The recent SolarWinds attack highlighted one very important trend that is occurring now in the Cyber Threat Landscape: supply chain attacks. When one first hears this term, images of Cyberattacks on logistics companies such as FedEx or UPS often come to mind. But what I really mean is that in these instances, all the Cyberattacker needs to do is literally find one weak spot, exploit that, and from there deliver the malicious payload to thousands of victims.

In the case of SolarWinds, the Cyberattacker group was able to infiltrate through weaknesses that persisted in one of the company's remote tools, and as its customers started to download the latest version, they were totally impacted by the malware.

In fact, there were many victims in this scenario, ranging from some of the major agencies in the Federal Government to some of the largest of the Fortune 500 companies.
This increased trend has been further substantiated by a recent study conducted by the Identity Theft Resource Center, also known as the “ITRC”. Their research project is entitled “ITRC 2020 Data Breach Report”, and it found that there was at least a 42% increase in the total number of supply chain attacks in the first quarter of this year compared with any earlier period.

But now that breaking into digital assets has become the norm, and knowing that those assets are being more closely watched, the Cyberattacker of today is going after something that is not so well protected.

According to this report, they are trying to infiltrate the actual hardware itself, focusing upon the legacy systems of Critical Infrastructure, on a scale of devastation that could far surpass that of the Colonial Gas Pipeline attack.
How is this being done? It is being done in the firmware itself, and these have become technically known as “Extensible Firmware Interface”, or “EFI”, Cyberattacks. Here are four plausible scenarios that are quite likely to happen:
*IC Cloning:

This refers to the integrated circuit boards that reside in your workstation, wireless device, or even your smartphone. The good news here is that this sort of technology is advancing on a daily basis, and in fact has become quite complex in nature. Thus, it makes little sense for the Cyberattacker to target these current items, because by the time they figure one out, the technology has progressed to the next level of sophistication. But this does not mean that the integrated circuit boards of legacy-based systems cannot be a target. For instance, when the Critical Infrastructure was being built out in the 60’s, 70’s and even the 80’s, the thought of a Cyberattack never crossed anybody’s mind. Rather, the main security concern back then was on the physical access side of things, such as an impostor gaining access to the controls. Thus, there is really no security per se on these systems, which makes them such an easy target. Even if a company were to attempt to secure them from Cyberattacks, it is no easy proposition to undertake. The integrated circuit boards are deeply embedded in the other hardware of the Critical Infrastructure, and because of that, you simply cannot rip them out and put new ones in. Trying to implement newer layers of security tools on top of them is also a dicey issue, as there will have to be a very strong level of interaction between those tools and the integrated circuit board that is being used.
*The degradation of the signing key:

This is actually part of the encryption process, and it is used widely in order to confirm that the message sent from the point of origination to the point of destination has indeed remained intact, and has not been altered or changed in any way, shape, or form. While this process is deemed to be secure enough, the keys that are used are still at grave risk of being stolen by a Cyberattacker and misused in such a way that a piece of malicious software can still look legitimate and safe to the end user. In fact, this is in part how the SolarWinds attack actually took place.

This sort of integrity checking mechanism has traditionally been used for the protection of digital assets, but it can also be used for the hardware components in the Critical Infrastructure.

As a result, one of the fail-safes that has been implemented is that if one of the keys has been compromised in any way, then the other key that was used must be revoked, or, put in simpler terms, should “self-destruct”. However, this is rarely tested on a real-time basis, and because of that, if it were ever to be used in an integrated circuit board setting, it could take a very long time (we are talking weeks here) before a breach like this would ever be noticed.
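To make the revocation fail-safe concrete, here is an added example (not code from the original post or from any vendor mentioned in it) of how a firmware update verifier can be written and, just as importantly, tested. It uses Ed25519 from the Go standard library, a constructed sample firmware image, and a hypothetical `Verifier` type that holds both the trusted public keys and a revocation list. The point it demonstrates is the one the paragraph above makes: a stolen signing key still produces perfectly valid signatures, so the verifier must consult the revocation list before it trusts the signature check, and that path must be exercised rather than assumed to work.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// FirmwareUpdate is a hypothetical update manifest: the image bytes, a
// detached signature, and the identifier of the key that produced it.
type FirmwareUpdate struct {
	Image     []byte
	KeyID     string
	Signature []byte
}

// Verifier holds the trusted signing keys and the set of revoked key IDs.
// In a real device both would live in protected, updatable storage.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

var (
	ErrUnknownKey = errors.New("signing key not in trust store")
	ErrRevokedKey = errors.New("signing key has been revoked")
	ErrBadSig     = errors.New("signature does not match image")
)

// KeyID derives a stable identifier from a public key (first 8 bytes of SHA-256).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign produces the manifest a vendor would ship alongside an image.
func Sign(priv ed25519.PrivateKey, image []byte) FirmwareUpdate {
	pub := priv.Public().(ed25519.PublicKey)
	return FirmwareUpdate{Image: image, KeyID: KeyID(pub), Signature: ed25519.Sign(priv, image)}
}

// Verify checks revocation BEFORE the signature. A compromised key signs
// malware just as well as it signs genuine images, so a valid signature
// proves nothing once the key is known to be stolen.
func (v *Verifier) Verify(u FirmwareUpdate) error {
	if v.Revoked[u.KeyID] {
		return ErrRevokedKey
	}
	pub, ok := v.Trusted[u.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, u.Image, u.Signature) {
		return ErrBadSig
	}
	return nil
}

// Revoke records a compromised key. Distributing this list to every device
// is the slow, rarely rehearsed step the post warns about.
func (v *Verifier) Revoke(keyID string) { v.Revoked[keyID] = true }

// Scenario exercises the three cases a verifier must get right: a genuine
// update, a tampered image, and a genuine signature from a revoked key.
func Scenario() (genuine, tampered, afterRevoke error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := &Verifier{
		Trusted: map[string]ed25519.PublicKey{KeyID(pub): pub},
		Revoked: map[string]bool{},
	}
	image := []byte("constructed firmware image v1.0") // constructed sample input
	update := Sign(priv, image)
	genuine = v.Verify(update)

	// Flip one byte of a copy of the image; the signature must no longer match.
	bad := update
	bad.Image = append([]byte(nil), image...)
	bad.Image[0] ^= 0xff
	tampered = v.Verify(bad)

	// Revoke the key and re-check the ORIGINAL, correctly signed update.
	v.Revoke(update.KeyID)
	afterRevoke = v.Verify(update)
	return genuine, tampered, afterRevoke
}

func main() {
	a, b, c := Scenario()
	fmt.Println("genuine update:   ", a)
	fmt.Println("tampered image:   ", b)
	fmt.Println("after revocation: ", c)
}
```

The third case is the one worth rehearsing on real hardware: the update is byte-for-byte what the vendor shipped and the signature is mathematically valid, yet the verifier must reject it because the key on the manifest is on the revocation list. If that list never reaches the board, or the code checks the signature first and stops there, the "self-destruct" exists only on paper.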
*The threat of an insider attack:

I have written about this topic many a time before in previous blogs. The bottom line is that this kind of Cyberattack is extremely hard to detect until it is too late. You can screen and vet all of your employees as much as you think is necessary, but there is no guarantee that a disgruntled employee won’t cause serious damage to your legacy-based systems, especially your integrated circuit boards. Of course, this also hinges on the fact that they have to really know what they are doing, and are launching their attack in phases, in a covert manner. There is also a huge fine line that has to be walked here, as you do not want to spread paranoia in your company that “Big Brother” is watching. Because of this, many firms are now opting to implement the Zero Trust Framework, in which absolutely nobody is trusted until they are completely verified and authenticated. In this regard, probably one of the best lines of defense that you can implement is to deploy a 24 X 7 X 365 hotline through which suspicious or abnormal behavior can be reported anonymously.
My Thoughts On This:

IMHO, attacks on Critical Infrastructure are only going to get much worse than what we have already seen. We really need to take the time to deploy some sort of protective layers on them. But this does not mean that we do things in a haphazard fashion. Every layer of security must first be tested in a sandboxed environment before it is released into the production environment.

If this is not followed, more mayhem and fallout could happen because the interoperability simply did not exist, thus making a grave situation even worse by giving the Cyberattacker newer avenues through which to infiltrate the legacy-based integrated circuit board.