In 2020, cybercrime constituted 1% of the global GDP.
Following the Colonial Pipeline ransomware attack in early 2021, cybersecurity is on everyone’s minds - especially utility providers.
New to utility cybersecurity? Review the basics.
Basic “cyber-hygiene” - firewalls, anti-virus software, and multi-factor authentication - are often conflated with full cybersecurity. However, this neglects an urgent vulnerability: the software supply chain.
In a 2018 survey of senior IT, 66% reported a software supply chain attack. In fact, the high-profile WannaCry and NotPetya hacks - which affected 25% of utility professionals - are both attributed to supply chain vulnerabilities.
The average cost of such an attack: $1.1 million. Though the federal government is mobilizing in response to this growing threat, utilities must work to secure the software supply chain on their own behalf. Complying with federal standards, like NERC’s CIP-013, isn’t enough.
To face the next wave of cybercrime, utilities must…
- Pursue a Software Bill of Materials (SBOM) in all software procurement
- Invest in a thorough cyber supply chain risk management plan (C-SCRM)
- Collaborate closely with vendors, security consultants, and the government
- Build a culture of security, transparency, and clear communication
The software supply chain is vulnerable, and utilities must take the lead in securing it.
The Software Supply Chain is Vulnerable
Going upstream: A new cybersecurity frontier
In the past, cybercriminals would search for software vulnerabilities and then strike before the issue could be patched. Now, frustrated by improved cybersecurity, hackers are directing efforts upstream - targeting software’s fundamental building blocks.
This is the danger presented by open-source and third-party software.
To save time and expense, developers draw on open-source components as they develop complex programs. Proprietary components, exclusive to a vendor, are a small percentage of the end product. In fact, 90% of components in completed software are open source.
In other words, the majority of a product came from someone else. Yet, organizations often don’t have access to a list of these components: limiting their understanding of what is (and isn’t) supported by third parties.
Making matters worse, 11% of open-source product components have known vulnerabilities.
Cybercriminals actively seek out these vulnerabilities in order to insert malware into the pipeline.
- In 2020 alone, Sonatype reported a 430% year-over-year growth in cyberattacks targeting open-source software products.
- According to a 2020 DevSecOps Community survey, one out of five developers endured an open-source related breach.
As digital transformation requires more software, and that software grows increasingly complex - cybercriminals have more avenues for attack.
4 Vulnerabilities in the Software Supply Chain
Cybercriminals may launch an assault at any stage in the software supply chain.
The Cybersecurity and Infrastructure Security Agency (CISA) has identified four areas where security is a concern:
1. Development environment
A cybercriminal can…
- Plant malware directly into the product
- Steel data from the vendor
2. Management of third-party software components during development
A cybercriminal can…
- Plant malware in open-source components
- Trick a developer into using a hacker’s malware instead of trusted open-source software
- Leverage an unknown vulnerability in an open-source component
3. Deployment to users
A cybercriminal can…
- Tamper with the completed software before it reaches your business
- Access your network directly by stealing a vendor’s credentials
4. Transmission of updates and patches
A cybercriminal can…
- Insert malware by hijacking an update or pretending to be a patch.
These cyber threats aren’t theoretical. The slew of recent high-profile attacks has prompted utilities and the federal government to make cybersecurity a priority.
In the news: High-profile supply chain attacks
Target Data Breach (2013)
Hackers used an HVAC vendor’s credentials to break into Target’s network and access customer data, including bank, credit card, and other personal information.
Equifax Data Breach (2017)
Equifax didn’t patch a known vulnerability in its system and hackers gained access to personal information, including Social Security numbers, for 147 million consumers (56% of Americans). Equifax paid $700 million in a settlement.
CCleaner is a program that deletes unnecessary and malicious files from a computer, cleaning up the device. However, hackers planted malware into free versions of the software, likely affecting over 2 million users.
The WannaCry ransomware attack, like NotPetya, targeted the EternalBlue exploit in Microsoft Windows machines. WannaCry affected approximately 230,000 computers and cost organizations $4 billion globally.
Secura researchers discovered a vulnerability in Microsoft’s NETLOGIN protocol, allowing a hacker to establish domain administrator privileges. This severe risk underscores the importance of promptly installing patches and updates.
