Supply Chain Threats to the US Energy Sector

Editor's Notes

• #2: At Kaspersky Lab, in the Technical Alliances group, we often develop cyber security material to suit the special needs of our partners. This presentation was created by request from OPSWAT – a US-based organization which provides scanning and security products for the Energy industry. They requested a presentation which would cover challenges for cyber-securing the supply chain, including compliance regulations and guidance (which currently exists for Nuclear and Electric).
• #3: Today we will take a look at how cybercriminals go about mapping supply chains and we’ll talk about the challenges inherent in securing any supply chain. Then we’ll discuss what resources are available in terms of guidance and the laws which currently exist in this area. Finally we’ll cover the ideal cybersecurity posture for an organization and the most important elements to consider when putting a plan in place to improve cybersecurity in this critical area.
• #4: This is an example of a supply chain for a secure energy facility. A determined attacker will develop just this type of map in order to select the easiest entry point. We can see that it’s not just our direct suppliers we need to be concerned with, but the suppliers to those suppliers (example: a company providing hardware components for products we purchase from a trusted reseller). Also, we should be concerned with providers of even basic services like facilities management if they have access to the building and/or they are granted network access (perhaps to submit invoices). These organizations may not even know they have been compromised or that the devices they have connected to your network are infected. A common tactic would be to launching a phishing attack against links in the chain which have much lower security standards than the secure energy facility. Threats can also come from within the supply chain itself when a malicious insider gets involved. When considering the breadth of your supply chain, don’t neglect connections with customers. One reason I like the nomenclature of “External Dependencies Management” (EDM, a phrase coined by DHS and Dept of Energy in their ES-C2– M2 document we will discuss later) is that it describes this entire picture, including post-supply connections such as those to customers. These links can also be compromised when they are bidirectional.
• #5: Cybercriminals will conduct reconnaissance on key targets to determine who we are connected to and who is connected to us. This will establish a set of potential entry points which are easier to hack than attempting to enter through a highly secure network. When we advertise jobs the company is trying to fill, the more specific we are with regard to requirements, the clearer it becomes as to what hardware, software or systems the company runs on. This provides explicit targets for cybercriminals. The same information often shows up in employee or ex-employee profiles, company blogs, and RFQs. Sometimes suppliers publicize the nature of their relationship with a secure facility, making themselves (or their suppliers) targets as well. In the case where a cybercriminal “gets lucky” and only realizes after hacking a supplier that there is a connection from that organization to a secure facility, they have the option of selling that access on an underground market where everything has a price and can be put up for bid. A more specialized cybercriminal will then take over where the opportunistic one left off.
• #6: It always helps to raise awareness within the company of the fact cybercriminals are seeking information to assist them in developing more successful attack plans. Where it’s possible for HR or employees to use more generic terms to describe the systems they work with, that would be better for the company (it can help to provide employees with suggestions). Assigning someone the task of receiving google alerts when your company name is mentioned or subscribing to a service which crawls websites looking for company branding can alert you to instances where suppliers are tempted to use your name. Getting stakeholders like the executive team on board is also critical – it makes them less likely to discuss specifics of internal systems in their public conversations (press quotes, panel discussions, etc.). One teaching tool which has proven effective is to develop a reconnaissance profile entirely from external sources to demonstrate the ease with which it can be done. Most organizations cannot legally restrict what employees post about their jobs (the government being a notable exception), but helping employees understand which of their behaviors entail risks to the company still may make them think twice before they post.
• #7: This image is courtesy of the NIST Special Publication 800-161. It is a useful reminder that although many organizations are waking up to the implications of an insecure supply chain, many of those suppliers have their suppliers who have their suppliers. At some point a supplier’s supplier’s supplier may very well be a single individual working out of a home office using a non-secured wi-fi router. What this means is that a very industrious cybercriminal may well succeed in developing a map which leads them to the ultimate prize: compromising the secure facility. Unfortunately we live in an incredibly connected world now, so even when suppliers along the way are relatively diligent, all it takes is one infected device which gains access the right network and a criminal potentially has access. All of this also brings up the challenge of leverage: how much power do we have to get suppliers to comply to our security requests or demands? This is a question which operates at every other level in the chain as well. Even if our suppliers follow good standards, do they have the ability to demand that their suppliers will do the same? The closer we look, the more complex the supply chain threat gets.
• #8: We covered specific attacks in some detail in the previous Kaspersky-OPSWAT webinar, Top Five Cyber Security Challenges for the Energy Industry in 2015. Here we are just touching on the tactics which are increasingly used to gain entry through the supply chain. HAVEX was malware which was successfully injected into software updates which were commonly used by Industrial Control Systems. The infection point was the software company delivering the updates and they did not know they had been infected until alerted by anti-cybercrime companies. IceFog originally targeted Western companies but the entry points were Asian manufacturing suppliers. The next version of IceFog directly targeted US Oil and Gas in the US using a Java exploit (in fact Kaspersky notified at least three such oil and gas companies in the US directly that they were infected). So-called “watering hole attacks” are a type of supply chain focused attack where adversaries establish websites or information sources which many of their targets use, and then attempt to “poison” that “watering hole” by infecting it with malware. In such a fashion, everyone visiting the site has a chance of becoming infected. (The chance of infection is of course increased if the criminals already know exactly what vulnerable software is being used by visitors.)
