Supply chain attacks are inevitable. History has shown that at some point in time an adversary will compromise a supplier. In fact, there have been numerous examples of this in the last 12-18 months — a prime example being the SolarWinds incident.
A recent Dragos analysis of MITRE ATT&CK for ICS initial access techniques indicated that at least six Dragos-designated threat groups utilized supply chain attacks to facilitate initial access into their target environment. The specific threat groups using this technique include: ALLANITE, CHRYSENE, DYMALLOY, HEXANE, RASPITE, and XENOTIME.
As examined in the Dragos blog, Software in the Supply Chain: The Newest Insider Threat to ICS Networks, software and supply chain dependencies can pose a real threat to industrial organizations. Specifically, certain software is effectively designed, marketed, and sold to perform functions such as securing networks and keeping track of secured assets. As a result, the software’s privileged position within a customer environment can be exploited by an adversary.
Additionally, while software updates and routine patching are mechanisms adversaries frequently abuse, these are not the only potential entry vectors in a supply chain intrusion. Original equipment manufacturers (OEM), vendors, and third-party contractors could also provide an ingress into ICS/OT environments through compromised or poorly secured direct network connections and remote access software. One of the more notable examples in an ICS context was XENOTIME’s compromise of ICS vendors and manufacturers, which posed a supply chain threat with the potential to facilitate vendor-enabled access to target ICS networks.
However, even in cases when a supply chain compromise is not the adversary’s primary intent or objective, adversaries can still discover valuable customer information through a supplier compromise. This information can include troubleshooting tickets or other technical information, which the adversary can leverage to enable future attacks against customer networks. This can also occur when criminal operations employ data extortion techniques and leak the associated data of a supplier — a technique often leveraged by groups such as the Conti ransomware group.
What Can Be Done? Ask the Relevant Questions.
Typically, a significant amount of time and emphasis is placed on assessing a supplier’s operational viability. However, too often the associated third-party security risks are not adequately understood, potentially introducing substantial (and unknown) risks into the customer’s environment.
In addition to adopting a multi-layered approach to cybersecurity that encompasses both IT and OT environments, Dragos recommends that organizations have risk-orientated discussions with potential and current suppliers.
While the following questions are not a complete list, here are ten questions customers should ask vendors and suppliers as an integral part of their third-party security reviews:
- What degree of third-party access to customer OT environments is mandated post-installation of the software? Also, what is the base level of connectivity required to maintain functionality?
- Is the organization aligned to any of the prevalent security compliance frameworks?
- Is a dedicated internal team responsible for the organization’s security function, or is it outsourced entirely? Importantly, is regular third-party penetration testing performed?
- Where is customer data stored – is all customer and company data stored together with the company’s infrastructure? Or is segmentation involved?
- What security technologies are in place (such as firewalls, vulnerability management, asset visibility, and endpoint security)?
- What software development security practices are being implemented, including the identification of applicable security requirements in early design phases, and testing proper implementation throughout development and deployment activities?
- How are third-party packages within the vendor’s code base tracked, and what procedures and timelines exist for remediating identified third-party vulnerabilities?
- Are security updates and the patching of vulnerabilities (where feasible) applied on a regular basis?
- Are secure upgrade lifecycles supported, or is there a reliance on legacy, unsupported systems?
- Are there personnel security measures in place to mitigate the risk of insider threats?
Proactively asking such questions will provide a strong foundation for your third-party security reviews. This in turn will ultimately arm you with the necessary data to make an informed decision about any third-party risks that could be introduced into your environment, and of course, any associated mitigations that are required moving forward.
Ready to put your insights into action?
Take the next steps and contact our team today.