When, many years ago, UK defence procurement of IT-enabled systems shifted to a preference for Commercial Off The Shelf (COTS) products, it brought defence organisations into the sphere of supply chain attacks. Cyber attacks via the supply chain have since become ever more sophisticated.
When NotPetya was launched in 2017 through the update mechanism of a niche accounting package (M.E.Doc) required to do business in Ukraine, it signalled that even a small toehold could be used to cause chaos. Although it presented itself as ransomware, it behaved as a wiper: paying recovered nothing. Organisations such as the shipping giant Maersk, which put its own losses at around $300 million, were among the worst hit, and total damage across all victims has been estimated at around $10 billion, not to mention the cost of rebuilding IT infrastructure from scratch.
Many wrote this off as an “obvious” attack that would have been contained had the affected organisations segmented and configured their networks appropriately. It was also pointed out that continuous due diligence on updates to this third party software would have revealed the change, and the update would have been rejected. Now imagine an IT estate the size of a firm operating globally, running potentially hundreds of third party applications. At what point do you stop trusting your supply chain and start checking every update, even those arriving through official channels, as NotPetya’s did?
Matters became more complicated when the compromise of SolarWinds was discovered in late 2020. Their Orion product was used to monitor some of the most sensitive networks, including US government systems. Suppose you had an agreement with SolarWinds giving you access to their source code and permission to review every new release. Would you have spotted the attack? No. This truly sophisticated attack inserted the backdoor during the build itself, at the point the source code was compiled for distribution, so the code in the repository stayed clean while the signed binaries shipped to customers did not. It was only after unusual activity on some customers’ networks raised suspicions, and after deep investigation of the SolarWinds build environment, that the insertion of the backdoor into updates was discovered.
The SolarWinds episode raised an interesting question not just about detection of supply chain attacks but also about how trustworthy the data generated by the tools that are supposed to be securing the network actually is. Extrapolate a little further and you realise that the data could be altered at any point right up to where it is rendered for human consumption: the application displaying the data could itself be the weak link, distorting what the operator sees. This is not new. Stuxnet damaged the centrifuges at Natanz while feeding recorded normal readings back to the monitoring system, so operators saw that all was well with the very hardware it was destroying.
The bottom line is that an organisation at least needs an asset register of which third party software it is using and where it is deployed. The threat posed by each of those third party assets also needs to be analysed, along with a plan for how each would be removed or isolated, often at speed, should a compromise of its supply chain be identified.
Fortifying the Frontlines: Data Resilience in Cybersecurity
26 April, 12:00 pm – 1:00 pm • Don’t miss Prof. Steve Schneider’s live online event