Guest post from the ICS cyber security blog:
Lessons from the SolarWinds incident in Hungary
30 January 2021 – icscybersec
It has been more than a month since the true gravity of the SolarWinds incident became known. Unfortunately, this time does not seem to have been enough for domestic critical infrastructure companies and the relevant public authorities to start discussing coordinated measures to protect against future attacks of a similar nature and scale, aimed partly at the supply chain and partly at network management and monitoring solutions.
As a first step, all organisations, but in my view especially critical infrastructure organisations and (of course) those involved in public administration, should carry out a supplier risk analysis. The NIST publication Cyber Supply Chain Risk Management provides some pretty good guidance on this. In addition, some argue that there are three areas where action can be taken relatively quickly to reduce the risk of similar attacks with noticeable effect:
- Managing the software supply chain
Most organisations do not have a good understanding of exactly what is being delivered to them by the companies that develop custom software for them or that sell and deploy off-the-shelf software products. Even where a customer does have that capability (perhaps one in 1,000), developers and integrators are generally not interested in making their own processes as transparent as possible to customers. Yet this transparency is necessary to prevent, or at least reduce the impact of, supply chain attacks. On the one hand, the customer should use every means of influence in negotiations to persuade the supplier to meet the transparency requirements it considers important; on the other hand, this kind of transparency can be built on industry best practices and (in my opinion, especially for domestic organisations classified as critical infrastructure) on the requirement of BM Decree 41/2015 for full and transparent documentation of the development process.
- Threat detection based on behavioural analysis
If we consider that attackers are usually not familiar with the systems they attack, we can understand why behavioural analysis can be a good tool for detecting a range of attacks. According to some reports, the first discovery of the SolarWinds incident (the event that triggered the FireEye investigation) was an unusual remote user login from an unknown device and a suspicious IP address.
- Data download prevention and detection
If all other security measures have failed, you need to be able to quickly identify when your organisation's valuable data is about to be leaked, without authorisation, outside your company's systems. Many organisations are doing well in this area from a strictly technical point of view (in the SolarWinds incident, several companies were found to have logs containing indications of data theft); it was the handling of alerts that was poor (they were virtually ignored). This also shows the truth of the old adage in IT security operations circles that vendor miracle solutions alone will not protect organisations from security incidents and events: good solutions need to be accompanied by very good, experienced security analysts and by well-designed, well-rehearsed and regularly tested (and, if necessary, fine-tuned) procedures that are at least as sophisticated as the tools themselves.
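As an added example (not code from the original post), the two behavioural checks described above, a login from a device/address pair never seen for that user and an outbound transfer volume far above a host's baseline, run over constructed sample events; the event fields, the baseline values and the 3x threshold are assumptions:

```python
# Constructed sample telemetry (not real logs): remote-access logins and
# per-host daily outbound transfer volumes, in the order they arrived.
EVENTS = [
    {"type": "login", "user": "alice", "device": "LT-0042", "ip": "10.8.1.20"},
    {"type": "login", "user": "alice", "device": "UNREG-9f3", "ip": "198.51.100.77"},
    {"type": "login", "user": "bob", "device": "LT-0107", "ip": "10.8.1.31"},
    {"type": "egress", "host": "fileserver01", "bytes": 2_100_000_000},
    {"type": "egress", "host": "fileserver01", "bytes": 9_800_000_000},
]

# Baseline learned from a quiet period (constructed): the device/IP pairs
# each user normally logs in from, and typical daily outbound bytes per host.
BASELINE = {
    "devices": {"alice": {("LT-0042", "10.8.1.20")}, "bob": {("LT-0107", "10.8.1.31")}},
    "egress_bytes": {"fileserver01": 2_000_000_000},
}
EGRESS_FACTOR = 3.0  # assumed threshold: alert when a day exceeds 3x baseline


def detect(events, baseline, egress_factor=EGRESS_FACTOR):
    """Return behavioural alerts as tuples: a first-seen device/IP pair for a
    user (raised once per pair), egress from a host with no baseline at all,
    and egress volume above egress_factor times the host's baseline."""
    known = {u: set(pairs) for u, pairs in baseline["devices"].items()}
    already_alerted = set()
    alerts = []
    for ev in events:
        if ev["type"] == "login":
            pair = (ev["device"], ev["ip"])
            if pair not in known.get(ev["user"], set()) and (ev["user"], pair) not in already_alerted:
                alerts.append(("new_device_login", ev["user"], ev["device"], ev["ip"]))
                already_alerted.add((ev["user"], pair))  # de-duplicate; analyst still triages
        elif ev["type"] == "egress":
            typical = baseline["egress_bytes"].get(ev["host"])
            if typical is None:
                alerts.append(("egress_unbaselined_host", ev["host"], ev["bytes"]))
            elif ev["bytes"] > egress_factor * typical:
                ratio = round(ev["bytes"] / typical, 1)
                alerts.append(("egress_spike", ev["host"], ev["bytes"], ratio))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

The block only raises the alerts; as the post stresses, the value lies in a rehearsed procedure that ensures someone actually triages them.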
It remains to be seen whether the SolarWinds incident will be the same milestone in supply-chain attacks as Stuxnet was in ICS cybersecurity, but I personally expect to see more large-scale supply-chain cybersecurity incidents in the near future.
***
The original guest post was published on the ICS cyber security blog.
Translated by DeepL.