Another big supply chain breach

Kevin Perry, retired Chief CIP Auditor of the SPP Regional Entity, sent me today a link to this article about a breach at Airbus in which a lot of technical data was exfiltrated, presumably to China. By the way, I love this wonderful formula for success: stealing your way to technical competence. I don’t know why I didn’t think of that earlier in life, when it might have done me some good.

Of course, this breach came through the supply chain, in fact through multiple vendors. The attackers were able to penetrate the suppliers’ networks (evidently not too hard to do), and were able to get remote access to VPNs connecting the suppliers to Airbus (of course, it’s highly unlikely the VPNs were also protected with multi-factor authentication).

And in case you might be inclined to dismiss this attack as not too relevant to critical infrastructure - since of course it was data, not operations, that were affected - I want to point you to the last paragraph of the article, which noted that a debilitating malware outbreak at a key supplier this year had an impact on Airbus’ production (this is one downside of just-in-time procurement, of course).

Whenever a NERC entity (or really any organization) hears about an attack on another company, the question to ask is: What is the threat that’s the basis of this attack, and how can we mitigate it ourselves? This question applies especially to CIP-013 entities, since R1.1 requires you to “identify and assess” supply chain security risks (although I prefer “threats”, following NIST 800-30) to the BES? Here’s one you should identify!

The threat is that a supplier’s network will be penetrated by a malicious third party (or by a rogue insider), and they will be able to gain access to your network through vendor communications channels to your environment. Moreover, it doesn’t matter that much whether it’s your IT or your OT network that’s penetrated. If your IT network is owned by someone like the Chinese, they will ultimately figure out a way to get into the OT network - as in the first Ukraine attack, when the Russians were in the Ukrainian utilities’ IT networks for many months before they realized the HMIs for their substations were placed on the IT network. This was of course a gift to the Russians due to poor security practices by the utilities, but if a nation-state attacker is in your IT network long enough, they will very probably find a way into your OT network.

Of course, this is the second case in two posts where there’s a threat to utilities (or any organization) that results from penetration of a supplier’s network by the bad guys. In my last post, the threat was that the bad guys will penetrate the development or manufacturing environment of a supplier and substitute a hardware or software component that contains malware. This time, it’s that they’ll utilize the supplier’s access to your network to penetrate your ESP and cause havoc.

In my opinion, NERC entities should strongly consider mitigating threats that result from penetration of suppliers’ (and vendors’) networks as part of their CIP-013 plans. These aren’t idle threats, of course. Keep in mind that last summer DHS raised the alarm in a webinar that at least 200 suppliers to the power industry had been penetrated by the Russians, and that the attackers had success in penetrating power industry players that way (although that part was walked back by DHS two days later. But that walkback was contradicted by statements that had been made in a second DHS webinar that very morning. Moreover, DHS walked back the first walkback a week later - at a briefing in front of Mike Pence, Rick Perry and Kirstjen Nielsen, at the time Secretary of DHS - with a new story that was incompatible with the previous ones. I heard a third walkback at a meeting in McLean, VA last September. And to top it off, when I questioned a DHS official during a meeting at the RSA Conference this March, he started stammering out a bunch of strange excuses for this and for not investigating the Worldwide Threat Assessment. I haven’t had time to discuss this odd evening yet, but a reporter from Dark Reading did write about it, without knowing my name. Does it seem there might be something strange going on at DHS?).

And don’t forget the Wall Street Journal article from January, which detailed how the Russians are using phishing emails to penetrate supplier networks, and through them utilities. So it’s very important to take steps to make sure your suppliers are themselves following good security practices. How do you do this? There are lots of ways. Contract language is one, but hardly the only one. RFP terms and questions are another.

I think vendor questionnaires are an excellent tool, since they not only provide you with information on what your supplier is doing, but they let the supplier know what steps you think they should be taking. And having annual “security reviews” with important suppliers allows you and the supplier to freely exchange information about your security practices, as well as your mutual security objectives. The best thing about these is they shift the discussion from an adversarial one to a partnership, where you’re working with them to secure both of your environments.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.