Lessons Learned From the SolarWinds Compromise

December 30, 2020

What Happened:

The world of cybersecurity was shaken on Dec. 13 when news broke about the compromise of multiple federal agencies including the Centers for Disease Control and Prevention, the State Department, the Department of Homeland Security, and parts of the Pentagon, along with the majority of Fortune 500 companies.

Investigation revealed a sophisticated supply chain attack against the SolarWinds Orion software, a popular IT monitoring and management platform used by tens of thousands of organizations all over the world. About 18,000 customers downloaded the tainted versions of the Orion platform that were released between March 2020 and June 2020.

Once those releases were installed, the malware activated and disguised its command-and-control traffic as Orion’s native protocol, the Orion Improvement Program (OIP), which let it blend in with legitimate activity. Upon discovery, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive urging all federal civilian agencies to immediately disconnect or power down their instances of the Orion software.

The Impact:

The impact on electric utilities is not yet known, but there is a high probability that some of the compromised organizations belong to the energy sector. Cybersecurity response teams have been working around the clock to determine whether they installed the compromised updates and which areas of their systems and networks could be affected.

NERC and the E-ISAC have actively engaged with industry partners to help address the situation. Dealing with supply chain vulnerabilities has been at the forefront for NERC with the introduction of the CIP-013 standard, which became effective on Oct. 1, 2020. This standard requires electric utilities to develop and implement a plan that includes security controls for supply chain management of the industrial control system hardware, software, and services associated with bulk electric system operations.

What We’ve Learned to Date:

This unprecedented cyberattack will have a significant impact on the way organizations handle their supply chains, system and network access, and incident response. We can already extract three important highlights:

  1. It is paramount for an organization to gain and maintain accurate visibility into its networks: which assets are installed, how those assets are configured, and how access policies actually segment the network into distinct zones. This visibility should extend to vendors that are directly connected to bulk electric system equipment.
  2. Organizations must follow a strict separation of duties and responsibilities between IT and OT management and monitoring platforms. Using a single solution both to modify network rulesets and to monitor the architecture creates a single point of failure: compromising that one platform grants both visibility into and control over the network.
  3. While the electric industry has been preparing for the possibility of supply chain attacks through recent regulations enforced by NERC, the magnitude of this incident shows that vendors and security teams alone cannot mitigate the risk entirely. It is crucial for organizations, vendors, and governments to work together towards improving the way software is delivered and updated.

Next Steps:

In the short term, incident response and compliance teams should follow a step-by-step playbook to determine which systems are directly affected and to scope the cleanup and rebuilding efforts. In the longer term, organizations should evaluate their supply chain risk mitigation plan and ensure accurate, real-time visibility into both their network firewall rulesets and their in-depth traffic monitoring and logging solutions.