Wednesday, December 23, 2020

In case you can’t read everything available about SolarWinds…

Yesterday, Fortress Information Security posted an excellent, and quite readable, white paper on the SolarWinds attacks. Because Fortress’ primary focus is supply chain security for the power industry, they are especially qualified to write about these attacks, since these were (and are – they’re still ongoing) classic software supply chain attacks, although far more devastating than any previous such attacks. You can download the document here.

The article offers a good summary of what’s known about the attacks as of probably two days ago, as well as what organizations using SolarWinds should do to protect themselves, before they’re actually compromised through the infamous backdoor. However, it adds to that a set of recommendations to protect SCADA systems, as well as best practices for implementing a data security policy in general – since right now exfiltration of critical data should be the biggest concern of all SolarWinds customers, whether or not they think they have been actually compromised yet.

Fortress says they will post updates to this document as new information becomes available. I hope that at some point, once it’s known exactly how the attackers were able to plant malware in the SolarWinds update, they'll provide a comprehensive set of measures that organizations (not just electric utilities) should take to make sure their software suppliers are secure. These will mostly be recommendations for requirements that can be included in supplier questionnaires and contract language (I listed three examples in this post).

As I’ve said multiple times in this blog (e.g. in this post), I believe software (and firmware) supply chain security is the most important area of supply chain cybersecurity risk. However, I’ll admit I never imagined that so much damage could be caused by a software supply chain attack. As it is, lately – especially in the Executive Order – there has been excessive focus on hardware supply chain attacks by nation-states, which are not impossible but are far less likely. Software is where the true risk is! But maybe you already knew that...

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
