RSA Conference 2019: Operational Technology Widens Supply Chain Attack Surfaces

Between operational technology and open source, the supply chain is rapidly expanding – and companies that can’t keep up will be the next security targets, said experts at RSA Conference 2019.

SAN FRANCISCO – Today’s supply chain has evolved, with operational technology (OT) used in factories increasingly becoming connected and converging with IT systems — introducing new attack vectors. This new reality is vital for companies to understand in the context of risk, according to Dawn Cappelli, vice president of global security and CISO at Rockwell Automation, and Edna Conway, chief security officer at the global value chain at Cisco Systems, speaking at the RSA Conference 2019 this week.

“The third-party risk landscape is much bigger than it used to be,” said Conway. “The threats are continuing to rise – and with IT and OT convergence, the way those threats manifest themselves is becoming very interesting. We all have to work together and put together a risk-based approach, and have to figure out as a community how we can help small to mid-sized businesses secure themselves.”

Third-party ecosystems have grown drastically and are now extremely diverse and broad. When a consumer or business adopts a device, that device is a product not only of the OEM (such as Apple, Dell, Samsung or Sony) and its hardware component suppliers and software vendors, but also of the partners that those manufacturing partners rely on in turn.

With so many interconnected players in the system, the supply chain already provides a ripe opportunity for hackers to exploit a single vulnerability and hit several companies at once – and grab customers’ data. And, with the widening tech ecosystem and more partnerships being formed all the time, it’s difficult to pinpoint and prevent such attacks.

This can be seen playing out in news headlines: In the past year, breaches at Delta Airlines and Best Buy both stemmed from third parties and an insecure supply chain.

Making matters worse, factories, which are where many of these partnerships intersect, are increasingly implementing connected IoT devices on the factory floor to better monitor events, processes and devices. This further complicates supply-chain security by introducing tens, hundreds or even thousands of exposed devices into the environment that could potentially be compromised by an attacker. At the same time, factories are integrating IT systems in order to leverage data-centric computing to go along with this shift to “smart” ecosystems.

Unfortunately, Cappelli and Conway pointed out that IT teams lack an awareness of the tedious challenges, requirements and even culture of those on the operational-technology side. On the OT side, meanwhile, a specialized, skilled workforce is tasked with running ICS such as programmable logic controllers (PLCs) and heating, ventilation and air conditioning (HVAC) systems. Many OT teams don’t understand the culture of IT, and are still in the dark when it comes to critical IT issues like security.

This all has had consequences: according to Fortinet, almost 90 percent of organizations with connected OT infrastructures have experienced a security breach within their supervisory control and data acquisition (SCADA) and ICS architectures.

The most high-profile case of an issue arising from OT-IT integration was probably the 2013 Target breach. As is not uncommon, the big-box retailer hired a third-party integrator for environmental control, which is generally done remotely over the internet rather than sending technicians on-site. Hackers exploited weaknesses in the HVAC provider’s billing system, then pivoted into Target’s IT network. Ultimately, hackers made off with the bank-card data of 41 million Target customers.

Today, with this kind of convergence happening at the factory level, and combined with already complex supply chains and the rise of IoT in production environments, the risk from such attacks has expanded exponentially.

Faced with these new challenges, at a high level, companies can start with the basics to protect themselves. Those include building a foundation to understand who and what’s in their ecosystem, and what partners are delivering. Other basics include developing a road map for projects that addresses third-party security.

“The new attack surface is functional,” said Conway. “Data will always be important, but an attacker wants to hit you where you operate. And with the convergence of IT and OT, we need to educate not only the government, but also the next generation of consumers.”
