When hackers gain control of ICS firmware, they win. That is why securing the software supply chain is everybody’s business.

In today’s global economy the supply chain is an easy concept to grasp.

For example, we understand the components built into a laptop are manufactured all around the world. Not just the obvious ones like metal enclosures and keyboard caps, but all the components.

The threat of tampering with hardware components somewhere along the manufacturing process is not unheard of. But it is not the keyboard caps that hackers care about. It is the firmware that controls devices like webcams, trackpads, hard drives, and network interface cards that cybercriminals seek.

We all know that firmware is a software program that has been ‘etched’ onto the hardware. It is what makes the device function. Unfortunately, ‘etched’ is not as permanent as it used to be.

Firmware is now stored on flash ROMs that can be erased, corrupted by malware, and rewritten. The beauty of firmware hacking is that it is difficult to detect and cumbersome to remove. And it is pretty much god power with invisibility included.

So, successful firmware hackers gain direct access to not just one device, but every device the manufacturer makes, sells and delivers to customers.

And if firmware is hackable, how much more vulnerable are all those fun free apps that make life interesting? More importantly, in the industrial control systems/operational technologies (ICS/OT) world, how carefully managed is the software supply chain of your PLC, your human-machine interface and your SCADA?

Not the hard but the soft supply chain

While the concept of a supply chain in the hardware world is an easy concept, the software supply chain is less obvious.

What we do not often think about is the fact that coders around the world make extensive use of shared libraries and modules. As a result, the concept of a supply chain also applies to software, which in the grand scheme of things is a relatively new idea. New, that is, until NOBELIUM, a Russia-based hacking group best known for the SolarWinds cyberattack of December 2020, made it impossible to ignore.

The group has in fact targeted over 150 organizations worldwide, including government agencies, think tanks, consultants, and non-governmental organizations across at least 25 countries.

And then there was the cyberattack that derailed the Colonial Pipeline for over a week, which brought software supply chain hacks to the forefront.

Gas shortages ensued for weeks as the pipeline shut down all systems to contain the effects of a ransomware attack, and ultimately paid the US$4.4m ransom to regain control of and access to its network and data.

Supply chain security and critical infrastructure

As a result of the ongoing attacks on critical infrastructure in the USA, President Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (‘NSM’) on July 28, 2021. It was light on details, but more information was promised.

On August 25, the US National Institute of Standards and Technology (NIST) announced their leadership in creating a new framework to improve the security and integrity of the technology supply chain.

The focus of the NIST announcement is the technology supply chain as it applies to critical infrastructure. Devices that used to be driven by physical mechanisms, such as pneumatics or electro-mechanical controls, have been transformed into improved, digital, internet-connected, and now hackable devices. Securing the supply chain is of paramount importance.

It is important to note that hackers have also noticed the internet connectedness of factories and critical infrastructure. They have settled into their newfound power as gods of the ICS/OT world and they are unrelenting in their attempts to break into everything ICS/OT, but critical infrastructure is of particular interest. Now they can not only extort money from their unwitting victims; they also have the power to poison communities, stop oil production, blow stuff up, make headline news, and destroy the economic health of entire countries, in addition to the millions of dollars they extort in the process.

Hacking the ICS/OT environment allows hackers the ability to create their own weapons of mass destruction, especially if the victim is one of 16 sectors of critical infrastructure.

Reducing technology supply chain risk

How do we secure the technology supply chain? The sweet spot for reducing risk in the near term is hardware, software and firmware bills of materials that tell you what is inside, so you can check to make sure.

With that, we can see whether the manufacturer gave us exactly what we expected, and then check whether that is what we actually have. Based on what is in there, we can decide where to put it from an architecture perspective, how isolated it has to be, how to manage it, and how to do incident response.

But because of the ongoing threat to the technology supply chain, nobody is excused.

Everybody needs to come together—manufacturers, critical infrastructure, and consumers—all have an active role to play in making our world a safer place.