The impact of the wide-scale SolarWinds compromise could be especially acute for critical-infrastructure operators that rely on the Orion software products, while creating challenges for regulators trying to understand the security implications of the breaches affecting both government and industry systems.
“Many critical infrastructure agencies and corporations use SolarWinds,” observed former Federal Communications Commission cybersecurity chief David Simpson. The implications are vast, he explained.
“Because it measures network flows to look for anomalous patterns for external and internal data exchange, it has access to connections that are deep within the operations of networks,” Simpson said of the Orion IT-management platform. “It is a map to an organization’s ‘circulatory system’ that would lend itself to traffic analysis that can then be used to target attacks on the organization’s ‘nervous system’ and permission structure.”
The Cybersecurity and Infrastructure Security Agency on Sunday issued Emergency Directive 21-01 requiring federal agencies to identify affected SolarWinds Orion IT products and immediately disconnect or power them down, after FireEye discovered a backdoor in trojanized Orion software updates while investigating its own breach. The cyber attack affected DHS, the Treasury Department, the Commerce Department’s National Telecommunications and Information Administration and others, including private-sector systems.
Sen. Richard Durbin (D-IL), the number-two Democrat in the Senate, called the attack “virtually a declaration of war by Russia on the United States.” What constitutes an act of war is a matter of debate in the cyber community, and it raises myriad policy questions about roles and responsibilities between government and industry. The U.S. government has yet to formally attribute the attack to Russia.
Kiersten Todt, head of the Cyber Readiness Institute, said the incident creates “a tremendous opportunity to work collaboratively and cooperatively with allies on how to respond to this kind of attack on critical infrastructure. … There absolutely has to be a response, we can’t say ‘it’s just espionage.’”
But first, organizations need to figure out where the platform is on their systems and shut it down, what’s been affected, and how they will recover.
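The first of those steps, finding where Orion actually lives on an estate, is the one an operator can start on immediately. The script below is an added example written for this page, not code from SolarWinds, CISA or the article; it inventories a single Windows host for Orion components and reports them without changing anything. It assumes the default install root `C:\Program Files (x86)\SolarWinds\Orion` and that product and service display names contain “SolarWinds” or “Orion”; both are assumptions to adjust for non-default deployments.

```powershell
# Added example (not from the article): inventory one Windows host for SolarWinds Orion
# components so an operator knows what is installed, running and listening before
# deciding how to disconnect it. Report only; it makes no changes. Run as administrator.

function Get-OrionFootprint {
    [CmdletBinding()]
    param(
        # Assumption: default Orion install root. Override for non-default installs.
        [string]$InstallRoot = 'C:\Program Files (x86)\SolarWinds\Orion'
    )

    # 1. Installed products, from both the 64-bit and 32-bit Uninstall registry views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'SolarWinds|Orion' } |   # assumption: naming pattern
        Select-Object DisplayName, DisplayVersion, InstallLocation

    # 2. Windows services whose display name points at SolarWinds, with their state.
    $services = Get-Service -DisplayName '*SolarWinds*' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status

    # 3. Running processes whose executable lives under the Orion install root.
    #    Some system processes expose no Path, so guard against $null before comparing.
    $processes = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like "$InstallRoot*" } |
        Select-Object Id, ProcessName, Path

    # 4. Listening TCP sockets owned by those processes: the connections an operator
    #    has to account for when planning the disconnect.
    $orionPids = @($processes | ForEach-Object { $_.Id })
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $orionPids -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, OwningProcess

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Products     = $products
        Services     = $services
        Processes    = $processes
        Listeners    = $listeners
    }
}

# Usage: collect the report, show it, and keep a copy for the incident record.
$report = Get-OrionFootprint
$report.Products  | Format-Table -AutoSize
$report.Services  | Format-Table -AutoSize
$report.Listeners | Format-Table -AutoSize
$report | ConvertTo-Json -Depth 3 | Set-Content -Path "orion-footprint-$($env:COMPUTERNAME).json"
```

The script deliberately stops short of `Stop-Service` or pulling the network cable: an organization that wants to learn what was affected needs memory and disk evidence from the Orion host preserved before it is shut down, so inventory first, image as the incident-response process requires, then disconnect. Run it across the fleet (for example via remoting) and the JSON files give the list of hosts that the directive’s disconnect-and-recover steps apply to.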
Among critical-infrastructure groups, the Electric Subsector Coordinating Council issued a statement saying the CEO-led group “is highly engaged and already has conducted a situational awareness call on this threat. The Electricity Information Sharing and Analysis Center also has provided potential indicators of compromise and other technical data that electric companies, public power utilities, electric cooperatives, and independent power producers in North America are utilizing to run comprehensive diagnostics of their systems to identify and to remediate any threat exposure. This information sharing is representative of the strong industry-government partnership that the ESCC embodies and is vital to guarding the energy grid from all possible threats.”
Information Sharing and Analysis Centers for the different critical-infrastructure sectors have “posted relevant information from government sources and from industry sources,” said one industry representative, who added, “We are planning an industry call for participants to review information and offer an opportunity for industry discussion as warranted.”
Scott Algeier, executive director of the Information Technology ISAC, told Inside Cybersecurity: “The IT-ISAC is seeing robust collaboration and engagement across our membership. We are sharing indicators of compromise through our Intelligence Management Platform. We also have distributed several analytic reports on the incident with our members as well as the CompTIA ISAO membership, through our partnership with them.”
Retired Rear Adm. Simpson said deregulatory efforts during President Trump’s term will make recovery from this attack significantly more challenging.
“Regulators and other organizations charged with oversight of critical infrastructure markets will be blind to much of the risk within their sectors,” he said. “The deregulatory zeal over the last four years has led to very little progress being made in even basic obligations for the reporting of cyber attacks and recovery efforts for companies operating critical parts of our economy. They will have significant market motivation to mask the depth of intrusion and lateral spread as they seek to restore confidence in their operations.”
In response, Simpson said, “This classic market externality should be addressed, not by prescriptive regulation, but by structures that recognize that the risk to CI companies is risk that is shared by consumers, communities and the nation. Addressing the shared risk should include a fulsome sharing of information about attacks and efforts to address the impacts.”
He said, “Set up correctly, regulatory agencies would not ‘rush to enforce’ but have enough prior information about the companies in their sector to credit their previous risk management investments and help to assist in the large scale recovery efforts. The apparent enormous breadth of the SolarWinds attack and lack of cyber readiness understanding of the 30,000-plus companies for which the FCC has oversight will make this a particular challenge for the telecommunications sector.”
Given that, he said, “Congress may want to re-look at the $1B ‘rip and replace’ funding being asked for, analyze the expected risk reduction ROI given the current threat landscape and reassess how much and where to apply future risk reduction investments in the telecommunications sector.”
The FCC referred SolarWinds questions to CISA. – Charlie Mitchell