Tuesday, December 22, 2020

SolarWinds is (was?) critical infrastructure

I’m working hard nowadays to finish my book on supply chain cybersecurity for critical infrastructure. Yesterday I was working on a chapter where I was discussing the difference between critical infrastructure industries and other industries. In doing so, I came to the realization that the essence of critical infrastructure is that owners of critical infrastructure should never have the final say on how it is used and especially how it is secured. This is because, by definition, the general public has a “stake” in critical infrastructure, even if it’s owned entirely by private parties.

Of course, everyone in the electric power industry is already well aware of this fact. If they do something wrong and there’s an outage, that isn’t just an internal problem. It needs to be reported to NERC, the federal, state and local governments, etc. Depending on what happened, there may be press reports, a fine or other public shaming.

Probably the most important “gift” that comes with owning critical infrastructure is the regulation that comes with it. Electric utilities are regulated by NERC, FERC, the PUCs and other regulatory bodies. Even though some of the regulations are overdone, all of this can be thought of as the public taking steps to guard its stake in critical infrastructure.

Of course, electric utilities aren’t unique in this regard. Oil refineries, natural gas pipelines, water treatment systems, chemical plants, transportation systems, banking, telecom and other industries all operate critical infrastructure. And they almost all are regulated in one way or the other, including for cybersecurity.

As I was writing this, I was also thinking about SolarWinds, and how it looks like some very bad security practices on their part may have led to what could be the greatest disaster – outside of wars and pandemics – ever experienced by the American people. And then I realized: SolarWinds is as much a critical infrastructure operator as any electric utility. Their software was used to manage the networks of many important agencies of the federal government (in hindsight, far too many!). Moreover, by definition network management software has to hold the “keys to the kingdom”: credentials for network infrastructure devices like routers, switches and firewalls, as well as an open pathway to control servers and workstations through those devices.

Of course, two weeks ago I would never have dreamed of calling SolarWinds a critical infrastructure operator. Even if someone had told me they had bad security, I would have said that’s basically their problem. I would have said this even though I certainly knew that their poor security could lead to customers getting breached (e.g. as happened to Delta Airlines, which lost close to a million credit card numbers when attackers penetrated its web site through a backdoor that had been planted in recently purchased chatbot software deployed on that site).

Obviously, there are lots of other companies, like software developers and other service providers, who have been breached – and those breaches have resulted in customers and other third parties being breached as well. One good example of this is Equifax, who lost control of the personal information of about half the adults in the US in 2017. When something like that happens, there’s lots of speculation about what will happen to the company’s stock price, or whether they’ll even survive as a going concern (some companies have gone under because of a cybersecurity breach). There’s even more speculation about the size of the settlement the company will make with its customers – with the presumption that once that settlement is agreed to, the incident is over and the company can begin to heal and grow again.

Because SolarWinds software managed the networks of so many important government agencies, and because the Russians had 6-9 months to root around in those networks, exfiltrate data and plant malware, it is likely the total cost of these breaches will never be known; but it will definitely be in the billions of dollars.

So there’s no question that this is no longer SolarWinds’ problem; this is the US taxpayer’s problem. Maybe there will be a settlement that will allow SolarWinds to stay in business; maybe there won’t, and SolarWinds may have to go through bankruptcy, be sold for a song, or liquidated. But none of those alternatives will come close to making taxpayers whole.

Clearly, SolarWinds was in fact a critical infrastructure operator, since the operation of a lot of the federal government depended on their good governance – and that proved elusive. What other service providers and software companies are in their position? I’m not sure – probably not many. Unfortunately, the Russians seem to have identified perhaps the single most critical of all critical infrastructure providers – long before we did.

There needs to be cybersecurity regulation of all critical infrastructure organizations, not just the ones who produce and transport natural gas or electric power.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