Amnesia:33 is the name assigned to 33 zero-day vulnerabilities found in software libraries, likely affecting millions of devices.
Operation Dragonfly (2014, 2017)
Dragonfly, a group of hackers, attacked entities using industrial control systems (ICS), a global hack that affected over 1,000 energy companies in North America and Europe.
Delta Airlines Data Breach (2017)
Hackers gained access to millions of customers’ data, including credit card information, through a compromised chatbot on Delta’s website. The AI company behind the chatbot hadn’t implemented adequate cybersecurity.
NotPetya disrupted systems globally by targeting Microsoft Windows machines, shutting down systems or installing ransomware. It used the EternalBlue exploit, among other vulnerabilities.
Operation ShadowHammer (2018)
Cybercriminals stole legitimate ASUS certificates and sent malware to nearly 1 million customers. Barium, the group responsible, also conducted Shadowpad, a 2017 supply chain attack that affected hundreds of organizations globally.
Hackers compromised SolarWinds, an IT software company, and added malware to an update installed by 18,000 customers, including the Department of Energy, Microsoft, and Cisco.
Microsoft Exchange Breach (2021)
HAFNIUM, a cybercriminal group, used zero-day exploits in Microsoft Exchange servers to steal data and access networks - affecting hundreds of thousands of entities globally.
A troubling picture for supply chain cybersecurity
Organizations understand that software supply chain attacks are rising. Crowdstrike’s 2018 survey of IT professionals highlights the problem’s scope:
- 66% reported a software supply chain attack
- 90% of those attacked suffered financial impact
- 1 in 6 had paid ransom after a software supply chain attack in the last year
Despite these troubling trends, many IT professionals aren’t taking sufficient action to secure their organizations.
Though 90% recognized they were at risk of a supply chain attack, only one third of the IT professionals actually vet software suppliers.
The Ponemon Institute, in a 2018 study on data risk from third parties, highlights a similar disconnect between awareness of third-party threats and tangible remediation of the problem.
59% of IT practitioners confirmed their organizations experienced a data breach through one of their third parties, while 76% observe cybersecurity incidents from vendors is increasing.
- Only 37% report they have sufficient resources to handle third-party risks
- Only 39% regularly brief boards of directors on the effectiveness of their third-party management program and potential risks
- Only 35% describe their third-party risk management program as “highly effective”
- 57% don’t know if their vendor safeguards are enough to prevent a breach
Slow response times
For many high-profile supply chain attacks and vulnerabilities, the solution is prompt detection and remediation. Often, this involves a quick software patch or update.
When a weakness is discovered, a race begins between cybercriminals and security experts. Developers must generate a solution and IT must install the patch - shoring up the system before a hacker gets in.
However, according to a 2020 report by Sonatype, 48% of developers became aware of open-source vulnerabilities within a week’s time, and 51% required more than a week to respond.
If a cybercriminal can exploit a zero-day vulnerability in 3 days, they have an edge over the majority of their targets.
Likewise, IT professionals averaged 63 hours to remediate a software supply chain attack.
Securing a system depends on third-party developers and in-house IT, but the response times for both are concerning.
Poor vendor visibility and security
To protect against software supply chain attacks, it’s essential that organizations ensure third-party security and track vendor software and access.
You can’t respond to a vulnerability or breach if you don’t know it exists, and organizations depend on vendors or third parties to develop patches. That said, only 29% of IT professionals say that they’d be contacted by a third party if a data breach occurred.
Unfortunately, it’s dangerous to trust that vendors will self-police.
In a 2020 webinar, Tobias Whitney of Fortress Information Security observed that among the 150 most common vendors and suppliers to the Bulk Electric System:
- 19% don’t require multi-factor authentication for remote access to internal networks
- 32% don’t maintain a logging and monitoring program
- 17% don’t require background checks for all employees
- 33% of information security policies aren’t mapped to an industry-recognized framework
Utilities need comprehensive cybersecurity solutions and pursuing a Software Bill of Materials (SBOM) with vendors is an important first step.
SBOM’s Crucial Role in Secure Software Procurement
What is an SBOM?
