Security teams began 2021 on high-alert, following a year of unexpected pandemic challenges and one of the most notable supply chain attacks to-date. While the SolarWinds attack posed the greatest threat for high-value targets across government, critical infrastructure, and the private sector, the impact of the attack far exceeds the list of organizations affected. The event initiated a global reckoning with the cybersecurity risk that organizations have implicitly accepted from their supply chain. This realization is especially timely as the distribution of Covid-19 vaccines has begun.
The SolarWinds attack drew significant attention because it was unique. Rather than target a specific organization, the attackers inserted sophisticated malware into signed and released updates to SolarWinds network management product, which allowed them to compromise multiple end users of the software. In this instance, SolarWinds unwittingly became the supplier of malware to organizations within its customer base, making the threat impact exponential. This type of attack simply wasn’t part of many organizations’ threat models.
The concept of large-scale supply chain risk isn’t new, however. Organizations deal with supply chain risk all the time, and cyber attacks that impact supply chain aren’t unheard of either. We’ve seen numerous cyber attacks that directly impacted organizations through their supply chain over the last five-or-so years. Let’s look at a few examples.
- In June of 2017, Danish shipping company Maersk was subject to mysterious-at-the-time malware that required IT staff to disconnect its entire global network, which represented close to a fifth of the world’s global shipping capacity. Researchers determined that the now familiar malware, NotPetya, was set in motion by a group of nation state attackers that used two powerful exploits to irreversibly encrypt computers’ master boot records. The attack spread far beyond the Maersk occurrence and ultimately impacted organizations around the world, including hospitals, pharmaceutical companies and food producers. Maersk, in particular, had to halt much of its shipping business, impacting a multitude of organizations that rely on those containers showing up on-time.
- In the same year, Renault-Nissan was hit with a cyberattack involving the WannaCry ransomware that halted production at five plants located in England, France, Slovenia, Romania, and India. The affected plants were forced into a weekend-long shutdown while the company disconnected infected plants from the network. Renault-Nissan supplies vehicles, of course. While we might think of them as an endpoint in the supply chain, there are numerous organizations that depend on them as a supplier as well.
- Early last year, Norsk Hydro, a multinational aluminum manufacturer with operations in 40 countries, was the victim of a major cyberattack involving the LockerGoga ransomware. The attack compromised multiple business systems which forced the company to close many of its plants and move others offline. Aluminum manufacturing is a classic example of a supply chain business.
Needless to say, the above attacks all had significant effects on the organizations targeted, as well as follow-on impacts to their customers. It’s also worth noting that these events are all connected to large, publicly disclosed ransomware incidents, which makes them more visible than a targeted attack. We also know that history tends to repeat itself, which reinforces the importance of learning from these events and taking the necessary steps to protect supply chains. Being in the midst of a pandemic is no exception.
The Covid-19 pandemic has presented a new supply chain to threaten, one that has visceral impact for both organizations and consumers – vaccine roll out. From ingredient sourcing to manufacturing and distribution, there are multiple functions that have the potential to be impacted by a cyberattack. In early December, we saw initial threats to the vaccine supply chain through a sophisticated global phishing campaign and later, hackers stole vaccine data from pharmaceutical giant, Pfizer.
For the numerous organizations involved in the distribution process, it’s important to examine how to better prevent large scale threats to supply chain from being realized. The majority of cyberattacks, like the vaccine phishing incident, are not sophisticated, complex campaigns. Attackers will generally take the path of least resistance, and that means that basic security hygiene and planning ahead can help mitigate the majority of attacks. Security teams should start by evaluating and strengthening the basics. There’s plenty of detailed guidance available from organizations like the Center for Internet Security, but the following is a good place to start:
- Start with Visibility: You can’t protect what you don’t know about. Even if you think you’ve got a good asset inventory, it’s likely that you have blind spots. There’s exponential growth in network connected devices. And don’t forget about the assets outside your proverbial four walls for which you’re also responsible. Your cloud provider isn’t responsible for the assets you deploy in their infrastructure.
- Baseline the Environment: Once you know what assets you have, gaining visibility into how they are configured (and misconfigured) is a solid next step. Misconfigurations give attackers easy points of entry and facilitate lateral movement inside the environment. Establishing a good baseline for configurations allows you to then secure those configurations.
- Up-Level That Baseline: Pick an industry standard to use as a guide and start a prioritized project to implement more secure configurations. Determine which misconfigurations are the most impactful to your organization. Making consistent, incremental progress in locking down configurations will make the attacker’s job harder.
- Address Vulnerability Risk: Finding, prioritizing, and remediating vulnerabilities is a never-ending, but important process in reducing risk. The key is to prioritize what you choose to address. No organization can address every vulnerability discovered by most assessment tools, but vulnerabilities present different levels of risk. Build a process that identifies the most important vulnerabilities and works to address them.
As an organization you’re not just responsible for securing your own assets. You’re also expected to be a responsible member of the supply chain. Implementing the basics well helps everyone involved in your supply chain ecosystem. Processes like asset discovery and secure configuration management might not represent the tip of the technological spear in cybersecurity, but they are among the most consistent, effective means of reducing risk.
Tim Erlin, vice president of product management and strategy, Tripwire