In the original Star Trek episode “The Trouble with Tribbles,” an unscrupulous merchant, Cyrano Jones, gives a small furry animal called a Tribble to communications officer Uhura. Uhura takes the Tribble aboard the Starship Enterprise where the animal begins to quickly reproduce, thereby threatening to overrun the ship and cause significant damage. This episode is a great lesson in cyber security and supply chains, and a great way for us to communicate about the risks we take on when we don’t evaluate what we are bringing into our own enterprises and who is providing it.
A recent article by Deloitte, Managing cyber risk in the electric power sector, Emerging threats to supply chain and industrial control systems, goes into great detail about the evolving attacks targeting systems that generate, distribute and govern power generation. The energy sector is considered critical infrastructure for good reason. When the power is out, especially over a wide area, it can impact safety, the economy and national security. Protecting that infrastructure is in the interest of the companies operating the system, as well as the communities that need this vital resource. Doing so, however, is becoming increasingly difficult, as attacks have become more sophisticated and the attackers are now as likely to come from nation-states as organized crime.
Traditional methods of attack have often started with a phishing attempt. The first known successful attack on a power plant was initiated via spear phishing, which allowed the attackers to steal credentials to Ukrainian power facilities. With those credentials, the attackers could then remotely control computers and breakers, causing a large regional outage. The attack didn’t stop there; phone lines were jammed, causing a denial of service for legitimate customers attempting to report the outage and seek information or help. (For a more detailed report of this attack, see the ICS-CERT report Cyber-Attack Against Ukrainian Critical Infrastructure or this less clinical version from Wired – Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.)
Phishing remains a top concern for every organization with an email server, and now another vector has arisen that is even more insidious – malware distributed via the supply chain. Deloitte explains this risk by providing examples, such as a 2017 attack targeting the industrial control systems (ICS) of a Saudi petrochemical plant. This attack was intended to cause physical harm and could easily have resulted in the deaths of employees onsite had the malware not contained a bug causing it to malfunction. The malware was contained on controllers which were vulnerable either directly from the manufacturer or via a firmware update. Both vectors are “allowed” and, without proper oversight, are ways for attackers to easily bypass traditional security controls.
Securing the Industrial Supply Chain
If ICS and other supply chain vectors are now more critical to infrastructure and more vulnerable to attack, what can be done to protect organizations against malware? Let’s return to the tribbles to see what detective and preventive controls the crew of the Enterprise could have employed to protect their Starship.
Starting with procurement, Uhura accepted a gift without any due diligence on either the vendor or the product itself. Sure, tribbles are cute, fuzzy and make appealing noises, but are they suitable pets allowed by Starfleet policy? Had Uhura done her research, she would have known that Cyrano Jones could be charged with transporting a dangerous animal off its native planet. Applying this to the real world, it’s vital that organizations perform vendor risk and security reviews for all vendors and do the same for the products they are purchasing. For products, it is especially important to know of any outsourced or open-sourced components used in their construction so additional reviews and monitoring of those components can be performed.
The next layer of control that failed was upon entry into the perimeter. The tribble was allowed to be transported onto the Enterprise without scanning it for potential harm or identifying it as a potential risk. Surely, this dangerous animal was listed in the Enterprise’s database! Vulnerability assessment and ongoing vulnerability scans are vital for continuously monitoring risk. Employing a way to evaluate ICS and its components for vulnerabilities is vital for protecting critical infrastructure. Monitoring needs to be ongoing in order to evaluate firmware updates and identify any new vulnerabilities discovered in third-party components.
Finally, employing detective controls would have spotted the danger to the Enterprise earlier. The number of unexpected lifeforms was increasing rapidly, and a simple visualization of the number and rate would have shown the warning signs. One can assume the security team updated their monitoring dashboards after this incident. In an industrial or IT environment, there is an expected state with normal change and data flow. When an unusual event occurs or there is an unexpected deviation from the norm, this should trigger an investigation and possibly corrective action. Understanding change and how to manage it is another layer of security to add to increasingly connected and complex industrial environments.
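
The detective control described above can be sketched as a comparison of each discovery scan against the expected state. This is an added example, not code from the article or from any vendor; the asset names, firmware digests, scan data and the `max_increase` threshold are all constructed assumptions.

```python
# Added example: names, digests and thresholds below are constructed for illustration.

AUTHORIZED = {  # asset id -> approved firmware digest (placeholder values)
    "plc-01": "fw-a1",
    "plc-02": "fw-b2",
    "hmi-01": "fw-c3",
}

SCANS = [  # constructed discovery snapshots, oldest first: asset id -> observed digest
    {"plc-01": "fw-a1", "plc-02": "fw-b2", "hmi-01": "fw-c3"},
    {"plc-01": "fw-a1", "plc-02": "fw-b2", "hmi-01": "fw-c3", "unk-1": "fw-x"},
    {"plc-01": "fw-a1", "plc-02": "fw-zz", "hmi-01": "fw-c3",
     "unk-1": "fw-x", "unk-2": "fw-x", "unk-3": "fw-x"},
    {"plc-01": "fw-a1", "plc-02": "fw-zz",
     "unk-1": "fw-x", "unk-2": "fw-x", "unk-3": "fw-x", "unk-4": "fw-x",
     "unk-5": "fw-x", "unk-6": "fw-x", "unk-7": "fw-x"},
]


def diff_scan(authorized, scan):
    """Compare one scan with the expected state and report each kind of deviation."""
    return {
        "unauthorized": sorted(set(scan) - set(authorized)),
        "missing": sorted(set(authorized) - set(scan)),
        "firmware_drift": sorted(
            a for a in set(scan) & set(authorized) if scan[a] != authorized[a]
        ),
    }


def growth_alerts(authorized, scans, max_increase=1):
    """Return (scan index, count) where unauthorized assets grew faster than allowed."""
    alerts, previous = [], 0
    for index, scan in enumerate(scans):
        count = len(diff_scan(authorized, scan)["unauthorized"])
        if count - previous > max_increase:
            alerts.append((index, count))
        previous = count
    return alerts


if __name__ == "__main__":
    for i, scan in enumerate(SCANS):
        print(i, diff_scan(AUTHORIZED, scan))
    print("growth alerts:", growth_alerts(AUTHORIZED, SCANS))
```

In the constructed data the single unknown device in the second scan stays under the threshold, while the jumps to three and then seven unknown devices each raise an alert, alongside the firmware change on `plc-02` and the disappearance of `hmi-01`.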
Conclusions and Next Steps
This overview has only scratched the surface of managing cyber risk in the industrial context. I recommend reading the Deloitte report for a deeper analysis and recommendations.
One thing that is a consistent theme across all risk domains is that Security is a Team Sport. It isn’t just the realm of security professionals - everyone from procurement to operators is responsible for protecting the company.
Another consistent theme regardless of IT, OT or industrial cyber security is that the CIS Critical Control framework is broadly applicable. For instance, understanding what assets are in your environment, their criticality and whether or not they are authorized to be there remain important considerations in the data center and power plant. While it may be easier to add a device to a network than install an ICS, having an inventory is still a valuable control.
Finally, Tripwire has a number of solutions that provide detective and preventive controls for industrial systems.