Supply Chain attacks are something to watch out for
In the recently published Abhisam Industrial Cybersecurity Report, we had mentioned supply chain attacks, as something to watch out for in 2021. We never imagined that we would be so right. As the year 2021 progresses, we are witnessing increasing incidents of supply chain cyberattacks.
These supply chain attacks are pretty broad in scope and are not just related to the Industrial Control System devices, such as DCS controllers or SIS Logic Solvers but also COTS IT network components such as Routers, Switches and so on.
What are Supply Chain attacks?
A supply chain attack happens when the components that make up the IT system (or the OT system), are attacked like the famous Solarwinds attack.
Solarwinds is a software company that sells network management tools. Solarwinds own servers got attacked and these servers began updating their customer’s computer systems with software that had malware. Since the Solarwinds update service was kind of “vetted” all updates were taken at face value and accepted by their customer’s software systems. This resulted in their customer’s systems being infiltrated by the malware. This is a classic example of a software supply chain attack.
A hardware supply chain attack can also happen, if the hardware that goes into customer’s systems is compromised. For example, a managed Ethernet Switch could be having malware inside it, or it may be completely counterfeit with functionality and appearance similar to the original, but with backdoor access that may be invoked anytime in future.
Here’s an incident where many counterfeit CISCO switches were found. https://www.techzine.eu/news/infrastructure/48461/hundreds-of-counterfeit-cisco-switches-may-have-been-sold/
This lot did not seem to have malware inside, but what’s the guarantee that similar counterfeit switches will not have them?
ICS Security implications due to Supply Chain attacks
Now let us see what are the implications on ICS Security due to supply chain attacks. Before we proceed, here is a recap of ICS system architecture, for those who are not familiar with industrial control systems.
Automation System Hierarchy
Most modern Industrial Control Systems (ICS for short) have several layers, with the bottom most layer being the field instruments (sensors, transmitters, actuated valves, etc) and the higher levels being Engineering Stations or Process Historians and so on, that are more tightly integrated with business IT systems. This is as per the Purdue Model, also known as the Automation System hierarchy. In this model, the lower level devices that are in the field (or on the factory floor), are connected to higher level systems such as DCS or PLC controllers, which are in turn connected to even higher level devices such as Engineering Workstations, Operator Workstations and Data Historians. These are in turn maybe connected to business IT systems such as Enterprise Resource Planning (ERP) systems or Warehouse Management Systems.
OT System Cyber attacks
ICS are supposed to be OT (Operational Technology) systems, whereas business systems such as ERP can be said to be part of IT (Information Technology) Systems.
When we talk about ICS Security related cyberattacks, we think only about the various components that are directly part of the ICS such as PLC Controllers, or SIS Logic Solvers and DCS Communication Processors. However, the higher level components of an ICS such as Data Historians or Advanced Process Control Stations may be more tightly integrated with the business IT systems and thus may be vulnerable to all cyber attacks on the business IT system, including supply chain attacks.
Either the OT system could be affected due to to a successful (from an attacker’s perspective) attack on the IT system, due to this tight integration OR it could be rendered unusable even though it is not directly affected.
This is what seems to have happened in the recent Colonial pipeline cyber attack. Colonial’s IT systems were the target of an attack by ransomware seeking criminals, but due to this, the company had to shut down it’s OT systems as well, leading to shutting down their entire pipeline network that supplied gasoline and diesel to the US East Coast.
Supply Chain Cyber attacks on ICS
In the context of ICS, the vendor’s supplier who may be supplying components such as managed switches or SCADA modems that may have malware inside them.
If this indeed happens, the ICS vendor’s customer, who may be a chemical manufacturer or an Oil and Gas company, now has malware residing inside it’s premises, that came in through the ICS.
There are two ways that such malicious components sitting in the ICS can affect the user. Either the perpetrators may be able to remotely hijack and shut off the ICS itself via these booby trapped devices OR they may be able to route malware from these components into the business IT systems.
Most Industrial Cybersecurity recommendations are based on the assumption that malware can only enter the ICS via the internet facing business IT systems and hence there are data diodes, that allow only unidirectional data flow from ICS to IT systems.
But what if the reverse could also be true? What if the ICS components harbor malware which could be injected into the business IT systems? Then the data diodes will not prevent this from happening.
People in charge of OT cybersecurity should keep the above possibilities in mind when planning possible cyber attack scenarios. Cyber risk assessment for control systems such include this.
Where to get more information about ICS Security?
You can refer to the Abhisam Industrial Cybersecurity resource page here.
Also you can start by taking the Abhisam Industrial Cybersecurity e-learning course that covers all aspects of OT security including basic concepts of Industrial Automation and Control Systems, differences between IT systems and ICS, understanding Industrial cybersecurity standards such as IEC 62443, various ways in which to protect your OT systems and more.
You can participate in the Abhisam Industrial Cybersecurity thriller, where you get the be part of the Red Team or the Blue Team and get to know all aspects of Industrial Cybersecurity.