How damaging are SolarWinds cyber-attacks?
Nearly a quarter of US electric utilities recently, and unwittingly, downloaded the backdoored SolarWinds update. Scary stuff. For more insight we connected with Marty Edwards, vice president of OT at Tenable and formerly director of the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) under President Obama. Take a look…
Smart Industry: What was your role with the Obama administration?
Marty: My industrial-cybersecurity experience with the US Government started in 2006 under the Bush administration at the Department of Energy (DOE) Idaho National Laboratory (INL). In 2011, I was hired as a non-political federal civil servant at the Department of Homeland Security (DHS) as the Director of the DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT). When I left DHS in 2017, I was the longest-serving director of the ICS-CERT, which is now part of CISA.
Smart Industry: Summarize the SolarWinds backdoor case. Who was affected? What is the fallout?
Marty: According to reports, nation-state threat actors breached the supply chain of SolarWinds, a popular IT-management software provider, in order to infiltrate government agencies and private companies. In February, the White House confirmed nine federal agencies and roughly 100 companies were compromised in the sophisticated supply chain attack. The fallout has been damaging and swift. But the attack has brought attention to a huge security threat that continues to put private and public sectors at risk.
Smart Industry: What is your take on Biden's 100-day sprint to shore up the US power grid against threats?
Marty: It’s encouraging to see cybersecurity play an important role in President Biden’s policy initiatives. The vast majority of our critical national infrastructure has not seen the level of investment in proactive cybersecurity measures that are required to counter these types of threats.
Smart Industry: What is cause for optimism during this period of greater threats but smarter approaches by industry and utilities?
Marty: We’re continuing to see more organizations approach cybersecurity as a critical business function, rather than an afterthought. Cybersecurity is now a board-level discussion and business leaders are requiring their facilities to do better. While the threats certainly continue to increase, so too does the maturity of many industrial-cybersecurity programs.
Smart Industry: Why is industrial OT particularly threatened by these bad actors? What about the IT side?
Marty: Organizations must understand that securing OT systems also requires securing the IT side of the house. Most industrial environments are no longer air-gapped, which means they’re exposed to the outside world. This creates an expanded attack surface and provides cybercriminals with an opportunity to move laterally from IT to OT, or vice versa. Visibility and control over converged environments are foundational to any security program. Many industrial OT environments are made up of decades-old legacy devices that have not or cannot be patched in ways we take for granted in enterprise environments; therefore we must make these systems more resilient to cyber-attacks.
Smart Industry: Does new connectivity in this digital-transformation era create new vulnerabilities for manufacturers? What about utilities? Domestic infrastructure?
Marty: Now that IT infrastructure, such as servers, routers, PCs and switches, is connected through IIoT to OT infrastructure, the attack surface has expanded. An attacker can now enter from IT and traverse to OT, often wreaking havoc in industrial environments, including expensive and dangerous impacts to critical infrastructure. Once an attacker is inside an OT environment, exploitation is trivial because OT device commands are unauthenticated. Even though industrial controllers are built for rugged environments, they often don’t provide built-in security. The results can be disastrous if an attacker gains control of an industrial controller, from creating dangerous pressure levels in oil or gas lines to power outages or damaged products from a production line.
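The point about unauthenticated OT commands is easiest to see on the wire. The following is an added illustration for this article, not code from the interview or from Tenable: it builds and decodes a Modbus/TCP "Write Single Register" frame, whose header and body contain no credential or session field of any kind, and then runs a simple detection pass over a handful of constructed (src_ip, frame) records, flagging write function codes that originate outside an assumed OT subnet (10.20.0.0/16). The subnet, host addresses, and register values are assumptions chosen for the example.

```python
import ipaddress
import struct

# Modbus application-layer function codes (from the public Modbus spec).
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}

# Assumed for this example: the address range where OT HMIs/engineering
# workstations live. Writes from anywhere else are suspicious.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")


def build_write_single_register(transaction_id, unit_id, address, value):
    """Build a Modbus/TCP frame: 7-byte MBAP header + PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, bytes
    that follow including unit id), unit id (1). PDU = function code (1),
    register address (2), value (2). Note there is no field for a password,
    key, token or signature: any host that can reach TCP/502 can send this.
    """
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame):
    """Decode the MBAP header and function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("not Modbus (protocol id must be 0)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function": frame[7],
        "data": frame[8:],
    }


def flag_unexpected_writes(records):
    """records: iterable of (src_ip, frame). Return alerts for write
    operations whose source is outside the assumed OT subnet."""
    alerts = []
    for src_ip, frame in records:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append({"src": src_ip, "reason": f"malformed: {exc}"})
            continue
        if msg["function"] in WRITE_FUNCTIONS and \
                ipaddress.ip_address(src_ip) not in OT_SUBNET:
            alerts.append({
                "src": src_ip,
                "reason": f"write function 0x{msg['function']:02x} from outside OT subnet",
                "unit_id": msg["unit_id"],
            })
    return alerts


def sample_records():
    """Constructed traffic for the example (not captured data)."""
    hmi_write = build_write_single_register(1, 1, 0x0010, 0x1234)      # legitimate HMI
    it_write = build_write_single_register(2, 1, 0x0010, 0xFFFF)       # pivot from IT
    it_read = struct.pack(">HHHBBHH", 3, 0, 6, 1, READ_HOLDING_REGISTERS, 0, 10)
    return [
        ("10.20.5.7", hmi_write),       # OT HMI writing a setpoint: allowed
        ("192.168.1.50", it_write),     # corporate host writing: flagged
        ("192.168.1.50", it_read),      # corporate host reading: not flagged here
    ]


if __name__ == "__main__":
    for alert in flag_unexpected_writes(sample_records()):
        print(alert)
```

The parser deliberately lists every field the frame carries; that exhaustiveness is the demonstration, since there is nothing in it for a PLC to verify. Consequently the only practical controls are the ones around the protocol: segmenting so that only known OT hosts can reach TCP/502, and monitoring for write function codes from anywhere else, which is what `flag_unexpected_writes` does in miniature.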