Security Alert: Securing Supply Chain

Wednesday, May 11, 2016 @ 06:05 PM gHale


By Gregory Hale
Security awareness is sweeping throughout the manufacturing automation sector, there is no doubt about it, and getting your house in order is the top priority, but that is hardly the end of ensuring a secure environment.

In this era of partners, suppliers, third party vendors and open communications, it is inevitable that security in one of those organizations along the supply chain could be weak.

Just ask Target or the victims of the Dragonfly/Havex attack.

RELATED STORIES
Answers on How to Secure Supply Chain
ICSJWG: ‘Need to Rethink Game Plan’
German Nuke Infected with Malware
Gold Mining Company Hacked
Ransomware Attack Hurts MI Utility
Hack Attack Plan Thwarted

“The supply chain represents one of the greatest risks to industrial control systems today,” said Joel Langill, ICS cyber security expert and founder of SCADAhacker.com. “During recent years, there have been significant events that have shown how not only the supply chain, but the ICS vendor supply chain can be successfully exploited. The Slammer infection at Davis Besse Nuclear Power Station was a text book case of the potential of this attack vector dating back to 2003. However, recent attacks should have served as a reminder of the potential that these threats pose asset-owners of all sectors.

“The 2012 breach of Telvent demonstrated that attackers can leverage asset-owner remote connections and additional intellectual property possessed by a vendor to facilitate unauthorized access to critical assets. In 2014, the Dragonfly/Havex campaign took a different approach, and showed that due to insecure vendor security practices within their own infrastructure, legitimate software could be altered thereby having asset owners, integrators, and the like download software they believed was safe and ‘trusted,’ but actually contained backdoors allowing not only remote command and control, but also the ability to enter systems through would-be secure encrypted tunnels.”

The Dragonfly/Havex attack should send a shiver down the spine of any user in the manufacturing automation sector. It took trusted vendor/user relationships and turned it on its head.

Supply Chain Attack
“We know that Dragonfly/Havex was a supply chain attack against the vendors of industrial remote access and imaging products,” said Eric Byres, security controls expert. “The suppliers that were compromised (i.e. eWON, MB Connect Line and Mesa Imaging) by the Dragonfly attackers were not the intended targets, but rather just the conduit to larger, valuable targets, likely one or more major EU pharmaceutical companies. The attackers were able to successfully replace legitimate installation software on these three vendors’ support sites with software that included malicious components, namely the Havex malware. In other words, malevolent content was bundled into a software package that most in the ICS world would consider ‘trusted’ since it was obtained from a credible source. Once the infected packages were installed on the plant floor, the attackers had full access to the end-user’s entire VPN and/or imaging infrastructure and all ICS assets secured by it. This attack highlighted the potential of using trusted supply chain vendors to deliver malicious payloads directly to difficult to reach endpoints, such as PLCs and PCs hidden behind firewalls or data-diodes.”

The supply chain, though, has multiple aspects.

Answers on How to Secure Supply Chain
It is a given the supply chain could be a security issue for end users, but talking about it and doing something about are two different things.

While the issue can be a major problem, it is also manageable.

“The more astute users are thinking about their supply chain and making sure they remain secure,” said John Cusimano, director of industrial cybersecurity at safety and security integrator, aeSolutions. “There are standards in IEC 62443 that address supply chain in a couple of ways. The one that would address third party suppliers like system integrators making sure they are properly securing the information they may have about your control system is covered in the standard 2-4 which talks about suppliers’ security practices. While it is not perfect, it identifies the requirements asset owners should put on their suppliers to make sure they are at least following best security practices regarding the information they are being entrusted with. If people are looking for guidance on what to do about securing vendors or suppliers that would provide a good starting place.”
More

“There are two parts to the issue. There is the supply chain in terms of the products you are getting getting from your vendor and the supply chain in terms of outside service companies like systems integrators and both are things you need to be concerned about,” said John Cusimano, director of industrial cybersecurity at safety and security integrator, aeSolutions. “The example of Target where the hack came in via the HVAC vendor. There are plenty of examples where the way in was directly through the service provider. With Stuxnet, the way in to the Iranian nuclear facility was through a third party contractor.”

Confidence Not Strong
End users’ confidence in partners and suppliers’ security is not very strong these days, according to one survey.

