Supply Chains Are In The Cyberattack Crosshairs

Over the past year, we’ve already seen substantial cyberattacks against critical infrastructure and supply chains.

Whereas ransomware attacks are largely motivated by money, the motivation of software supply chain attacks is surveillance, espionage and data exfiltration. Critical infrastructure attacks are generally intended to cause disruption, destabilization, chaos and even physical harm—an interesting turn of events considering it wasn’t long ago that we believed cyberattacks could not be used to cause physical harm.

Here are a few telling examples that prove physical harm is very much a possible result of cyberattacks:

• In 2001, a hacker in Australia accessed a computerized waste management system and dumped sewage into local parks and rivers.

• In 2007, Stuxnet reportedly destroyed numerous centrifuges in an Iranian uranium enrichment facility.

• In 2008, a hacker in Poland was able to redirect and derail trains, resulting in injury to a number of people.

• In 2011, a hacker was able to gain access to a hospital HVAC system, which put drugs and medical supplies at risk.

• In 2013, a cyberattack on a dam in New York State attributed to Iran could have resulted in the dam flooding a nearby town. Fortunately, this did not happen, but that scenario was well within the realm of possibility.

• In 2014, a phishing attack was used to gain login credentials, allowing hackers to disrupt control systems and shut down parts of a German steel mill. This resulted in significant damage to the mill’s blast furnace.

• In 2021, a cyberattack against a water treatment facility in Florida contaminated drinking water that could have harmed humans. Fortunately, sensors detected the contamination before anyone was impacted.

In a previous Forbes article, I theorized about cyberattacks against our power grid. I asked what might happen if the power grid in the desert southwest was taken down in the middle of summer. The potential for human harm is unthinkable.

Unlike critical infrastructure attacks, software supply chain attacks are typically intended for surveillance and espionage. Other similar cases of software supply chain attacks used to inflict pain include:

• The Microsoft Exchange Server attack in 2021 resulted from previously unknown zero-day vulnerabilities. It is believed that China was behind this attack in an attempt to steal technology to help advance their artificial intelligence efforts.

• With the Kaseya breach, hackers compromised a vendor’s software, allowing ransomware-related malware to be pushed to customers. Ransomware suggests the primary motivation as money.

Many of these critical infrastructure and supply chain attacks have been perpetrated via phishing, allowing malware to be dropped on computer systems. In some cases, the malware is intended to go undetected so that surveillance and data exfiltration can happen without the system owner knowing. The motivation in these cases is not about money. In situations like ransomware, by contrast, the impact is immediate and intentionally visible, and the motivation is entirely financial in nature. Both attack types are used against critical infrastructure, either to cause harm or to take over systems and data in order to extract ransom payments from victims.

What Does It All Mean?

The key takeaway from these attacks is that the United States is vulnerable in many different ways. Our desire to connect everything to the public internet makes many of these attacks possible. However, Stuxnet proved that even air-gapped systems aren’t safe, as the attack was reportedly deployed via a thumb drive.

Despite all of the evidence and weekly warnings about new attacks on critical infrastructure and our supply chain, the U.S. has repeatedly demonstrated its vulnerability to these attacks, and the stakes will only increase. Given the results can be catastrophic, organizations across industries must take immediate steps to improve security and risk posture to prevent attacks on our supply chain and critical infrastructure.

It’s time to take these security threats seriously. The good news is the administration is defining standards to manage software supply chain risk and there are calls for mandating cyber security practices across critical infrastructure. For organizations looking for a place to start in shoring up their cyber defenses, there’s an abundance of information available on what can be done to reduce the risk of these and other cyberattacks, including free expert guidance from DHS, CISA and NIST.

We know what we need to do and how to do it. It’s high time we got started.