Yesterday, Fortress Information Security posted an excellent, and quite readable, white paper on the SolarWinds attacks. Because Fortress’ primary focus is supply chain security for the power industry, they are especially qualified to write about these attacks, since these were (and are – they’re still ongoing) classic software supply chain attacks, although far more devastating than any previous such attacks. You can download the document here.
The article offers a good summary of what’s known about the attacks as of probably two days ago, as well as what organizations using SolarWinds should do to protect themselves, before they’re actually compromised through the infamous backdoor. However, it adds to that a set of recommendations to protect SCADA systems, as well as best practices for implementing a data security policy in general – since right now exfiltration of critical data should be the biggest concern of all SolarWinds customers, whether or not they think they have been actually compromised yet.
Fortress says they will post updates to this document as new information becomes available. I hope that at some point, once it’s known exactly how the attackers were able to plant malware in the SolarWinds update, they'll provide a comprehensive set of measures that organizations (not just electric utilities) should take to make sure their software suppliers are secure. These will mostly be recommendations for requirements that can be included in supplier questionnaires and contract language (I listed three examples in this post).
As I’ve said multiple times in this blog (e.g. in this post), I believe software (and firmware) supply chain security is the most important area of supply chain cybersecurity risk. However, I’ll admit I never imagined that so much damage could be caused by a software supply chain attack. As it is, lately – especially in the Executive Order – there has been excessive focus on hardware supply chain attacks by nation-states, which are not impossible but are far less likely. Software is where the true risk is! But maybe you already knew that...
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.