Published by The Lawfare Institute
in Cooperation With
Much of the initial discourse around the SolarWinds cyberattack focused on its impact on the affected information technology (IT) systems. However, this overlooks an equally destructive yet unexamined operational technology (OT) portion of the attack, and much of the OT impact may not be seen for months or longer.
As Microsoft’s CEO pointed out, what’s been seen so far is only the “first phase” of the attack that targeted IT systems in the government and companies large and small. While disconnecting the SolarWinds Orion system from one’s IT system may mitigate some of the damage, it neglects the possibility that potentially destructive malware could easily have been planted on OT systems as well. And the impact of OT breaches can be more significant than mere IT penetration; OT consists of systems that affect the physical world.
SolarWinds Orion is a popular network management system with a base of up to 18,000 customers and an indefinite number of sites. Users include not only governments and end users but also equipment suppliers, which could significantly expand the scope of the attack. This large base of users, many of whom have mission-critical sites, made it an ideal target for a cyberattack by Russian operatives.
SolarWinds is used to manage complex enterprise networks using the Simple Network Management Protocol (SNMP). SNMP has been adopted by virtually all vendors of IT servers, IT networks and OT Ethernet switches. SNMP is also embedded into OT systems such as uninterruptible power supplies (UPSs), power distribution units, switchgear, computer room air handler units and other control system devices. The actors could then utilize these compromised control system devices to create real-world harm, as demonstrated infamously by the Idaho National Laboratory in 2007.
As a nation-state attack, time and money were no object; the targets were the issue. Consequently, the Russian government strategically chose a critical supply chain partner to thousands of companies. The Russian government, by leveraging its nation-state capabilities, was able to compromise the software update process of SolarWinds, which was previously thought to be very difficult to penetrate. SolarWinds’s cyber protections included two-factor authentication, digital key certificates and signed firmware upgrades. The compromise of these “unbreakable” systems enabled this Russian group to have undetected, unfettered access to key IT and OT devices throughout mission-critical networks. By attacking the SolarWinds platform, the Russians were able to get a “two-fer,” that is, persistent access and data exfiltration from the IT networks and access to control system devices and control system OT networks.
Researchers have long warned about the dangers posed by OT attacks. In 2012, a Georgia Institute of Technology study showed the type of damage that someone could create by either taking over or spoofing a network management system like SolarWinds. The results of SNMP system attacks include a wide range of IT and OT damage scenarios. The chart below illustrates some of the OT devices that, if breached, could cause real-world harm:
Russian hackers have become extremely adept at control system cyberattacks and have been caught a number of times:
- In 2014, a Russian hacking group known as the Sandworm Team delivered the BlackEnergy2 malware as part of its espionage work on various industrial control system networks. Russian hackers subsequently modified this malware, some of which is still found in the U.S. electric grid, to create BlackEnergy3, which was used in the 2015 Ukrainian power grid attacks.
- In 2015, Russian hackers used SNMP communications in their cyberattack of a major Ukrainian power grid control center. The hackers successfully planted code in the UPS that enabled them to shut down the control center at precisely the moment when they also started a denial of service (DoS) attack on the telecommunications switch (as outlined by the Georgia Tech paper). The attackers then cut power by opening the breakers that delivered power to the Ukrainian power grid. The result was a power outage during the winter that left hundreds of thousands stranded without power.
- In 2017, Russian hackers allegedly deployed the Triton malware as part of their attack and disruption of a petrochemical plant in Saudi Arabia. The malware targeted the plant’s safety control systems in order to disable the mechanisms that prevented the system from becoming fully unstable and explosive. Fortunately, two emergency shutdown systems overcame the intrusion and took part of the complex offline before it exploded.
The SolarWinds attack and others that are similar to it make it clear that a gap exists in understanding the risks that compromised SNMP devices can create, something explored in greater depth in this blog.
Government and industry standards already mandate security safeguards for IT as well as OT systems. Now is the time to revisit these standards to ensure the appropriate security measures are being employed for all IT and OT systems.
OT devices have largely been overlooked or simply ignored when it comes to network security, but a closer examination of SNMP reveals this approach is unsustainable. Few observers realize that the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the EU’s General Data Protection Regulation, and almost every major security standard imposes three common requirements for security compliance: confidentiality, integrity and availability.
Confidentiality refers to encryption at a grade that is unlikely to be broken with present hacking tools. SNMP immediately fails this test, as its security key can easily be compromised. Yet it remains the standard for all IT and OT system management.
Integrity relates to the assurance that messages received from the management console or a device are reliable and correct. The aforementioned Georgia Tech study demonstrated that SNMP messages can be changed and their origin spoofed in order to fool a user into believing the messages are accurate and authenticated.
Lastly, availability relates to the continued uptime of a critical system. This essential prong for all cybersecurity standards, especially OT, cannot be overlooked. Russia’s successful use of malware targeting Ukraine’s UPS again proved that OT system availability is all too easy to interrupt. Not only were the attackers able to shut down the power system, but they had a fail-safe if an attempt was made to circumvent power around the affected grids.
The SolarWinds attack demonstrates that relying on 20th century tools using protocols such as SNMP makes actors in both the public and private sectors vulnerable to 21st century attacks. No protocol is going to instantly appear to supplant SNMP. As a result, it is incumbent on every owner of IT and OT systems to employ several layers of security within SNMP systems to provide additional protection. In the meantime, government and industry must work together to develop a next-generation IT and OT management protocol that provides confidentiality, integrity and availability (and safety for control system devices) to meet modern security challenges. Finally, the SolarWinds attack demonstrates that cyberattacks against IT infrastructure, whether intentionally targeting control systems or not, can also affect those control systems.