Part 1 in our Cyber Security for Utilities blog series.
The Kaseya VSA supply chain ransomware attack rocked cyber security peace of mind globally in July. More than 1,500 businesses were impacted by the attack on the enterprise tech firm’s remote device management software. We understand the anxiety among cyber security professionals trying to ensure they are aware of any supply chain compromises.
It’s tough work. The Kaseya incident is not the first such supply chain attack. It’s not even the first in the past year. In the SolarWinds cyberattack, hackers believed to be directed by the Russian intelligence service used a routine update to slip malicious code into software that as many as 18,000 customers downloaded.
While companies are still reeling from Kaseya and SolarWinds this year, unfortunately, this type of attack is not new to energy companies.
One of the earliest in our industry happened in 2014, when software installers on at least three ICS vendor web sites were infected with malware known as the Havex Trojan (ICS-CERT bulletins 14-176-02A & 14-178-01).
The U.S. government is on the alert. In May 2020, a now-revoked executive order called for companies to identify, isolate, monitor, or replace power grid equipment designed, developed, manufactured, or supplied by foreign adversaries. The Biden administration has continued to make securing the bulk power system a priority. On the heels of the Kaseya news, the president called for U.S. intelligence agencies to investigate the attack while the Cybersecurity & Infrastructure Security Agency (CISA) and FBI “strongly urge” those potentially affected to:
Even without regulatory pressures, businesses were already concerned about how vendors protect their partners’ data. To fully leverage digital transformation, a business often provides its vendors with access to its data and network so the vendor can run regression tests, perform installation, provide support, etc. It’s a risk, but critical infrastructure operators can minimize their cyber security risk by working with a trusted vendor.
Utilities actively prepare for outages, whether prompted by asset failure or a severe weather event.
To manage cyber security risks, such as the Kaseya attack, the utility needs to proactively investigate its supply chain with a security risk assessment.
No business is immune. CISA notes, “a supply chain is only as strong as its weakest link.” What can be done? These six strategies can help.
#1 Identify all external software and service vendors connected to the IT infrastructure.
Keep in mind that the more of these you have, the greater your risk of exposure.
#2 Perform due diligence.
Of course, you like to be in business with companies that you can trust. But your trust doesn’t mean that the software vendor or supplier is taking adequate precautions to protect themselves (and you) from hackers. The National Institute of Standards and Technology suggests the following questions to start:
#3 Implement a third-party hardware and software inventory on IT and OT networks.
Be able to quickly assess if any of your assets are impacted following news of a supply chain attack. Then, regularly review that inventory. It is no use to rely blindly on an outdated inventory only to find out when it’s needed that it no longer reflects reality.
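As an added illustration (not GE Digital's tooling), the sketch below checks an inventory against an advisory and also flags records too old to trust, which is the failure mode described above. The inventory fields, the vendor, product and asset names, the advisory format and the 90-day review window are all constructed assumptions.

```python
from datetime import date

# Constructed inventory records; vendor, product and asset names are hypothetical.
INVENTORY = [
    {"asset": "hmi-01", "network": "OT", "vendor": "ExampleVendor",
     "product": "RemoteAgent", "version": "4.2.0", "last_verified": date(2021, 6, 20)},
    {"asset": "eng-ws-07", "network": "IT", "vendor": "ExampleVendor",
     "product": "RemoteAgent", "version": "4.2.1", "last_verified": date(2020, 11, 2)},
    {"asset": "scada-gw-02", "network": "OT", "vendor": "examplevendor",
     "product": "RemoteAgent", "version": "4.10.0", "last_verified": date(2021, 5, 30)},
    {"asset": "hist-01", "network": "OT", "vendor": "OtherVendor",
     "product": "Historian", "version": "7.1", "last_verified": date(2021, 6, 1)},
]

# Constructed advisory: every release before fixed_in is treated as affected.
ADVISORY = {"vendor": "ExampleVendor", "product": "RemoteAgent", "fixed_in": "4.2.1"}

def parse_version(text):
    """Compare versions numerically, so that 4.10.0 sorts after 4.2.1."""
    return tuple(int(part) for part in text.split("."))

def assess(inventory, advisory, today, max_age_days=90):
    """Sort assets running the advisory's product into three buckets."""
    result = {"affected": [], "recheck": [], "clear": []}
    target = (advisory["vendor"].lower(), advisory["product"].lower())
    fixed = parse_version(advisory["fixed_in"])
    for rec in inventory:
        if (rec["vendor"].lower(), rec["product"].lower()) != target:
            continue
        stale = (today - rec["last_verified"]).days > max_age_days
        if parse_version(rec["version"]) < fixed:
            bucket = "affected"   # recorded as vulnerable: act on it now
        elif stale:
            bucket = "recheck"    # recorded as patched, but the record is too old to trust
        else:
            bucket = "clear"
        result[bucket].append(rec["asset"])
    return result

if __name__ == "__main__":
    for bucket, assets in assess(INVENTORY, ADVISORY, date(2021, 7, 6)).items():
        print(f"{bucket}: {', '.join(assets) or '-'}")
```

Assets in the "recheck" bucket need a fresh look at the device itself before they can be counted as unaffected.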
#4 Ensure segmentation, even as it relates to vendor connections.
Network segmentation can limit potential damage by creating multiple, protected segments or subnets. This can be challenging when critical operational processes are interdependent. Nevertheless, taking steps to segment and reduce co-dependencies can enhance cyber security.
#5 Practice good cyber hygiene as it relates to vendor accounts and connections.
This includes limiting access through account use policies, user account control, and privileged account management as well as other strategies such as multi-factor authentication and encryption.
#6 Develop a response plan.
Being prepared for systems impact can help you react more effectively. With advance planning, if or when a component you rely on from a third party is impacted, you can bounce back more quickly too.
With the Kaseya hackers asking $70 million in ransom, this supply chain attack is big news. Or it will be until, regrettably, the next such attack. Industry-wide events like this one remind us of the importance of working with a vendor who will be proactive. They need to be aware of what’s happening, whether they were affected (and, by association, you were impacted), and help you in reacting to the attack if you were.
Our ISO 9001- and 27001-certified Digital Grid business unit answers the supply chain challenge with information security, privacy, and governance controls for the protection of GE confidential and customer information. GE Digital also leverages an extensive, enterprise-wide cyber security intelligence department to remain abreast of the latest threats. In case of the worst, GE Product security bulletins keep customers up to date on potential impacts. We also make supply chain information available in our information security and product compliance corner of the customer portal.
Accessing customer systems securely and remotely and managing customer information and data securely and responsibly are only part of the answer to supply chain attack risk. With GE Digital, customers know they have a partner who provides in-depth security for applications, endpoints, network and business processes. Protect your industrial environment by putting your industrial data to work with GE Digital.
GE has been working in telecom environments for over 25 years and with utilities for more than 70 years. We understand these critical industries, understand where they’re vulnerable, and can identify how they can be secured.