Is There Hope for ICS and Supply Chain Security?
Industrial control systems (ICS) have been the target of countless cyberattacks in recent years. Some of these attacks have an extortion goal in mind, while others seem to be nothing more than a test to see if the attacker is able to access and disrupt systems. As malicious actors become more clever in their tactics, we are also seeing an increase in supply chain attacks, complicating matters even further. As cybercriminals find new ways to improve their attacks, is there any hope of protecting our industrial networks from future attacks?
Industrial Control Systems Security
NIST has published a Guide to Industrial Control Systems (ICS) Security that outlines the improvement of cyber protection measures in industrial networks. While this guide is a fantastic start to protecting industrial networks, it has one glaring hole in its focus: the industrial supply chain. When most people think about ICS and industrial organizations, what comes to mind is machinery and manufacturing equipment. It is easy to think of these as independent devices, with no connection to any other devices in the company, but this simply isn’t the case. Most industrial equipment these days is connected to a network, allowing for monitoring and firmware updates. Both of these aspects usually rely on software provided by an external company.
In the wake of recent attacks, like the SolarWinds Orion update attack or the Accelion FTA attacks, it is natural to start wondering who you can trust and how you know you can trust them. The fact is, every company writing their own software is unrealistic, and often doesn’t make sense even if a company has the necessary resources. This is especially true for industrial organizations that rely on equipment provided by other companies to perform the basic operations necessary for their daily tasks. It may be possible to keep equipment off of the network and only update via sealed CDs received from the manufacturer, or even updates provided digitally, by copying the updates to a USB stick and updating systems offline. What this doesn’t guarantee is that the software you are loading onto your equipment is what you think it is and that it is secure.
Increasing Supply Chain Transparency
The way to move forward is through increased transparency. While your organization may not be directly auditing the code you are provided, your suppliers should be able to indicate what measures they are taking to ensure the security of their systems, and to verify the authenticity of the code they are providing. Insisting on chain of custody documentation can also help to ensure that the software being provided has not been tampered with. There are even good arguments for using Blockchain technology, along with a cryptographic signature, for data validation. Combined with transparency from your suppliers, these additional measures ensure you are provided with exactly what you are expecting from your suppliers.
Industrial equipment, as a category, includes components that most people don’t consider; things that you might find in most organizations. If you have a network, then you have modems, routers, switches and workstations, at a minimum. It is not only important to protect your industrial equipment, but also the common computer and network systems attached to your networks. Taking measures to create network segregation between industrial equipment and the workstations and other devices will not only limit your potential attack vectors, it helps to ensure that a successful attack has a minimal impact on business operations.
Office and network equipment will also need to be kept updated with the latest security patches, and staff must be trained in how to identify unusual behavior on any systems used within the organization. This extends beyond unusual behavior from equipment to common attack vectors like malvertising and phishing campaigns. It is not uncommon for an attacker to use these methods to gain access to a network, then pivot from the entry point to implement their final attack.
In a time when attacks on industrial control systems and supply chains are increasing, industrial organizations must be more vigilant than ever in protecting their networks and equipment. Keeping all systems updated with the latest security updates is critical in maintaining a secure network, and demanding transparency and utilization of modern technologies from suppliers, will go a long way toward preventing future attacks. The way to stay a step ahead of would-be attackers lies largely in communication and diligence. There is hope of warding off upcoming attacks, but only if organizations have good two-way communication with their suppliers and employees, and are vigilant in their security and update requirements and processes.
