As the year 2020 drew to a close, cyberattackers demonstrated their skills in one of the potentially largest infiltrations in years. The attackers managed to compromise the Orion software update system of SolarWinds and to send out “trojanized” updates. The backdoor installed on infected networks waited at least two weeks before contacting its command and control systems, which helped the intruders evade detection. The most high-profile victims so far are US governmental institutions, but the attack affects enterprises and governments on a global level.
One thing is for sure: it will take a while to get a picture of what information the attackers harvested and what they left behind inside the occupied systems. The full magnitude of the attack and its purpose are still unknown, but it does not look good. On January 4th, ZDNet condensed this to “The more we learn, the worse it looks”.
The impacts of attacking software suppliers
What makes this case so interesting is that it is a so-called supply-chain attack. Here, the ultimate target is not the first victim (i.e., the incident does not start in the target's own network) but is reached through a supplier's product already present in that network. Even worse in this case: the attackers targeted a supplier of software security infrastructure.
For the adversaries, this brings a minimum of two advantages:
- They can avoid the potentially higher security standards of their victims (one can assume these are rather high for companies like FireEye, Microsoft or the US government).
- Their attack scales easily (SolarWinds themselves reported around 18000 customers as potentially compromised), and they can extend their reach by using the infiltrated system as an entry point for further stepping-stone attacks.
While many articles describe the magnitude and significance of this attack, they mostly fall short of proposing solutions to better protect against similar events in the future. If at all, they address it from a political dimension, around questions of attribution and the condemnation of state-actor cyberattacks.
What companies must do
There are, however, also actions companies themselves should undertake to increase their resilience. The challenge of ensuring the required level of cybersecurity throughout the entire lifecycle as well as across the complete supply chain is not new. It might not have gotten the attention it needs, though, with other topics in cybersecurity being hyped (like Zero Trust, which is an important lever for more cybersecurity inside companies but would not have prevented the SolarWinds case). Taking a progressive approach to one's supply chain security is necessary because of the networked nature of today's digital world: everything is becoming interconnected and digitally networked. The digital economy requires interconnection. This development also means that the opportunities for cyberattacks are increasing. A digital enterprise constantly expands its attack surface as its business grows.
One thing is certain: it is the operator's responsibility to ensure that they achieve the desired operating result. The operator thus bears the final responsibility for the cybersecurity of their IT and OT landscape. Supply chain attacks such as Sunburst / Supernova are fundamentally difficult to avoid, and their effectiveness will make them even more sought-after attack vectors in the future. Zero Trust does not offer a solution here; on the contrary, it might even be counterproductive, because it leaves us with only apparent security. The key will be in trust building, traceability in the supply chain and collaboration, with a particular role also falling to the cybersecurity industry to advance its current strategic view and its culture.
Acknowledging their responsibility for cybersecurity, organizations must look beyond their own environment and install proper 3rd party risk management. This means evaluating which suppliers they deem critical – network monitoring solutions should most probably be among them. Then, it is on the buying entity to roll out ambitious supply chain cybersecurity requirements to suppliers. This serves to ensure a minimum level of cybersecurity (and, for critical suppliers, a higher level). In the case of SolarWinds, their cybersecurity posture has at least been called into question. It also involves capacity building on the side of the suppliers. One such approach is proposed by the Charter of Trust, which Kai has helped to conceive. It includes clear risk-based requirements for said supply chain parties and extensive capacity building.
In the event of a failure / successful attack, it is important to be able to isolate affected components in the system very quickly and as automatically as possible and to be able to keep sufficient data material for forensics – so that harmful components can be identified immediately and damage limitation can take effect more quickly.
asvin, which is led by Mirko, has for example introduced a blockchain ledger that records the history of the installed software for each IoT device and also captures the supply chain of deployment, auditor, delivery, installation and operation. With this you can, for example, automatically and immediately track whether software was installed on a controller (e.g. via a SolarWinds API) and whether this happened before or after the known date of the hack (the GitHub password release). By analyzing the ledger, you can automatically filter such components and then initiate countermeasures.
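The audit-trail idea described above, as an added illustration that is not asvin's code and not the project's ledger format: a minimal hash-chained install ledger in Python, a tamper check over the chain, and a query that filters entries installed through a given update channel at or after a cutoff date. All device ids, component names, timestamps and the cutoff date are constructed placeholders (the article names no date), and the source label `solarwinds-update-api` is a made-up channel name.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime

GENESIS_HASH = "0" * 64

# Placeholder cutoff, NOT the real compromise date: the article gives none.
CUTOFF_PLACEHOLDER = "2020-03-01T00:00:00+00:00"


@dataclass(frozen=True)
class LedgerEntry:
    device_id: str
    component: str
    version: str
    source: str        # which channel pushed the install (update API, portal, ...)
    installed_at: str  # ISO 8601 timestamp with UTC offset
    prev_hash: str     # hash of the previous entry; this is what links the chain
    entry_hash: str    # SHA-256 over all other fields


def _digest(payload: dict) -> str:
    """Canonical SHA-256 of an entry's fields (sorted keys, so field order cannot alter the hash)."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode("utf-8")).hexdigest()


def append_entry(ledger, device_id, component, version, source, installed_at):
    """Append an install record whose hash also covers the previous entry's hash."""
    payload = {
        "device_id": device_id,
        "component": component,
        "version": version,
        "source": source,
        "installed_at": installed_at,
        "prev_hash": ledger[-1].entry_hash if ledger else GENESIS_HASH,
    }
    entry = LedgerEntry(**payload, entry_hash=_digest(payload))
    ledger.append(entry)
    return entry


def verify_chain(ledger) -> bool:
    """True only if every entry's hash matches its fields and links to its predecessor."""
    expected_prev = GENESIS_HASH
    for entry in ledger:
        fields = asdict(entry)
        stored_hash = fields.pop("entry_hash")
        if entry.prev_hash != expected_prev or _digest(fields) != stored_hash:
            return False
        expected_prev = stored_hash
    return True


def installs_from_source_since(ledger, source, cutoff_iso):
    """Entries whose install came through `source` at or after the cutoff timestamp."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    return [
        e for e in ledger
        if e.source == source and datetime.fromisoformat(e.installed_at) >= cutoff
    ]


def tamper_version(ledger, index, new_version):
    """Copy of the ledger with one entry's version field altered but the stored hashes
    left untouched, i.e. an edit that would go unnoticed in a plain, unchained log file."""
    copy = list(ledger)
    copy[index] = replace(copy[index], version=new_version)
    return copy


def build_sample_ledger():
    """Constructed sample records; every value here is made up for the illustration."""
    ledger = []
    append_entry(ledger, "plc-001", "monitoring-agent", "2019.4",
                 "solarwinds-update-api", "2020-02-15T09:30:00+00:00")  # before cutoff
    append_entry(ledger, "plc-002", "monitoring-agent", "2020.2",
                 "solarwinds-update-api", "2020-06-10T14:05:00+00:00")  # after cutoff
    append_entry(ledger, "gw-007", "firmware", "3.1.0",
                 "vendor-portal", "2020-07-01T08:00:00+00:00")          # other channel
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", verify_chain(ledger))
    for e in installs_from_source_since(ledger, "solarwinds-update-api", CUTOFF_PLACEHOLDER):
        print("review / isolate:", e.device_id, e.component, e.version, e.installed_at)
    print("tampered chain intact:", verify_chain(tamper_version(ledger, 0, "0.0.0")))
```

The query returns only `plc-002`: it received software through the suspect channel after the cutoff, so it is the device to isolate and examine first, while `plc-001` (before the cutoff) and `gw-007` (different channel) are left alone. The hash chain is what makes the trail usable for forensics: changing any stored field after the fact, as `tamper_version` does, breaks `verify_chain`, so the record of what was installed, when and from where cannot be quietly rewritten.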
Collaborate and automate
What may sound simple in theory turns out to be a complex and costly undertaking in practice. In the context of integrating third-party components, it is not only the cybersecurity functionality provided that is relevant, but also, significantly, the underlying development, manufacturing, support and maintenance processes. Securing this digital infrastructure requires a cooperative, not competitive, mindset among governments and businesses at all levels, and all along international supply chains.
Whatever can be automated along the process should also be automated. Supply chain attacks will grow in scope and size, and manual processes will not be sufficient to keep up.
Cybersecurity industry has a particular responsibility
The Sunburst and Supernova attacks have shown one more thing in particular: the cybersecurity industry needs to rethink its own position and strategy for defense. Cybersecurity is already complex, and the cybersecurity industry is propagating ever more complex solutions, for example by adding artificial intelligence for intrusion analytics. There is a real danger that this complexity of cybersecurity products will lead to a rapidly expanding attack surface. Currently, there seems to be a certain form of hubris:
- The belief that introducing more technology can solve the growing cybersecurity threats
- Linear thinking applied to complex, interconnected cybersecurity challenges
- Too little importance attached to the social aspects and the human factor of cybersecurity
Our industry needs awareness of its very own responsibilities: being especially trustworthy suppliers, leading with our own security aspirations and excelling in implementing them. This is much more than a technical challenge.
We need a cultural change in the cybersecurity industry to manage future threats: the realization that diverse and inclusive organizations are better at recognizing risks, better at selecting strategic options to mitigate them, and more successful in implementing approaches that work (for themselves AND for their customers).
In summary, the SolarWinds case is the biggest threat to digital value creation and ecosystems we have seen in a long time. To safeguard our digital value creation, organizations must advance their approach to 3rd party risk management, supplier accountability and collaboration. They must also invest in audit trail transparency and instant reaction capabilities. And for the cybersecurity industry: we need to invest in a culture aware of our own responsibilities, leading on trustworthiness and execution – driven by diverse and inclusive organizations.
The stakes are high: it concerns how we secure the digital world, and hence also make the real world a better place.
Mirko Ross is an activist, expert, speaker, publicist and researcher in the field of cyber security and the Internet of Things. At the age of 14, he began investigating vulnerabilities in IT systems. Instead of a career as a hacker, he founded his first company, focusing on Internet software development. Mirko is also active in international committees and research projects in the field of cyber security and blockchain technologies. He is closely associated with the positive hacker attitude and the maker movement and promotes non-profit projects in the field of Open Data and IT education. In 2018 he founded asvin.io, with the aim of increasing cyber security for the Internet of Things.
Kai is an expert in digital transformation, cybersecurity, trust in digital technologies, and leadership within this space. For technology to serve its purpose, he believes trust in tech is a prerequisite. At Siemens, he demonstrates in practice how to transform and build trust by leading the “Charter of Trust”, a global initiative of 17 Fortune 500 companies collaborating to strengthen the security of the digital space.