PERSPECTIVE: SolarWindsThe SolarWinds Hack Can Directly Affect Control Systems

Much of the initial discussion around the SolarWinds cyberattack focused on its impact on the affected information technology (IT) systems. Joe Weiss and Bob Hunter write in Lawfare that this overlooks an equally destructive yet unexamined operational technology (OT) portion of the attack, and much of the OT impact may not be seen for months or longer. 

They write:

As Microsoft’s CEO pointed out, what’s been seen so far is only the “first phase” of the attack that targeted IT systems in the government and companies large and small. While disconnecting the SolarWinds Orion system from one’s IT system may mitigate some of the damage, it neglects the possibility that potentially destructive malware could easily have been planted on OT systems as well. And the impact of OT breaches can be more significant than mere IT penetration; OT consists of systems that affect the physical world. 

SolarWinds Orion is a popular network management system with a base of up to 18,000 customers and an indefinite number of sites.Users include not only governments and end users but also equipment suppliers, which could significantly expand the scope of the attack.This large base of users, many of whom have mission-critical sites, made it an ideal target for a cyberattack by Russian operatives. 

SolarWinds is used to manage complex enterprise networks using the Simple Network Management Protocol (SNMP). SNMP has been adopted by virtually all vendors of IT servers, IT networks and OT Ethernet switches. SNMP is also embedded into OT systems such as uninterruptible power supplies (UPSs), power distribution units, switchgear, computer room air handler units and other control system devices. The actors could then utilize these compromised control system devices to create real-world harm, as demonstrated infamously by the Idaho National Laboratory in 2007. 

As a nation-state attack, time and money were no object; the targets were the issue. Consequently, the Russian government strategically chose a critical supply chain partner to thousands of companies. The Russian government, by leveraging its nation-state capabilities, was able to compromise the software update process of SolarWinds, which was previously thought to be very difficult to penetrate. SolarWinds’s cyber protections included two-factor authentication, digital key certificates and signed firmware upgrades. The compromise of these “unbreakable” systems enabled this Russian group to have undetected, unfettered access to key IT and OT devices throughout mission-critical networks. By attacking the SolarWinds platform, the Russians were able to get a “two-fer,” that is, persistent access and data exfiltration from the IT networks and access to control system devices and control system OT networks. 

Weiss and Hunter note that researchers have long warned about the dangers posed by OT attacks, and that Russian hackers have become extremely adept at control system cyberattacks. They conclude:

The SolarWinds attack demonstrates that relying on 20th century tools using protocols such as SNMP makes actors in both the public and private sectors vulnerable to 21st century attacks. No protocol is going to instantly appear to supplant SNMP. As a result, it is incumbent on every owner of IT and OT systems to employ several layers of security within SNMP systems to provide additional protection. In the meantime, government and industry must work together to develop a next-generation IT and OT management protocol that provides confidentiality, integrity and availability (and safety for control system devices) to meet modern security challenges. Finally, the SolarWinds attack demonstrates that cyberattacks against IT infrastructure, whether intentionally targeting control systems or not, can also affect those control systems.