A Software Bill of Materials details key information for each software component within a platform, including:
- Author name
- Supplier name
- Component name
- Version string
- Component hash
- Unique identifier
Dr. Allan Friedman, who leads the Cybersecurity Initiatives at the National Telecommunications and Information Administration (NTIA), compares an SBOM to the nutrition facts and ingredients on a food label.
With an SBOM, you can see what’s actually entering your system.
SBOMs offer a variety of benefits:
- Transparency when purchasing software
- Support for developers as they create patches
- Simplified scanning for new vulnerabilities
According to the NTIA, an SBOM can “save hundreds of hours in the risk analysis, vulnerability management, and remediation processes.”
SBOMs can have multiple levels of visibility.
For instance, a first-level SBOM may be more realistic initially: detailing every software component, without requiring documentation on the foundational pieces creating those components.
Tom Alrich, a proponent of SBOMs in cyber supply chain risk management, argues that a first or second-level SBOM should be sufficient for cybersecurity, at least initially.
Resources for Identifying Vulnerabilities
If you would like to learn more about SBOMs, NTIA is a leader in the energy sector’s adoption of SBOMs and an excellent resource.
The MITRE Organization, supported by CISA, provides a database of CVEs. A CVE is a record of a specific software vulnerability. For example, each of the Ripple20 vulnerabilities has a corresponding CVE.
Another tool for identifying vulnerabilities in your software is NIST’s National Vulnerability Database.
The Software Engineering Institute at Carnegie Mellon University maintains information on vulnerabilities.
You can scan your software with Nessus, which will help identify vulnerabilities.
The Path Forward: Securing the Cyber Supply Chain
As cybercriminals target the software supply chain, critical infrastructure providers should adopt a proactive approach and implement strong cyber supply chain risk management (C-SCRM).
Though C-SCRM is now a NERC requirement for moderate and high-impact bulk electric cyber systems (BCS), a robust C-SCRM shouldn’t be exclusive to BCS. After all, every organization faces threats to the cyber supply chain.
To understand C-SCRM, it’s helpful to understand risk management broadly: risk management is the identification, assessment, and prioritization of risks within an organization along with the procedures to mitigate them.
C-SCRM applies these concepts to the cyber supply chain and can be distilled into five practical steps.
5 Steps for Effective C-SCRM
1. Know your software and vendors
As you develop a C-SCRM, it’s important to remember a common adage among cybersecurity experts: you can’t protect what you can’t see.
A thorough audit may be necessary to identify all the software, firmware, and hardware across your organization in both IT and OT. You can then compile a list of your vendors and other relevant third parties.
If you don’t identify these assets, you can be confident cybercriminals will.
A good first step, once you’ve completed an audit, is to request an SBOM for your software. Even though an SBOM isn’t yet required, many vendors understand that they likely soon will be.
With SBOMs, you can then search for known vulnerabilities, determine whether you’re using unsupported software, and map out the lifecycle and ownership of each software component.
2. Assess & rank critical infrastructure risks
With the vast size and scope of critical infrastructure networks, addressing each and every risk is unrealistic. That’s why assessing and ranking those risks is vital.
Where can a cybercriminal cause the greatest damage? Focus your efforts there first.
Not all zones in a network are created equal, and not all software has the same permissions or capabilities. Knowing this hierarchy will help you direct resources where they’re most needed.
NERC recommends asking the following questions:
- Does the software require an Internet connection?
- Can the system be reached by an internal network user in a different department?
- How directly can the system be reached by an external attacker?
- What would be the impact if the system failed (went offline or was disabled)?
- What would be the impact if the system mis-operated?
- What secondary systems are connected or reachable from the primary system? How critical are they?
- Where do the system’s inputs come from and how trustworthy are those inputs?
- Does the software require or run with administrative privilege?
- How trustworthy is the software?
After asking these questions, you may decide to limit the access of some software. Either way, it’s wise to watch for unusual activity.
3. Maintain high security standards for vendors
If your vendors and software are vulnerable, you’re vulnerable - so it’s essential to understand how your vendors will be…
- Protecting their own infrastructure
- Ensuring the integrity of their software and patches
- Protecting your data and network credentials
- Notifying you of software vulnerabilities or breaches
- Scanning their own software, preparing patches, and securely conveying those patches
- Safely incorporating open-source and third-party software into their products
Even though vendors aren’t directly managing critical infrastructure, you should hold their cybersecurity to the same high standard as your own.
