Supply Chain Security in the Shadow of Centreon and Solarigate
In light of the recent Solarigate and Centreon cyber-attacks, you may be wondering how to protect your organization from attacks that arrive through trusted software.
This article first outlines the Solarigate and Centreon campaigns, then shows how to reduce your exposure to attacks of this kind.
What is Solarigate?
In December 2020, the cybersecurity firm FireEye revealed that it had been breached. FireEye runs security testing (red team) services whose teams use powerful tools in their work, and the intruders had copied those tools. The backdoor through which FireEye was compromised had been delivered inside a trojanized update of Orion, an IT infrastructure monitoring and management platform sold by SolarWinds, an IT software firm based in Austin, and one of its most successful products.
FireEye's public disclosure prompted a wider investigation that made the scale of the problem clear. The trojanized Orion update had reached thousands of SolarWinds customers' systems, and, worse, the backdoor was present on systems at the State Department, the U.S. Treasury, the Justice and Commerce departments, and even the Department of Homeland Security. Organizations around the world were also affected, including NATO, Microsoft, the U.K. government and the European Parliament. The campaign has since been referred to as 'the SolarWinds event' or 'Solarigate', and the backdoor planted in Orion as 'SUNBURST'.
Who was behind it?
The attack was clearly calculated and extremely patient: it had begun more than a year earlier. That pointed to a nation-state actor, and U.S. intelligence agencies attributed the campaign to Russia, which has denied any responsibility. Cybersecurity experts have warned that identifying every compromised system and evicting the intruders could take months.
Separately, Russian military hackers known as Sandworm, who have been responsible for a number of past attacks and are not known for discretion, have been linked by the French security agency ANSSI to another intrusion campaign. Attackers using tools and techniques that ANSSI associates with Sandworm had been quietly compromising targets through an IT monitoring tool called Centreon, apparently for up to three years.
On 15 February 2021, ANSSI reported that the victims were mostly IT firms and web-hosting companies, and that it had observed overlaps between the command-and-control servers used in the Centreon intrusions and those used in earlier Sandworm operations.
Centreon, however, stated that none of its customers were affected by the campaign. The victims were running an open-source version of Centreon's software that the company had not supported for more than five years, and their installations had been deployed insecurely, accepting connections from outside the organization's network. Centreon urged all its customers to update their software and to contact Centreon or one of its certified partners.
Supply Chain Cybersecurity
Many cyber-attacks now begin in the supply chain itself, which means cybersecurity can no longer be treated as an IT-only problem. Cyber supply chain risk touches the sourcing process, vendor management, supply chain continuity and quality, the security of transportation, and more. Protecting an enterprise therefore requires a simultaneous, coordinated and cooperative effort.
Knowing where cyber supply chain risks come from keeps you a step ahead of attackers. Typical sources include:
· Lower-tier suppliers with poor information security practices
· Third-party service providers or vendors (e.g. software engineering contractors) with physical or virtual access to information systems, IP or source code
· Hardware or software purchased from suppliers that may itself be compromised
· Software vulnerabilities in supplier systems or in supply chain management software
· Third-party storage providers and data aggregators
· Counterfeit hardware, or hardware with malware embedded in it
Particular care should be taken with third-party vendors and suppliers, since they pose operational, reputational, compliance, financial and strategic risks. If you deal with a third party in any way, a third-party risk assessment is a sound way to weigh the risks they bring and to identify their vulnerabilities and areas for improvement.
With this in mind, cyber supply chain security should be built on a few important principles:
1. Defenses should assume that a breach will happen. This forces you to plan the actions that limit an attacker's ability to use and abuse information they manage to reach, and, beyond that, how you will recover from the attack.
2. Cybersecurity is not only a technology problem but a people, knowledge and process problem. Breaches are often the result of human error rather than a failure of technology, and IT security systems cannot protect sensitive information and property unless employees across the supply chain follow sound security practices.
3. Cybersecurity should be treated like physical security. Attackers look for weak points whatever the type of target, so digital assets deserve the same care that real-world security receives.
How to protect yourself from cyber-attacks
Practices that help manage cyber supply chain risk include:
· Including security requirements in every RFP and contract
· Ensuring that a security team works with vendors accepted into the formal supply chain to address vulnerabilities and security gaps
· Avoiding, or dealing very carefully with, vendors who sell counterfeit products or products that do not meet specifications
· Closely controlling, monitoring and examining component purchases
· Establishing a secure software development lifecycle program and training every engineer involved in that lifecycle
· Obtaining the source code for all purchased software
· Having software and hardware work together for security (e.g. secure boot, which authenticates code before it is allowed to run)
· Automating testing and manufacturing regimes to reduce the risk of human intervention
· Using track-and-trace programs that establish the origin of all systems, their components and parts
· Ensuring that programs capture "as built" component identity data for each assembly and automatically link that identity data to sourcing information
· Partnering those responsible for supply chain cybersecurity with every team that touches the product during its development lifecycle, so that cybersecurity is part of everything
· Providing legacy support for end-of-life products and platforms, and assuring a continuous supply of authorized IP and parts
· Imposing tight controls on service vendors' access. Access to software should be limited to very few vendors; hardware vendors should be limited to mechanical systems with no access to control systems, and vendors should always be authorized and escorted.
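The two items above on track-and-trace and "as built" component identity describe a concrete control: record the cryptographic identity of every component as it is installed, keep that record as a baseline tied to where the component came from, and flag any drift from it. The Python script below is an added example written for this article; it is not code from the original page, from SolarWinds or from Centreon. The directory layout, file names and the "vendor-release-2020.2" sourcing label are constructed for the demonstration.

```python
"""Added example (not from the original article or from any vendor): capture an
"as built" inventory of an installed software tree, attach a sourcing record to
every component, and flag drift against the pinned baseline.

The directory layout, file contents and the release label are constructed for
the demonstration; the paths are hypothetical."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_inventory(root: Path, source: str) -> dict:
    """Record every regular file under root as {relative path: identity + sourcing}.

    'source' is the sourcing record (vendor, release, purchase order...) that
    every component in this snapshot is attributed to; here a constructed label."""
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            inventory[rel] = {
                "sha256": sha256_file(path),
                "size": path.stat().st_size,
                "source": source,
            }
    return inventory


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Classify components as added (no sourcing record in the baseline),
    removed, or changed (same path, different hash)."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(k for k in base_keys & cur_keys
                          if baseline[k]["sha256"] != current[k]["sha256"]),
    }


def attest_install(root: Path, baseline: dict) -> dict:
    """Re-inventory the tree and compare it with the baseline; any drift fails."""
    current = build_inventory(root, source="unverified")
    result = diff_inventory(baseline, current)
    result["ok"] = not (result["added"] or result["removed"] or result["changed"])
    return result


def demo() -> dict:
    """Constructed scenario: approve a vendor release, then a library is swapped
    and an unexpected file appears in the install tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "monitor.exe").write_bytes(b"vendor build 2020.2")
        (root / "bin" / "plugin.dll").write_bytes(b"original library")
        # Baseline taken at approval time; the label is a constructed sourcing record.
        baseline = build_inventory(root, source="vendor-release-2020.2")

        # Drift: one component is replaced and a file with no sourcing record shows up.
        (root / "bin" / "plugin.dll").write_bytes(b"library with extra code")
        (root / "bin" / "helper.dll").write_bytes(b"unknown component")
        return attest_install(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Running the script reports `bin/plugin.dll` as changed and `bin/helper.dll` as added, so the attestation fails. One caveat belongs next to this control: it catches components that change after the baseline was recorded, or that appear with no sourcing record, but it cannot catch a component that was already malicious in the build the vendor shipped, which is what happened with the trojanized Orion update. The baseline therefore needs to be checked against identity data the vendor publishes through a separate channel, and complemented by monitoring of what the installed software actually does.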
Cybersecurity must be an extensive, vigilant and ongoing effort. It is not, and cannot be treated as, a one-time task.