Recent SolarWinds Breach: A Warning of the Perils to Critical Infrastructures (PART 1)

The supply chain breach of SolarWinds, discovered in mid-December 2020, is changing cybersecurity as we know it. SolarWinds develops software that businesses use to manage their networks, systems, and information technology (IT) infrastructure. The breach is called a supply chain attack because SolarWinds is a supplier of critical software to a large number of customers: the attackers compromised the SolarWinds Orion IT monitoring software with a Trojan malware program, which then reached customers through the normal software update channel. The significance of this attack is that the malware was leveraged to compromise the networks of those customers, multiplying the resulting damage. In supply chain attacks it is difficult to estimate the extent of the damage and to contain it, so a breach of a company such as SolarWinds means that its customers face imminent threats to critical software and systems, with potentially devastating implications for their stakeholders. This differs from traditional attacks, which usually target individual companies, institutions, or assets, and whose impact is therefore contained.

Many government institutions and businesses have been affected by the SolarWinds breach, including the U.S. Departments of the Treasury, Commerce, Homeland Security, and Energy, as well as the Pentagon, the Postal Service, and the National Nuclear Security Administration. Microsoft has also reported that some of its intellectual property (IP), specifically source code, was accessed by the attackers. The list of affected institutions is long and, more importantly, they have undergone, and are still undergoing, one of the most potentially devastating cyber breaches to date. The damage is still being investigated and evaluated, and it will take time to know its real extent.

Future Attacks are Poised to be Massive and Affect Every Industry

Not long ago, cyberattacks mostly targeted specific assets, institutions, or businesses, and they were limited in scope. The list of perpetrated cyberattacks is long; the following is a short, representative sample.

Shamoon. In 2012 the Shamoon modular computer virus was used to target the Saudi government by damaging the state-owned national oil company Saudi Aramco. Shamoon was destructive: it overwrote hard drive data with a corrupted image and reported the Internet addresses of infected computers back to a control computer inside the company’s network. The malware contained a logic bomb that triggered the wiping of the master boot record and the data on the hard drives at a time chosen to cause the most damage with the lowest probability of detection. The attack involved some 30,000 Saudi Aramco workstations and the company spent a week restoring its services.

Stuxnet. Stuxnet, a malicious computer worm discovered in 2010 (with variants dating back to 2007), was used to gain access to the industrial networks and programmable controllers that drive the motors of uranium enrichment centrifuges in Iran. The control software was modified to subject the centrifuges to a speed profile that made them inoperable, destroying much of Iran’s uranium enrichment capability and dealing a major blow to its nuclear program.

Subway. In 2012 hackers cracked the passwords of, and gained administrative access to, the point of sale (POS) workstations of Subway sandwich shops. They then installed software programs called keystroke loggers (or sniffers) on the POS systems. These programs recorded and stored all of the data that was keyed into or swiped through the merchants’ POS systems, including customers’ credit card data. The perpetrators broke into POS terminals at more than 150 Subway restaurant franchises and stole data on at least 146,000 accounts.

Jeep Cherokee. In 2015 security researchers took remote control of a Jeep Cherokee, a vehicle manufactured by Chrysler, through its internet-connected entertainment system (the head unit). From the head unit they were able to issue cyber-physical commands affecting the dashboard functions, steering, brakes, and transmission, wirelessly from a laptop that could have been across the country. All of this happened while the vehicle was travelling on a highway at 70 miles per hour.

The above attacks caused various types of damage spanning several impact factors: privacy, operational, financial, and safety. The Shamoon attack was clearly destructive and affected the targeted organization both operationally and financially. Stuxnet was also destructive, designed to cause malfunctions in many centrifuges and thus halt the operation of the uranium enrichment plant. The Subway attack affected the financial and privacy interests of customers and the restaurant chain, while the Jeep Cherokee attack affected the safety of the vehicle and its occupants.

The SolarWinds breach does not fit any of the above categories because it is of a different nature: it is a supply chain attack, and as such it can serve as the launching point for a large number of more focused, targeted attacks of any combination of the above types. As the SolarWinds breach has demonstrated, isolated attacks on individual targets like the ones described above are no longer the norm. Supply chain attacks begin by exploiting a vulnerability at the supplier, for example by inserting a malware program into software the supplier distributes, and then use that foothold to compromise the networks, servers, and other systems of everyone who receives the software, extending the attack far beyond the initially compromised resource. Supply chain attacks therefore have the potential to affect a large number of institutions and companies, which may in turn be suppliers to other institutions or companies, so the impact cascades through multiple levels or layers of the supply chain.
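The multilevel cascade described above can be made concrete by modelling the supplier-to-customer relationships as a graph and asking which organizations are reachable downstream of a single compromised supplier. The following Python example is added here for illustration; it is not part of the original article and has nothing to do with the real SolarWinds customer list. The organization names and the supply graph are constructed, and the functions `blast_radius` and `affected_by_depth` are hypothetical helpers written for this example.

```python
from collections import deque

# Constructed supplier -> customers graph with hypothetical organization names
# (not drawn from the SolarWinds case). Each key supplies software to the
# organizations in its list; a customer may itself be a supplier to others.
SUPPLY_GRAPH = {
    "vendor-A": ["msp-1", "agency-1", "bank-1"],
    "msp-1": ["hospital-1", "utility-1"],
    "utility-1": ["city-1"],
    "bank-1": ["retailer-1"],
    "agency-1": [],
    "hospital-1": [],
    "city-1": [],
    "retailer-1": [],
}


def blast_radius(graph, compromised):
    """Return {org: depth} for every organization reachable downstream of the
    compromised supplier. Depth 0 is the supplier itself, depth 1 its direct
    customers, depth 2 their customers, and so on. Breadth-first search with a
    visited set, so cycles in the graph (mutual suppliers) terminate."""
    depth = {compromised: 0}
    queue = deque([compromised])
    while queue:
        org = queue.popleft()
        for customer in graph.get(org, []):
            if customer not in depth:
                depth[customer] = depth[org] + 1
                queue.append(customer)
    return depth


def affected_by_depth(graph, compromised):
    """Group affected organizations by the number of supplier hops separating
    them from the initial compromise, so the indirect exposure (depth >= 2),
    which the compromised vendor never had as a customer, becomes visible."""
    by_depth = {}
    for org, d in blast_radius(graph, compromised).items():
        by_depth.setdefault(d, []).append(org)
    return {d: sorted(orgs) for d, orgs in sorted(by_depth.items())}


if __name__ == "__main__":
    for d, orgs in affected_by_depth(SUPPLY_GRAPH, "vendor-A").items():
        print(f"depth {d}: {', '.join(orgs)}")
```

In the constructed graph, compromising `vendor-A` reaches three direct customers, but also three organizations at depth 2 and one at depth 3 that never dealt with `vendor-A` at all. That indirect tail is what makes the extent of a supply chain attack hard to estimate from the supplier's own customer list.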

One way to improve the cybersecurity culture of an organization is to establish processes that facilitate and empower the organization to do everything a good cybersecurity culture requires. In the automotive domain this is stated as an explicit requirement: “The organization shall ensure the persons within the organization that are involved in assuring cybersecurity of vehicles possess the cybersecurity competences and awareness to fulfil their responsibilities.” One way of meeting this requirement is to attend training programs, courses, or seminars.

GLOMACS is Offering a New Training Course on “Cybersecurity Monitoring, Event Management, and Incident Response in Intelligent Transportation Systems”

Participants in this GLOMACS training course will:

  • Enhance their analytical and problem-solving skills through participation in breakout exercises
  • Learn how to analyze the cybersecurity of the Intelligent Transport Systems (ITS) infrastructure
  • Be able to apply cybersecurity techniques to implement resilience and strong defenses
  • Learn how to perform cybersecurity risk assessments for their organization
  • Improve the cybersecurity of their organizations
  • Develop cybersecurity plans including those for monitoring, event management, and incident response

Although the training course focuses on Intelligent Transportation Systems, many of its concepts and methodologies are generic and can be applied to other IT and OT areas. As a result, participating organizations will become more adaptive and improve their cybersecurity while continuing to serve stakeholders and the public at the highest level.

READ PART 2
