. A lot of people attributed one to the other, and rightfully so.
But in the manufacturing space, the cost of goods out in the market are going to increase as a result of some sort of an attack factor inside of the supply chain that needs to be corrected. Who knows how long it takes it to get corrected while you’re dealing with someone that’s ransoming a part of your critical system. Even if you get that part remediated, a responsible manufacturer supplier is not going to stop there. They’re going to look at all other parts, because they’re going to assume “If we were vulnerable there, we might be vulnerable elsewhere to something similar. Let’s make sure we really have it covered.”
From the manufacturer perspective, what I always think when [it comes to] ransomware is that the force multiplier talk will halt production, and then there will be a cost increase that the market gets burdened with as a result. Which is why you find some companies almost willing to negotiate and get the problem removed so they can move forward.
Turner: I think there are kind of two pieces to this. There’s the external dependency factor for upstream suppliers, but there are also internal dependencies that we need to be cognizant of. Colonial Pipeline is a good example of where an internal dependency ultimately created the impact of a flow down to our downstream customers. It was the operational technology (OT) environments that were essentially shut down to stop the flow. But it wasn’t, at least from what we have gathered, impacts for Colonial that caused them to shut off the flow.
When we really think about these issues, we have to also look at the interdependency, especially between our information technology (IT) and OT environments. A lot of times, those downstream OT impacts ultimately create cyber physical impact consequences for our customers and other downstream consumers of these things. A lot of times, even though it’s an OT-related impact, it’s [actually] an IT-related event that caused all of this downstream stuff to occur.
Deskurakis: Part of the problem is the long game. I think back to the Supermicro discussion from some years ago. Sometimes an exploit or vulnerability can get embedded into the supply chain years in advance and then create problems later. Not that that was a ransomware issue, but I think about it more [in terms of the] long-term effects. It seems like ransomware is becoming a popular attack today.
A few years ago, folks were embedding things within the supply chain so that they could steal data or spy on something or some group, but it’s starting to become a little bit of a different conversation. It feels like the longer something can be embedded inside of the supply chain unnoticed, it can proliferate all across the ether in a way that it becomes very difficult to respond to once that issue becomes revealed to the market.
ICS Pulse: Are there any examples of that that you are concerned about? [Anything] you’ve dealt with where you think that some attack or exploit is proliferating into the market, or has proliferated into the market, that’s made it difficult to deal with on the back end?
Turner: Absolutely. I don’t track those concerns as directly related to ransomware as I do some of the other pernicious attacks. For instance, SolarWinds. I think there’s a lot of folks in critical infrastructure that feel we have still not seen the downstream impacts of the SolarWinds attack. The vulnerabilities in Log4j, and the exploitation that happened out of Log4j, [are] widespread and deeply embedded. Just because an event happened in 2020 or 2021 doesn’t mean that the impact is going to be felt right away. Our adversaries could just be gaining a foothold and biding their time for further action down the road.
Deskurakis: Log4j was an interesting one in the manufacturing space. Especially [with] a company as large as mine, where we have hundreds of large product lines and really thousands of components. What we found out quickly was that one for one, it wasn’t that difficult to remediate the Log4j problem in a single system. But when you’re operating on a massive scale, and that particular file is sitting in thousands of different places — hundreds of thousands of places for us — it’s very complicated to put that genie back in the bottle. That was a bigger problem for us in terms of the proliferated attack.
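The scale problem Deskurakis describes, one instance of log4j-core being easy to fix while hundreds of thousands of copies are not, is first of all an inventory problem: before anything can be remediated, every copy has to be found, including the ones bundled inside application archives where a file-name search never looks. The scanner below is an added illustration written for this article, not code from the webcast, Carrier or Fortress. It walks a directory tree, opens every jar/war/ear, recurses into nested archives, identifies log4j-core by the Maven descriptor it ships with, records the version and whether the JndiLookup class is still present, and flags anything below a policy threshold. The threshold of 2.17.1 and the sample deployment it builds in a temporary directory are assumptions constructed for the example; adjust the threshold to your own patch policy.

```python
"""Estate-wide inventory of bundled log4j-core copies (added example, not from the webcast)."""
import io
import os
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven descriptor shipped inside every log4j-core jar; its "version=" line is authoritative.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal was one common interim mitigation; reported for triage only.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inspect_archive(zf, location):
    """Yield one finding per log4j-core in zf, recursing into nested archives (fat jars, wars, ears)."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
        yield {"location": location, "version": version, "jndi_lookup_present": JNDI_CLASS in names}
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # a file that merely has an archive suffix; skip it
            yield from inspect_archive(inner, location + "!" + name)


def scan_tree(root):
    """Walk root, open every archive, and return all log4j-core findings sorted by location."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, os.path.relpath(path, root)))
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["location"])


def needs_attention(finding, minimum=(2, 17, 1)):
    """Policy check: an unknown version or anything below the assumed minimum needs follow-up."""
    if finding["version"] is None:
        return True
    return parse_version(finding["version"]) < minimum


def build_sample_estate(root):
    """Construct a tiny fake deployment under root (constructed data, not real artifacts)."""
    def make_log4j_bytes(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
        return buf.getvalue()

    os.makedirs(os.path.join(root, "app1", "lib"))
    with open(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_log4j_bytes("2.14.1"))
    os.makedirs(os.path.join(root, "app2"))
    with open(os.path.join(root, "app2", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(make_log4j_bytes("2.17.1"))
    # A fat jar that bundles log4j-core inside itself: the copy a file-name search would miss.
    os.makedirs(os.path.join(root, "app3"))
    with zipfile.ZipFile(os.path.join(root, "app3", "service.jar"), "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.12.1.jar", make_log4j_bytes("2.12.1"))
        zf.writestr("BOOT-INF/lib/other-lib.jar", b"not an archive")  # exercises the BadZipFile path


def run_demo():
    """Build the sample estate, scan it, and return (all findings, findings needing attention)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_estate(root)
        findings = scan_tree(root)
    return findings, [f for f in findings if needs_attention(f)]


if __name__ == "__main__":
    for finding in run_demo()[0]:
        print(finding, "-> attention" if needs_attention(finding) else "-> ok")
```

Run against a real tree, the output is a list of locations such as `app3/service.jar!BOOT-INF/lib/log4j-core-2.12.1.jar`, which is exactly the level of detail an estate of thousands of product lines needs to turn "it is everywhere" into a prioritized work queue.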