• #9: Once we have decided to somehow foist stronger security practices upon our suppliers, we need to consider how likely it is that they can or will comply. Will they even accurately disclose their current practices? Will they disclose vulnerabilities across the board or only practices relating to the product we source from them? Would they submit to annual audits or any other form of checking? Most of these questions go to the matter of leverage – how much influence we can exert over a given supplier. If a supplier is small and we are their largest customer, we will have influence. But then the question is whether they have the resources to run a more secure facility. If they do, will prices increase? With larger organizations you may have less leverage but more confidence: a global supplier, for example, may already complies to relatively clear security standards. There’s no magic answer here: as with all of cybersecurity it’s only a matter of the best choice among all the tradeoffs which must be made: larger companies are more interesting targets for cybercriminals so they are attacked more vigorously and more often. Smaller companies are targeted less but also have fewer protections. We have more leverage with small companies but larger companies are more able to comply.
• #10: When communicating about cybercrime it’s presumptuous to assume we share the same vocabulary. In fact, a paper by Nadya Bartol of the Utilities Telecomm Council in 2014 tells us that the term “cybersecurity” only came into common usage in about 2009. She also took inventory of all the then-existing terms for “supply chain”. There were at least six which were (and still are) widely used. One of the reasons completely different vocabulary evolved is that vertical industry sectors have gone about solving cybersecurity differently and independently for years. What makes this so significant? For two reasons: first, it’s hard to do the research to determine what security guidelines best fit your organization if only looking for “supply chain” so try the other terms as well. Second, we need to be aware of the fact that each supplier we talk to may be part of a different sector which uses different terminology to explain, track and solve supply chain problems. We should endeavor to be understood: to ensure that we share terms and have a common vocabulary with regard to compliance.
• #11: So don’t forget to ask your supply chain partners what their preferred terminology is. Also, when seeking out internet resources - there are many excellent public repositories with helpful guidance like NIST – but it’s useful to know the terms they favor. Personally I love the term “EDM”, coined by the US government (Department of Energy and the Department of Homeland Security in their co-published document) because it includes every potential vulnerability including bi-directional relationships like those with customers. Any external relationship which can be used as a lever to penetrate the organization should be considered when attempting to “harden” the supply chain against threats. Whatever term you favor, the bi-directional nature of many supply relationships should be considered when assessing risk: they may be providing you with a product or service, but you may be granting them access to your systems, information about your activities, and other data which could be stolen and abused.
• #12: So again, securing the supply chain involves communicating across suppliers and across sectors. But even within sectors there can be variation regarding the common risk and cybersecurity nomenclature which will be used. For example, if you expect to be notified when suppliers experience “security incidents” which might affect the product you receive from them, you must define “incident” (by level of severity, type of incident, affected data or services, etc.) before determining reporting requirements (which may vary depending on the type or severity of the incident). It also helps to be clear when communicating your objective: perhaps you believe a supplier can help you by reporting an attack. For example, if there is an incident where Supplier A is attacked and you have reason to believe you are the ultimate target, you might wish to warn others in your supply chain. But in order to know about the attack, you’ll have to get suppliers to agree to share information which may expose them to liability. Such trust takes time to develop, and usually involves a mutual sharing of threat data and breach experience. With regard to these and other security needs, the key is to be sure that the entities on both sides – the one requesting compliance and the one acquiescing – are applying terminology the same way. Ideally there will be public domain documents which can be referred to as the source of agreed-upon definitions.
• #13: The US government is very concerned about the security of Critical Infrastructure, otherwise known as CI. Although there are 16 CI sectors, only a handful are currently subject to regulation. Within the Energy sector, only electric utilities and nuclear are currently regulated (as of July 2015). Regulations carry penalties with them of course; “guidance” is offered in the hopes organizations will see the value and comply voluntarily. However, what is considered guidance today often turns into policy tomorrow and then regulation after that. The US Nuclear Regulatory Committee pushes regulation and guidance through their policy organization, Nuclear Energy Institute (NEI). The Federal Energy Regulatory Commission (FERC) uses NERC (the North American Electric Reliability Corporation). We will discuss NEI rules in a moment. FERC rules became effective in 2014 with mandatory compliance of some regulations by 2016 and others by 2017.
• #14: This slide is self-explanatory except to say that it’s often worthwhile to check the exact wording which is considered the source statute for a regulation to see if it truly is specific enough to be enforceable.
• #15: This document is a useful tool in terms of helping the Electricity sector implement the NIST Cybersecurity Framework. This document uses the term EDM (External Dependencies Management) which stresses the importance of looking at the potential risk of all inbound and outbound relationships, regardless of whether we consider them to be “suppliers” or not.