At the simplest level, this should include basic cyber hygiene: anti-malware, multi-factor authentication, data encryption, trust zones, firewalls, background checks, staff training, and response plans. Remember, a chatbot company’s failures in these areas led to the Delta Airlines data breach in 2017.
But as cybercriminals become more sophisticated, many organizations are embracing a more rigorous Zero Trust Architecture, which assumes a breach has already occurred and carefully monitors all traffic within the networks.
As you assess current or potential vendors, take steps to understand their cybersecurity by providing vendors with a questionnaire and negotiating security requirements in your contract.
If you’re unsure what to ask of your vendors, CISA provides a thorough template.
4. Partner with vendors to develop cybersecurity policies and protocols
According to Utility Dive’s 2021 State of the Electric Utility (SEU) Survey Report, only 55% of electric utility professionals have systematic and prompt patching of their systems.
On the development side, only 73% of known vulnerabilities are closed or remediated.
To secure the supply chain, software procurement can’t be a single exchange. You’re not buying software; you’re buying into a relationship that’ll continue as long as you’re using their products.
- The Utilities Telecom Council advises establishing clear and consistent communication with your vendors about potential threats. Detecting and resolving a software vulnerability requires visibility and shared threat intelligence.
- Understand your vendors’ policies, protocols, and response plans, so you can create complimentary processes in your own organization.
- Consider coordinating with vendors for supply chain “war games” to test your plans and refine your response times.
5. Collaborate: Industry partners, other sectors, and government
Visibility into assets, vendors, and threats is essential to C-SCRM. To address cyber threats effectively, critical infrastructure providers need robust threat intelligence feeds.
A threat intelligence feed provides data on cybercrime and potential vulnerabilities.
According to a 2021 Ponemon Institute survey of IT professionals...
- 50% of cyberattacks could be foiled with timely and actionable intelligence
- 38% of cyberattacks succeeded because IT lacked timely and actionable data
Collaborating with your vendors goes a long way, but don’t neglect industry partners, other sectors, and the federal government.
When cybercriminals attacked the Colonial Pipeline, Colonial didn’t contact the Cybersecurity and Infrastructure Security Agency (CISA). Instead, Colonial informed the FBI, who then reached out to CISA.
Critical infrastructure providers must share information on attacks and vulnerabilities for the sake of network and asset integrity. It’s a joint effort, and everyone needs to be onboard.
Resources for Threat Intelligence:
- Consider joining a sector-specific Industry Sharing and Analysis Center (ISAC) or a Information Sharing and Analysis Organization (ISAO)
- The FBI manages the Internet Crime and Complaint Center, offering the InfraGard membership to support organizations in protecting critical infrastructure
- CISA’s Automated Indicator Sharing (AIS) is another source for threat intelligence
While past efforts at transparency have been plagued by distrust, the million-dollar price tag of an attack should outweigh any doubts. Effective supply chain risk management can’t exist in isolation, and utilities can spearhead information sharing.
As utilities adopt smart technology and IoT, the industry is trending toward more vendors along with greater software complexity. This entails more open-source and third-party components.
Ultimately, a complex supply chain like this offers more access points to hackers.
The federal government is expanding its role in regulating cybersecurity for critical infrastructure, but utilities can’t wait.
After all, federal regulation, like NERC’s CIP-013 and Biden’s executive order on cybersecurity, came after high-profile attacks.
Though not a result of a cybercrime, the power grid failure in Texas illustrates the vital role utilities - water, electricity, gas - play in a functioning society. At least 111 people died during the winter storm, a majority due to hyperthermia. They were unable to heat their homes.
Utilities can’t wait until after an attack to save lives.
Leveraging government best practices and collaborating with vendors, utilities can address the supply chain cyber threat now by requesting SBOMs and instituting robust cyber supply chain risk
Utilities are at an inflection point
Explore the top 8 risks utilities are facing - including cybersecurity - by clicking on the links below: