ICS cyber security blog guest post:
Guest post I: The relationship between two unrelated cases
16 January 2021 – icscybersec
Shortly after the launch of the blog a little over 5 years ago, the question arose: should I also open it up to guest posts? I liked the idea, yet, for various reasons, I had to wait until today for the first post that I didn’t write myself. Without further ado, here is the first guest post, written by my colleague GéPé:
Taking a helicopter view of the events of the past months, I would like to highlight two developments that are far apart and, at first glance, seemingly unrelated: the presidential order of 1 May last year (E.O. 13920, declaring an energy emergency in the US) and the SolarWinds/Orion case of December.
The President’s order identifies certain foreign actors as posing a national security risk to the US transmission grid, whether as suppliers, owners or operators, and whether they have already installed or will in future install certain electrical equipment. While no concrete public evidence is available, reports are circulating that some kind of “factory built-in” vulnerability, a hardware backdoor, may indeed have been found in the electronics of a Chinese-made transformer seized at the Port of Houston in 2019 and then delivered to Sandia National Laboratories in Albuquerque. The “something is up” feeling is reinforced by the fact that in December, in the midst of the scandals surrounding the presidential election, and without waiting for the inauguration of the new president, the DoE urgently and formally banned the installation of specific Chinese-made products (including transformers!) in power plants feeding facilities sensitive to US national security.
And in the SolarWinds case, it is not an allegation but a proven fact that a foreign power was able to access a new version of the Orion application before its release. It was able to insert a backdoor which, when the new version was rolled out, was installed undetected and unhindered into the systems of the companies performing the update; those companies updated unsuspectingly and, since keeping software current is the correct thing to do, rightly so! As is well known, the IT systems of many sensitive US government organisations were affected. Analysis of the details of the attack, damage assessment and the definition of actions are still ongoing, and much more information is expected to become available only in the future, if at all…
And what links the two events? Well, they both concern the supply chain. In addition, both cases could involve highly innovative attacks that “easily” bypass existing lines of defence. Because who would think that the continuity of electricity supply could be threatened by a hardware backdoor “factory-installed” in, for example, the so-called cooling automation of a transformer?! Or who would think that a software upgrade designed to increase reliability could “open the door” to an attacker in a previously unimaginable way?!
So far, neither of these cases has been realistically conceivable. And lo and behold, both may now be a reality.
It is as if life is beginning to prove Joe Weiss’ warning, seemingly far-fetched at first sight, about backdoors bypassing the “Maginot lines” of IT systems, and emphatically of OT systems. After all, in both cases mentioned, the current means of protection are ineffective.
So here we are! It does not hurt if those working in this field now do so with greater paranoia. Because, as we all know, just because you’re paranoid doesn’t mean they aren’t after you…
P.S.: the consequences of the SolarWinds/Orion case are also unforeseeable because it hands an argument to the operators of OT systems, who are not known for updating frequently. In other words, the chances that known vulnerabilities will be addressed at an even slower pace have increased. If at all… So I needed this case about as much as a hole in the head…
The original guest post was published on the ICS cyber security blog.
Translated by DeepL.