GridSecCon Panelists Share Cyber Supply Chain Fears

Attackers Growing in Boldness, Sophistication

Clockwise from top left: Brian Barrios, Southern California Edison; Tim Brown, SolarWinds; Andy Serwin, DLA Piper; Allan Liska, Recorded Future; Zach Tudor, Idaho National Laboratory | NERC

Oct 20, 2021

Panelists at NERC's GridSecCon 2021 security conference discussed the rapidly growing threat from sophisticated cyberattackers targeting critical software.

Panelists at NERC’s 2021 GridSecCon on Tuesday warned that adversaries are mounting more and more sophisticated cyberattacks against the U.S. electric grid, a trend that will only continue.

This year’s conference, organized by NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) and hosted by the ERO and the Texas Reliability Entity, was held online, after last year’s event was canceled because of the COVID-19 pandemic.

In the “Year of Supply Chain Lessons” panel, attendees discussed the recent trend of malicious actors inserting themselves into the update channels for major software utilities such as SolarWinds’ Orion network management platform and Kaseya’s Virtual System Administrator remote monitoring and management program. In this way the attackers were able to infiltrate the computer systems of thousands of organizations; in the case of SolarWinds, the victims included FERC and the Department of Energy. (See FERC Pushes Cyber Incentives.)

“The proof is that they worked — the event against Kaseya, the event against us,” said Tim Brown, chief information security officer at SolarWinds. “Basically, the very thoughtful actor says, ‘How can I get into environments without … necessarily touching those environments directly?’”

Targeting the distribution points for major software represents a major leap forward from previous supply chain attacks, which focused on physically inserting spying equipment into hardware components, said Allan Liska, senior security architect at cybersecurity company Recorded Future. Hardware supply chain attacks are relatively labor-intensive and easy to mitigate, as they require the accurate insertion of devices that the victim can remove when detected; but identifying which lines of code are malicious out of millions in a typical software package can be incredibly difficult.

Compounding the risk is the limited number of suppliers of these critical software components: One problem faced by many victims of the SolarWinds hack was the difficulty finding another piece of software with the same functionality, meaning companies had to keep using the tool after it was known to be compromised.

“The reality of our industry [is that] our crown jewels, our [industrial control system] environments, our [operational technology] environments, probably come from one of a very few companies,” said Brian Barrios, vice president of cybersecurity and information technology compliance at Southern California Edison (SCE) (NYSE:EIX). “I know most of the companies that are attending this conference probably have thousands of vendors … but when you think about our crown jewels, it could be a very limited number of companies.”

Government, Industry Must Work in Tandem

Barrios asked the other panelists if a government-supplied software blacklist or whitelist — meaning a list of suppliers that cannot be used, or a list specifying the only suppliers that can be used, respectively — would help to secure their systems. The subject has come up repeatedly at other security conferences, such as FERC’s recent reliability technical conference, typically without enthusiastic response. (See Cybersecurity, Climate Change Lead FERC Conference.) The same was true on Tuesday, with participants suggesting such lists create more problems than they solve.

“We’ve seen several of our well known and respected suppliers be placed on a blacklist, because maybe they had a small engineering presence in a threat actor country,” said Zach Tudor, associate director for national and homeland security at Idaho National Laboratory. “How do people get off the lists? How do we not inadvertently select people, but also second-tier suppliers? There’s a lot of complexity in there. … It may well be that components are whitelisted, [but] without adequate supply chain security, you may not know some of those things.”

Tudor noted that in response to the recent cybersecurity incidents, the partnership between private industry and the government is “really starting to gain momentum,” through forums like the E-ISAC and government organizations as the Cybersecurity and Infrastructure Security Agency (CISA), which has “done a great job … earning that trust over time.”

This collaboration will only grow in importance, suggested Andrew Serwin, U.S. chair and global co-chair of the data protection, privacy and security practice at DLA Piper. As the sophistication of threat actors continues to grow, so too will the understanding that utilities should not be expected to brave a hazardous cyber landscape alone.

“No one would expect SCE to have a physical army that could repel the Chinese army if they invaded Los Angeles,” Serwin said. “But somehow, we expect SCE to be able to do that in cyber[space]. … I’m not sure it’s fair to stick a private company with a liability that’s extremely high when you are dealing with a foreign adversary. … You can have the best program in the world, and they’re probably going to get in no matter what.”

E-ISAC NERC & Committees Texas RE