Direct and supply chain compromises need continued collective vigilance on the part of electricity sector players, the SolarWinds attack has highlighted.
In a new joint white paper prepared in the wake of the December 2020 attack, the Federal Energy Regulatory Commission (FERC) staff and the North American Electric Reliability Corporation (NERC) recommend wide-ranging actions in response to this and what is ultimately the ongoing challenge of cybersecurity.
SolarWinds is a Texas-based provider of IT management software widely used in the public and private sectors, particularly in the US. The attack was reported on a deployment of the SolarWinds Orion network management tool.
The attacker, believed to be a Russian threat actor, was then able to gain access to the SolarWinds production environment, as well as the victim’s Microsoft 365 and Azure cloud environments.
While the full extent of the compromise is not known (or has not been publicised), the concern is heightened in that because of SolarWinds’ wide use and the adversarial tactics used, even entities that did not install SolarWinds on their networks could still be impacted.
In addition, although SolarWinds may not have been used by entities, their key suppliers may use the product. Should the suppliers be compromised, they in turn could compromise their customers, including those without SolarWinds. In fact, there is evidence technology firms were targeted for this reason, according to the white paper.
In response SolarWinds issued a new version of its software but there is concern that even this may carry some risk with the possibility of identification of vulnerabilities by the attacker. Thus electricity industry stakeholders are recommended to “fully consider the available diagnostics and mitigation measures”, in addition to the recommendations of the cybersecurity agency alerts.
In addition to the SolarWinds specific recommendations, some of these more generally include revalidating the implementation of least privilege principle for host and network permissions and considering a systemic risk-based approach for protecting the most critical of the critical assets.
Implementation of the National Institute of Standards and Technology Cybersecurity Framework and baseline critical access and administrative privileges also is recommended.
Utilities should consider participating in a ‘cyber mutual assistance programme’ with peer utilities, to ensure a collective response during a cyber event, and exercising cyber and physical security response plans with third-party vendors, partners and government. Cyber plans also should be updated to include lessons learned from these supply chain attacks.
As geopolitical competitors increasingly demonstrate intent to leverage cyber capabilities, including civilian critical infrastructure, to advance their interests, so too must vigilance against direct and indirect attacks against the electricity industry, the white paper advises.
At the time of writing, a recent ransomware attack on IT provider Kaseya’s VSA platform is being closely monitored for impact on service providers and their customers.
“The December 2020 supply chain compromise using SolarWinds and adjacent technologies like Microsoft 365 and Azure cloud environments provide an important reminder to industry on the need for persistent and proactive collective defence,” stated the whitepaper.