Building greater industrial cyber resilience following Nobelium supply chain attacks
Supply chain attacks once again grabbed headlines following Microsoft’s disclosure that Nobelium attackers were attempting to reach networks through a different part of the supply chain: resellers and other technology service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers. With these threats resurfacing periodically, it is indispensable for industrial and manufacturing organizations to intensify their efforts and build industrial cyber resilience.
The complex nature of supply chain attacks is further exacerbated by the potentially long delay between the introduction of a vulnerability and its exploitation. In addition, the use of legacy OT and industrial control systems (ICS) deepens the ‘black hole,’ as these digital systems could contain widespread vulnerabilities. While some of these security flaws may be known but unpatched, others remain unknown and undiscovered until an adversary breaches the systems.
The Nobelium hackers are said to be the same Russian hacking group behind last year’s cyberespionage campaign, which surfaced last December and targeted SolarWinds, the company’s customers, and other organizations in the U.S. and around the world. Supply chain attacks were also carried out by the REvil hackers on software firm Kaseya in July this year, which led to a large number of managed service providers being affected.
These repeated occurrences demonstrate that the connected environment is far from safe and that there is an urgent need for industrial and manufacturing organizations to build and strengthen industrial cyber resilience. In light of the Nobelium hacks, organizations are forced to adopt additional measures as they correlate and map elements of their industrial cyber resilience plans with those of their resellers and other technology service providers.
Chuck Brooks, president of Brooks Consulting International and adjunct faculty at Georgetown University, highlighted that an industrial cybersecurity framework should incorporate mapping of the control systems, communication flows, and all connected devices in the network, especially from third parties in the supply chain. “Encryption of data flowing from sensors and segmentation of OT would also enable better industrial cyber resilience. Any industrial cybersecurity plan should also prioritize intelligence sharing, public-private sector collaboration, and incident response plans,” Brooks told Industrial Cyber.
Incident response is key because there is always a likelihood of a breach. Organizations need to ensure that they have real-time, on-the-scene intelligence and operational alarms to relay critical information to the appropriate response personnel, according to Brooks. “The ability to disconnect industrial OT from IT and the internet and continue to operate should be a part of any incident response. What works in cybersecurity IT may pose risk to OT cybersecurity where patching may not be an option. Assigned roles and training on how to respond to a breach need to be incorporated into incident response planning too, to enable readiness and resilience,” he added.
Now that Nobelium hackers have shone a spotlight on the fertile (and generally unprotected) hunting grounds of the software supply chain, cybersecurity teams are moving to reduce the risks posed by third and fourth-party providers, Rod Campbell, CEO of aDolus Technology, told Industrial Cyber.
“The days of blindly installing software or firmware provided by a trusted vendor are over. Industrial asset owners should be demanding SBOMs (software bill of materials) from their vendors as a bare minimum so they can see what hidden subcomponents they’re introducing into their environments,” Campbell said. “They need to know the risk profile, or trustworthiness of all software subcomponents, as well as the vendors providing them. This intelligence is important to prevent the introduction of dangerous code in the first place, but it’s also key to incident response by providing transparency,” he added.
OT/ICS environments across many verticals and critical infrastructure do have remote third-party connections for a variety of services, including maintenance and diagnostics, Ben Miller, vice president of professional services and R&D at Dragos, told Industrial Cyber. “The NOBELIUM attacks outlined by Microsoft give a realistic playbook to how such a supply chain attack would look,” he added.
Microsoft said that the Nobelium attackers have not attempted to exploit any flaw or vulnerability in software, but have fallen back on well-known techniques like password spray and phishing to steal legitimate credentials and gain privileged access.
The requirement for basic cyber-hygiene never diminishes and the industrial sector must take extra heed of that reality because of the stakes involved, Brooks said. Those who seek to infiltrate critical infrastructure and exfiltrate data will always explore the easiest way first. Unfortunately, most of the time that approach works, he added.
Brooks also recommended that industrial cybersecurity preparedness follow basic cyber-hygiene, including strong passwords and multi-factor authentication by employees. “This should be accompanied by an Identity Access Management policy that only allows access to networks and data by delegated users who are monitored. Some of the other basics include prompt updating and patching of networks, operating systems, and devices, segmented backup of critical data, and regular training of employees to recognize and help mitigate phishing attacks,” he added.
Attackers use well-known techniques like password spraying because sadly they still work, Campbell said. “The industrial sector can start by enforcing proper password policies as described by NIST 800-63B. These guidelines focus on making passwords both secure and usable by human beings. So forget about frequent password resets, bespoke composition rules, and other hoops that just encourage people to create weak passwords. It’s more important to make them long, and memorable,” he added.
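To make Campbell’s point concrete, here is an added example (not code from the article or from aDolus) of a password check that follows the NIST SP 800-63B approach he describes: length and blocklist screening only, with no composition rules or expiry. The blocklist and the context-word list are constructed stand-ins.

```python
import unicodedata

# Constructed stand-in blocklist (not from the article). A real deployment
# would screen against a large list of breached and commonly used passwords.
BLOCKLIST = {"password", "123456", "qwerty", "welcome1", "letmein", "summer2021"}

MIN_LEN = 8   # 800-63B minimum for a memorized secret
MAX_LEN = 64  # verifiers must accept at least 64 characters

def check_password(candidate, username="", context_words=()):
    """Return (ok, reason) following NIST SP 800-63B section 5.1.1.2:
    length is the only composition requirement, but the value is screened
    against a blocklist and context-specific words such as the username."""
    pw = unicodedata.normalize("NFKC", candidate)  # normalize before length checks
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    folded = pw.casefold()
    if folded in BLOCKLIST:
        return False, "appears on the blocklist of common or breached passwords"
    for word in (username, *context_words):
        if word and word.casefold() in folded:
            return False, f"contains context word '{word}'"
    # Repetitive ("aaaaaaaa") or purely sequential digits ("12345678") are rejected too.
    if len(set(folded)) == 1 or folded in "0123456789" * 2:
        return False, "repetitive or sequential characters"
    # Deliberately no uppercase/digit/symbol rules and no periodic reset:
    # 800-63B advises against both; length plus blocklisting carries the policy.
    return True, "ok"
```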
Miller said that asset owners need to focus on understanding what they have in their environment and where the most risk is. “Many of the asset owners’ cyber security programs do not know where or if they have remote third party access, as an example. Gaining this visibility is important to understand or identify when credentials are being abused within OT/ICS environments,” he added.
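Miller’s point about spotting abused credentials, together with the password-spray technique Microsoft described, is illustrated by this added example (not code from the article, Dragos or Microsoft), which flags a spray pattern in a constructed authentication log. The log format, the TEST-NET addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article); assumed format is
# "<ISO timestamp> OK|FAIL user=<name> src=<ip>". 203.0.113.7 cycles through
# many accounts with one guess each (a password spray); 198.51.100.9 is one
# user mistyping a password, which must not be flagged.
SAMPLE_LOG = """\
2021-10-25T08:00:01Z FAIL user=alice src=203.0.113.7
2021-10-25T08:00:14Z FAIL user=bob src=203.0.113.7
2021-10-25T08:00:27Z FAIL user=carol src=203.0.113.7
2021-10-25T08:00:40Z FAIL user=dave src=203.0.113.7
2021-10-25T08:01:06Z OK user=frank src=203.0.113.7
2021-10-25T08:02:00Z FAIL user=grace src=198.51.100.9
2021-10-25T08:02:12Z OK user=grace src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def parse(log):
    """Yield (timestamp, result, user, src), skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_spray(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source that touches >= min_users distinct accounts inside one
    window while making <= max_per_user attempts per account (low and slow).
    Returns {src: {"users": [...], "compromised": [accounts that got OK]}}."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(log):
        by_src[src].append((ts, result, user))
    findings = {}
    for src, events in sorted(by_src.items()):
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            attempts = defaultdict(int)
            for _, _, user in in_win:
                attempts[user] += 1
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                hits = sorted({u for _, r, u in in_win if r == "OK"})
                findings[src] = {"users": sorted(attempts), "compromised": hits}
                break  # one finding per source is enough for triage
    return findings
```

Calling `detect_spray(SAMPLE_LOG)` returns the spraying source with the accounts it touched and the one it succeeded on, which is the list an OT responder would use to force resets and review sessions.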
With the looming threat from Nobelium hackers, industrial and manufacturing environments are having to quickly re-calibrate organizational industrial cyber resilience.
Brooks says that it is entirely feasible. “The frameworks already exist, cyber-hygiene is not a costly endeavor, and the Department of Homeland Security and other government agencies are willing partners to help organizations recalibrate cyber resilience.”
He also pointed towards “a plethora of proven readiness monitoring tools available on the market to procure and orchestrate among other security solutions. Utilizing the cloud and hybrid clouds can also provide viable options for consolidated and managed security at a faster pace.”
Vulnerabilities associated with aging industrial infrastructure and reliance on legacy systems need immediate attention, but perhaps the biggest challenge is still the mindset of the leadership, Brooks said. “Security is still too often looked at as an afterthought by many organizations. The risks for an industrial security organization not to recalibrate could be catastrophic,” he added.
For many industrial and manufacturing organizations, specifically those doing business with the federal government, the clock started ticking back on May 12, 2021, when Executive Order 14028 outlined very ambitious timeframes for improving the nation’s cybersecurity, Campbell said. “Debating whether or not it is feasible is almost moot. It has to happen. Even for companies outside the jurisdiction of the federal government, the writing is on the wall. The key to responding quickly is to take advantage of tools and technologies already in place,” he added.
The threat is real, the challenges are real, according to Miller. “That said, I wouldn’t be reactionary and asset owners need to be thoughtful in their approach. They have to measure safety with cybersecurity and gain visibility into their environments to make them defensible. This is a challenge of not just the right technology but also the right people and processes,” he added.
A July report by the EU Agency for Cybersecurity (ENISA) on the threat landscape for supply chain attacks found that in about 58 percent of the supply chain incidents analyzed, the customer assets targeted were predominantly customer data, including personally identifiable information (PII) and intellectual property. The study also identified that for 66 percent of the supply chain attacks analyzed, suppliers did not know, or failed to report, how they were compromised, ENISA said.
Brooks said that the ENISA report is not surprising but is alarming. “Supply chain bolstering efforts can be done with employing innovative technologies that gain visibility in the supply chain via monitoring of access points and network vulnerability analysis. Artificial intelligence and machine learning tools can provide visibility and predictive analytics, and steganographic and watermark technologies can provide tracking of products and software,” he added.
One big remedy for fixing supply chain vulnerabilities is heightening government and industry collaboration on protecting supply chains, according to Brooks. Several initiatives are already in process.
Campbell pointed out that again the obvious starting point for visibility into supply chain risks is the provisioning of SBOMs. “Just look at the incident with Blackberry and their failure to announce key vulnerabilities in their QNX OS beyond their immediate customers. OEMs shipping products with embedded QNX had no idea they were propagating vulnerabilities. But they would have known if Blackberry had provided SBOMs,” he added.
Asset owners need to gain better insights into what is occurring within their OT/ICS environments, Miller said. “Additionally, many OT/ICS environment security controls often atrophy over time without governance and continual testing. Assessing both perimeter and internal security controls is important to not fall prey to opportunistic attacks,” he added.