Last year’s SolarWinds hack draws attention to a major cybersecurity issue.
SolarWinds is a software development company. One of its products, Orion, is a monitoring and management platform designed to simplify IT administration. The product is very popular and is used by the U.S. government and large organizations like Microsoft.
In early 2020, SolarWinds issued two Orion software updates that were corrupted by malware. This was not discovered until cybersecurity firm FireEye realized it had been hacked and that its red team penetration testing tools had been taken. FireEye’s breach investigation traced the hack back to the SolarWinds patches.
Various U.S. government agencies subsequently discovered that they too had suffered breaches, including the Departments of Commerce, the Treasury, Homeland Security, and State, and the National Institutes of Health. Close to 200 organizations also installed the infected update, including Cisco Systems, Intel, Nvidia, Deloitte, VMware, and Belkin, although it is unclear how badly they were affected. Microsoft disclosed that the criminal hackers, thought to be Russian, viewed some of its source code, but were unable to modify the code or get into Microsoft’s products and services.
The Digital Supply Chain
SolarWinds was the subject of a very sophisticated nation-state attack, also known as an advanced persistent threat. Most organizations will not be targeted by such attacks, but the incident does highlight a very important problem: the digital supply chain.
The value of information can only be realized if it is shared. Organizations share data along their digital supply chains, which are every bit as important as physical supply chains, and perhaps more difficult to protect. While larger companies with more resources may have built strong cybersecurity defenses, their smaller and less wealthy vendors may not. The result has been some of the most spectacular hacks in the past few years. In 2013, an attack on Target resulted in data from up to 40 million payment cards being stolen, and cost the company more than $200 million. The attackers initially breached Target’s HVAC provider, taking advantage of security weaknesses to gain a foothold in Target’s network.
Health care company Anthem was hacked through its bill collector in 2015, losing the personal information of 78.8 million people. The company agreed to a $115 million settlement and incurred millions in additional costs. In 2018, hotel chain Marriott was breached through an acquisition, Starwood, after Starwood’s reservation system was compromised, exposing millions of people’s personal data. The breach has cost Marriott millions, including an £18.4 million (about $25 million) fine from the UK’s Information Commissioner’s Office for violating the EU GDPR (General Data Protection Regulation). More GDPR fines are sure to follow.
The Best Defense
But how do you defend against supply chain breaches? The best way is to prepare for them. Annex A of the information security standard ISO 27001 includes a control set for supply chain management. Annex A.15 contains five controls that aim to protect an organization’s valuable assets that are accessible to suppliers and to ensure that both parties maintain the agreed level of information security and service delivery. In addition, ISO 27036 offers guidance on the implementation of information security systems to secure complex ICT supply chains.
Following the ISO frameworks and guidance may not totally insulate your organization from the risks associated with your digital supply chain. However, if you know what those risks are, you can take steps to prepare for an attack and minimize the damage.
Attacks like SolarWinds have wide-ranging consequences. Nothing gets legislators and regulators motivated like a well-publicized attack. In the U.S. and all over the world, governments are trying to solve this problem. Organizations should be ready for a lot more attacks to come.