Is the SolarWinds Hack an OT Level threat?

The SolarWinds hack has been all over the press.  The software is used to monitor applications and networks at thousands of companies and most importantly US Federal and State government departments and agencies.  Orion SolarWinds is a common platform that provides all kinds of IT-level management and performance monitoring functions.  Orion products include network performance monitoring, server and application monitoring, network configuration management, and many other functions.  The attacker, reported by the media as the Russian Advanced Persistent Threat (APT) group Cozy Bear, also known as APT29, the same group behind the 2016 DNC hack.  Most recently, the group was cited as the force behind the theft of COVID-19 related vaccine data in July of 2020.  

The SolarWinds attack first made it into the news after the successful breach of cybersecurity firm FireEye in early December, resulting in the theft of FireEye offensive or “red team” tools.  Since then, other high-profile victims have been identified, including the US Department of State, DHS, US Department of Commerce, and the US Treasury.  Overall, the attack is estimated to have affected 18,000 Orion customers.  FireEye has released its own report on the attack.  

The CISA alert on the SolarWinds attack states that the attack poses “a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”  The attackers have been in these compromised networks for months, and it could take many months more to eliminate them completely.  Cybersecurity expert and Harvard Fellow Bruce Schneier stated that the only way to ensure that a hacked sensitive government network is secure is to “burn it down and rebuild it.”

What is the Impact at the OT Level?

Most of the advisories and alerts issued by agencies like CISA and companies like FireEye emphasize the IT level threats posed by the SolarWinds attack and its associated SUNBURST malware.  However, SolarWinds can also be used to monitor network traffic at the OT level.  For example, the SolarWinds network monitoring tool can monitor the performance of SNMP networks and devices, which are heavily used in applications like industrial and building automation.  
Cybersecurity firm Dragos has pointed out the potential threats to OT level networks, devices, and systems in a recent advisory.  Dragos states:

 …It is important to understand SolarWinds’ role in the overall architecture. It is very possible that a SolarWinds Orion installation is designed to actively poll SNMP of field equipment or PLCs at Purdue Level 1 or Level 2. If there are no firewalls between SolarWinds and the monitored devices, this could allow the adversary to directly interact with field equipment or PLCs. Even if there are firewalls between SolarWinds and the devices their access control may be overly permissive, still allowing for unfettered interactions with equipment. Finally, beyond firewall rules, if the SNMP traps allow for setting data values (changing configuration), the firewall rules are not effective and could still permit device modification or even remote exploitation.  

You can also check out the Dragos article for mitigation measures specific to OT level networks and systems.  In Control Magazine’s Unfettered column by Joe Weiss, he also highlights the potential risk at the OT level for things like building automation systems, switchgear, power distribution units, rack distribution units, UPSs, HVAC and environmental monitoring systems for buildings and data centers, and temperature and humidity sensors.  

The Lines Between IT and OT are Blurring

The risks to the OT level should not be underestimated, even in what is largely characterized as an IT level attack.  FireEye, for example, recently called for a more holistic view of threats across both IT and OT realms, since many attacks that affect the OT and ICS level are initiated in the IT world.  Similarly, IT-level attacks can be mounted from the OT level, as we saw in the Target hack.  Industrial IoT and edge-based systems are blurring the lines between IT and OT even further.  

Highlighting the Importance of Vetting third Party Partners for Cybersecurity

This was pretty clearly an attack mounted by an APT with access to nation-state resources, so it is unsure what end-users could have done to prevent such an attack, given the resources and effort put into it.  However, the incident does raise the important issue of vetting third-party service and software providers for their own cybersecurity practices.  The SolarWinds attack is a supply chain hack, reaching from SolarWinds' own servers into customer organizations.  The malware was “deployed as part of an update from SolarWinds’ own servers,” according to this analysis from SANS, and that supply chain compromises will continue and are extremely difficult to defend against.  

Cyber Risk Associated with a “Single Pane of Glass”

The SolarWinds platform is a “single pane of glass” approach that provides a unified environment for monitoring and improving the performance of networks and applications throughout an enterprise.  Part of the reason the attack was so successful was SolarWinds’ reach across a huge swath of the IT infrastructure.  To monitor applications and networks, the platform requires access to a broad range of networks, applications, and assets.  By compromising SolarWinds, attackers were able to gain equally broad access.  This underscores the importance of evaluating and continuously reevaluating the cybersecurity posture of your suppliers and partners, particularly those that offer broad-ranging solutions that incorporate diverse sources of data across the enterprise.