Along those lines, 47 percent of respondents in the survey said they are not confident in the security of their business partners and suppliers.

That flies in the face of what companies are saying about themselves where 81 percent of IT professionals are confident in their ability to protect sensitive customer data, according to the study conducted for Tripwire by Dimensional Research. Study respondents included over 320 IT professionals who have visibility into the security of their organization’s supply chain.

“I notice that 81 percent are confident in their own capability, but 47 percent lack confidence in their partners,” said Eric Knapp, chief cyber engineer & director of global solutions at Honeywell Process Control. “That 81 percent worries me because that to me smells like over confidence, with some blame thrown in for good measure. If I could offer the 81 percent some advice, it would be to truly scrutinize their own capability, because if that includes policies that allow using insecure partners (as the survey suggests), their own capability isn’t as nearly good as they think it is.”

Human Factor
Along those lines, humans play a big part on the whole issue.

“I think the human factor is a big issue,” said Yoni Shohet, chief executive SCADAfence. “Suppliers are getting a lot of trust from the end users and they are being allowed to perform operations that end users do not have the capability to assist them and understand the consequences. In the German nuclear plant incident where they found malware. The malware was introduced into the environment by a technician via a USB stick, but they didn’t know the power of the malware. The technician inserted a USB stick and started to spread the malware inside the environment and it affected 20 devices. Even in an air gapped environment, there will always be contractors and technicians coming from the IT world from the outside and connecting some kind of device to the network. That is a huge job companies have to start assessing, especially when you are talking about the supply chain because they have so much of the environment being based on these operations by their industrial vendors.”

“Everyone has to consider the entire supply chain – both in the hardware and software they use and, perhaps more importantly, the people they use,” said Graham Speake, CSO at Berkana Resources Corp. “There will always be a risk when you purchase anything and some things you will have limited resources to do anything about. If we consider the hardware and software we use, there is likely not any entity, barring perhaps a government, who will be able to exhaustively check that the firmware in a system is correct, no backdoors in the software, no hard coded passwords. An end user needs to rely on the good security practices of the supplier, and only buy from a reputable company and authorized supplier. While savings may be achieved by purchasing gray imports or from second tier suppliers, the effective chain of custody of that device may not be able to be verified. End users should ensure they are purchasing from authorized dealers and register devices with the original manufacturer, who may spot an anomaly in the device.

“With the increase in partnering between companies, end users are relying on vendors more to diagnose faults, optimize processes and support control systems from afar, saving travel and expense costs. However, this relies on the supplier having security policies and practices as good as if not better than the end user. It is difficult to manage this process, and to ensure that the supplier is maintaining the desired security. The end user needs to lean toward assuming there will be a lower level of security at the supplier and add in extra controls to mitigate against this (where to land a VPN, restrictions on vendors connecting laptops to control networks, etc.). I have seen on many occasions where a control network segment was compromised by a ‘trusted’ partner’s virus-infected laptop. Additionally, end users need to build into initial contracts and RFPs that suppliers will meet certain security criteria – perhaps even looking at the IEC 62443-2-4 standard as a good benchmark.

Communication, Communication, Communication
In the end, it truly becomes an area of communicating the security message up and down the supply chain because attackers don’t follow any rules and if the intended victim makes it easy, then all bets are off.

“We all realize that the capability of would-be attackers is increased at an alarming rate, and that the malicious intent of their actions is also rising,” Langill said. “What is alarming to me is the complacency that I observe with many ICS vendors that have been granted ‘default trust’ by asset owners and customers. Many of them fail to provide sufficient digital signatures of their software, yet effectively force their customers to download software and patch the critical control systems to address functionality and security related problems. Even if they are not able to sign their code base, I would have expected other methods of insuring software authenticity through the use of digital hashes or other similar methods that could be shared with their users via ‘out-of-band’ methods like telephone or email. This blind trust leaves asset-owners susceptible to a wide range of simple to sophisticated attack vectors that either originate or pivot through their key suppliers.

“It is time that vendors and consultants alike realize that an attacker is going to take the path of least resistance. Rather than trying to pound down the front door of a critical infrastructure asset, it is far easier to find a window that has likely been opened by a key supplier.”