• #16: The ES-C2M2 provides excellent guidance. Here is an example of the EDM component, which provides the basic steps of starting supply chain security management. It begins with listing suppliers and then ranking them in terms of priority and then again in terms of known vulnerabilities. Risk is not just related to how easily suppliers can be penetrated and infected but also what risk it represents if their product stops flowing due to a security breach. It’s also critical to identify any entities to whom products or services are delivered.
• #17: In order to accomplish true compliance – with full accountability – we must move beyond “good will” and “best faith efforts”, although good intentions are a good place to start. Ideally, the security responsibility of suppliers is specified by contract, to include at least this basic information. Not to forget it’s important to have clarity around what types of incidents must be shared and also to define whether that data (or an anonymized version of it) can then be shared with others (perhaps in the same supply chain) to help them guard against the same threats.
• #18: There are too many different security standards to count. This is one of the great challenges of the cybersecurity field: it has evolved extremely quickly (as fields of study go) so there are many different tools, rules, standards people use. Since security always involves a set of tradeoffs – usability versus security, efficiency versus security, etc. – there maybe be competing products which fit different industries better. Some of the appropriate questions to ask about products received by your organization (to query suppliers with) include: what security protocols were followed in the development process and what opportunities exist for any type of malware injection. Two industry wide issues called out in the ES-C2M2 are also the fact that first, most RFPs still don’t specify what type of security should be included or integrated into products or during product development, nor do they define ideal security QA practices. Second, in Energy, branch offices are often given too much leeway in terms of procurement – often engaging with smaller suppliers who are more likely to be vulnerable. In such a case, the branch itself becomes a target as a way to get into the main office. We have seen cybercriminals target smaller companies after being acquired because they know security is likely to be more lax in the smaller one, and once they get in they can move upstream to the larger corporation.
• #19: “CDAs” in NEI terminology are “critical digital assets”. In fact, the terminology used previously was “critical cyber assets” – a cool term, but they realized that they are just as concerned with data when it is at rest. These words are taken directly from NEI ‘s 9-09 document published in April of 2010. You can see that there is a lack of specificity in these rules. This highlights one of the biggest problems in cybersecurity: the more specifically a problem is solved or mandated to be solved – with technology or products – the more likely it will lag behind newer, better solutions. Also, any industry who dictates the use of specific technology is begging to be hacked. When a hacker knows that, say, all 2000 highly-valued sector organizations are using a certain hardware/software configuration, they already know what their ROI will be if they can find the vulnerabilities within that configuration.
• #20: This is a new concept: the idea of demanding that suppliers comply to a similar level of security as the receivers of their products do. It’s a great idea but challenging in practice. Once again the vagueness with regard to specifics means NEI is expecting attempts to be made in this area, and for processes to be put into place. They expect these conversations to occur and be on-going with suppliers, but they are not mandating a specific format. At least not yet. By the way, I’d like to acknowledge Barbara Weber for her help – she is a consultant to North American nuclear companies – she is extremely knowledgeable on the topic and provided me with information on this and the next slide.
• #21: This slide is self-explanatory – these are NEI expectations in more detail, courtesy of Barb. Of course if every level of the supply chain were to comply we would finally have in-depth, end-to-end supply chain security.
• #22: These are the basic steps required to secure a supply chain.
• #23: Because the improvement of cybersecurity is a never-ending process but we have limited resources, we have to make choices about how far to take it. For many categories of products there are mature processes which govern security measures. Obviously there need to be limits on these so that they don’t incur unreasonable cost. It’s worth asking though whether it makes better sense from a risk perspective to select a supplier who is already security-compliant than to coax existing suppliers into better practices. Also, if strong cybersecurity is your goal, you should be ahead of compliance requirements since regulations always lag behind what is known to be good security practice.
• #24: Very often executive stakeholders will say to the IT team after an industry breach becomes known, “make sure this doesn’t happen to us!”. But such a request is practically meaningless without understanding how much budget will be allocated to ensure that result. Perfect security is not impossible – it’s as easy as building a castle with a moat and letting no one in or out - it’s just unworkable for a thriving, competitive organization. Where executives or company stakeholders agree on priorities, it’s useful to understand what they really want: something which is quick to implementation? The best solution? Or minimum compliance? Whatever the answer, the same level of diligence should be applied to suppliers. A cursory survey of supply chain threats which face your organization may help management prioritize cybersecurity risk assessments for them. What we know for certain is that money is unlikely to be applied to threats people are unaware of.
• #25: Self-explanatory.
• #26: In this graphic, the size of the bubbles are the number of first place finishes among independent organizations who tested anti-malware in 2014. You can see that the Kaspersky bubble is the biggest. We’re quite proud of this result, because if you understand the tests, one will be looking at thoroughness – which sometimes mean a heavy product which slows a system down – and another will look at speed, which often means a smaller footprint. Kaspersky did the best job of balancing all requirements to beat out every other anti-malware company in the world.