Operational Technology (OT) Implications of the Recent SolarWinds Compromise

Brian Smith
The recent SolarWinds Orion compromise is a wake-up call to the very real threat that supply chain attacks present. While much of the attention and discussion about this compromise has focused on traditional IT environments, the implications of supply chain threats are just as relevant to utility Operational Technology (OT) environments. So much so that FERC and NERC have spent the last several years establishing supply chain security standards for the bulk electric system in the form of CIP-013-1. What makes the SolarWinds exploit particularly worrisome is the potential impact this type of attack can have within an OT environment. To start with, it is extremely difficult to prevent similar attacks given the practices currently employed within most security programs. Further, because the SolarWinds compromise targeted a system that is typically given elevated privileges within most IT and OT environments, similar attacks pose a serious risk.

Many details of the compromise are still emerging, especially the ultimate objectives of the adversaries once the malicious code was successfully installed inside the target environments. What we do know is that a highly skilled adversary was able to insert malicious code into the SolarWinds Orion software build process, which ultimately “trojanized” the software updates that the vendor then provided to its customers. Since these software updates were digitally signed and provided by a trusted source, most customers had no reasonable cause to suspect that they posed a risk and therefore installed them within their environments. The SolarWinds Orion product appears to have been specifically targeted because it is typically configured with elevated privileges in many environments, owing to its use in network and application monitoring and management. Once the malicious code was inside the target environments, it used those elevated privileges, along with techniques such as mimicking legitimate network traffic and impersonating users, to avoid detection. In some cases, it went unnoticed for several months. In the short term, organizations affected by this compromise should already be following the guidance provided by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in Emergency Directive 21-01. While some of this guidance is only appropriate for U.S. federal agencies, it does provide a detailed set of instructions that are specific and applicable to all potentially impacted users of the SolarWinds Orion platform.

A good way to relate the potential impact of this or similar compromises to a utility’s OT environment is to view it through the Industrial Control System (ICS) Cyber Kill Chain concept outlined in The Industrial Control System Cyber Kill Chain by Michael J. Assante and Robert M. Lee – October 5, 2015. From the ICS Cyber Kill Chain perspective, the SolarWinds Orion compromise can be considered a successful Stage I attack, providing the foundation for Stage II activities targeted at loss, denial, or manipulation of view, control, or safety. These activities become the basic building blocks an adversary can use in an attack on an OT environment to achieve a desired outcome such as disrupting operations and/or damaging equipment.

If this type of attack is difficult to prevent, what should utilities do to mitigate the associated risks? First, employing a cybersecurity architecture that provides fundamental functions such as robust inbound and outbound firewall rules, network segmentation, and lateral movement protections is essential. Next, these events also stress the importance of establishing a system baseline, along with monitoring and logging, within OT environments. While this level of visibility into OT environments has been difficult to achieve in the past, commercial monitoring and anomaly detection solutions tailored for OT environments have become available over the last few years, making this a realistic goal for most utilities.
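To make the baseline-and-monitoring recommendation concrete, here is an added example (not EnerNex's code or anything from the article) that builds an allowlist of expected outbound flows per OT management host from a baseline period and then flags later flows that fall outside it. The host names, addresses, and flow-log line format are constructed for illustration; a utility would feed this from its own firewall or OT monitoring logs.

```python
"""Baseline-drift check for outbound connections from OT management hosts.

Added example, not the article's or EnerNex's code. The idea: a monitoring
server with elevated privileges (such as an Orion-style poller) has a small,
predictable set of outbound destinations, so any flow outside that set is
worth an alert. All hosts, addresses and the log format are constructed."""
from collections import defaultdict

# Constructed baseline flow records: (src_host, dst_ip, dst_port, proto)
BASELINE_FLOWS = [
    ("orion-mon01", "10.20.0.5", 161, "udp"),   # SNMP polling of an RTU gateway
    ("orion-mon01", "10.20.0.6", 161, "udp"),
    ("orion-mon01", "10.10.0.20", 443, "tcp"),  # vendor update proxy in the DMZ
    ("hmi-eng01", "10.20.0.5", 502, "tcp"),     # Modbus/TCP to a PLC
]

def build_baseline(flows):
    """Map each host to the set of (dst_ip, dst_port, proto) it normally reaches."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
    return baseline

def parse_flow_line(line):
    """Parse a constructed flow-log line: '<ts> <src> -> <dst>:<port>/<proto>'."""
    ts, src, _, rest = line.split(maxsplit=3)
    dst, port_proto = rest.rsplit(":", 1)
    port, proto = port_proto.split("/")
    return ts, src, dst, int(port), proto

def find_deviations(baseline, lines):
    """Return (ts, src, dst, port, proto) for every flow absent from the baseline.
    A source host with no baseline at all is reported too: an unknown host
    talking outbound is exactly what a baseline is meant to surface."""
    deviations = []
    for line in lines:
        ts, src, dst, port, proto = parse_flow_line(line)
        if (dst, port, proto) not in baseline.get(src, set()):
            deviations.append((ts, src, dst, port, proto))
    return deviations

# Constructed sample of later flow-log lines to evaluate against the baseline
SAMPLE_LOG = [
    "2020-12-14T03:00:01Z orion-mon01 -> 10.20.0.5:161/udp",
    "2020-12-14T03:00:07Z orion-mon01 -> 203.0.113.44:443/tcp",  # new external destination
    "2020-12-14T03:00:09Z hmi-eng01 -> 10.20.0.5:502/tcp",
    "2020-12-14T03:00:12Z orion-mon01 -> 10.20.0.7:445/tcp",     # SMB toward an OT host
]

if __name__ == "__main__":
    for dev in find_deviations(build_baseline(BASELINE_FLOWS), SAMPLE_LOG):
        print("ALERT outbound flow outside baseline:", dev)
```

The same structure applies to other baseline dimensions a utility would want to track, such as listening services or installed software hashes per host; only the record tuple and parser change.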

Want to know more about how EnerNex can support your OT cybersecurity efforts? Feel free to contact me at bsmith@enernex.com to discuss. EnerNex is uniquely qualified to assist you as our staff has extensive experience in NERC CIP, cyber security, utility automation, IT, OT, and communications systems.

Brian Smith, CISSP, is a Principal Consultant and has over 25 years of experience in the electric utility field with an extensive background in cyber security, utility communications, utility automation systems, integration, networking, Supervisory Control and Data Acquisition (SCADA), Energy Management Systems (EMS) and tele-protection applications.