Large-scale replacement of computer systems “may be the only option” for some users of SolarWinds, FERC’s Joseph McClelland told NARUC attendees.
Large-scale replacement of computer systems “may be the only option” for some users of the compromised SolarWinds Orion network management software to ensure there are “no footholds left for an adversary to drill into the network,” according to Joseph McClelland, director of FERC’s Office of Energy Infrastructure Security.
“I’d say that absolutely is a possibility. We really don’t know the full extent,” McClelland said in a panel at the National Association of Regulatory Utility Commissioners’ Winter Policy Summit last week. “The number is growing, [and] we really don’t know how many other systems our adversary was able to burrow into.”
Orion’s Massive Reach Aided Hack
About 18,000 public- and private-sector organizations are confirmed to have been impacted by the SolarWinds compromise, according to a joint statement issued last month by the FBI, the National Security Agency, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Security (ODNI). The Department of Energy and FERC were among the entities affected. (See FERC Pushes Cybersecurity Incentives.)
However, as McClelland implied, those numbers may not reflect the full extent of exposure. While the breach was first reported by U.S. cybersecurity firm FireEye in December 2020, the attackers — “likely Russian in origin,” according to the agencies’ statement — are known to have inserted a backdoor into updates for the Orion platform published as early as March 2020, if not before. As a result the hackers had an open window into victims’ information technology networks for nearly nine months before any effort was made to stop them.
Compounding the issue is the market dominance of Orion, which is used by “almost everyone” with a large corporate network and “has to know everything about the network to work,” according to McClelland. The insertion of the breach into official updates for the software allowed it to disseminate quickly among SolarWinds’ huge global customer network.
Finally, although SolarWinds has developed a patch for the software that removes the malicious code, the hackers’ long period of unobstructed access allowed them an intimate look at both the application itself and its update process. As a result, simply applying the patch is only the first step in safeguarding the system, and the extent of required actions may not be known for some time.
“It is likely that the adversary is in a strong position to identify any potential (and as yet unknown) vulnerabilities in the SolarWinds Orion code that are unrelated to the inserted malicious code and may therefore survive its removal,” CISA warned in its emergency directive on the breach.
Federal Breach Response Draws Praise
The extent of the breach highlights the importance of cooperation between private industry and government cybersecurity experts, McClelland said — echoing assessments from other observers since the discovery of the hack. (See Panel: Industry Dialogue Key to Cyber Resilience.)
In particular, he emphasized the quick response of CISA and other federal agencies in setting up its alert for the breach within four days of the FireEye report, noting that “DHS did outstanding work on this.” The alert allows the agency to provide detailed information on every aspect of the attack, including methods for detecting compromised code; newly discovered attack vectors, including Microsoft 365 and Azure applications; and possible mitigation measures, from software patches to complete rebuilds of affected networks.
McClelland also praised the quick work of the National Security Council in setting up a unified coordination group (UCG) by Dec. 15, two days after the breach was discovered. The UCG is composed of the FBI, CISA and ODNI with participation by the NSA, and is tasked with coordinating all relevant federal agencies to investigate and remediate the attack.
“If it’s something as big as SolarWinds, we’re all involved. We’re all meeting at least weekly, and we’re meeting at the highest levels to exchange classified information and to understand exactly where we are and how to better deploy it,” McClelland said.
This massive joint effort is aided by the supportive relationship between both management and ground-level staff at the various groups working to secure critical computer networks.
“I’ve known Bob for years; I consider him a friend and colleague,” McClelland said, referring to Robert Kolasky, assistant director at CISA’s National Risk Management Center, who also took part in the panel. “I can pick up the phone and call him any time; he calls me at any time; [and] our subject matter experts work together. … I’d say the same thing about the states too — [we have a] great relationship with the states, with [NARUC]. And I feel like I can pick up the phone at any time and call any of the members.”
