Better safe than sorry – current research on IT attacks via supply chains
"The Internet is on fire" – that was the message in mid-December 2021 when a vulnerability in the widely used Java logging library Log4j became known. It allowed attackers to execute code on affected systems and opened the door to a wide range of cyber-attacks. The Federal Office for Information Security (BSI) responded by raising a "red" alert, its highest warning level. Many organisations around the world turned out to be affected. On behalf of the Federal Ministry for the Environment, GRS experts are analysing cyber-attacks and security incidents that may also be relevant for German nuclear facilities and installations in order to protect them accordingly.
In our increasingly digitalised world, cyber-attacks have become as commonplace as stagecoach robberies in the Wild West. However, gold and banknotes are no longer the prey. Nowadays, sensitive data is often the target, for example data that is encrypted in order to extort a ransom. In addition to the targets, the perpetrators and their methods have also changed. What has remained the same is that a successful attack needs to be well planned and that possible weak points must be identified. One increasingly popular strategy for circumventing security barriers is to attack the supply chain of IT systems: the attackers compromise a link in the supply chain, typically a supplier or a product the target already trusts, and use it to gain access to their targets of interest.
Cyber-attacks via the supply chain on the rise
Attacks via the supply chain have gained importance over the last ten years, both in the attention they receive from the security community and in the opportunities they offer attackers. For example, more and more incidents are being registered in which IT systems are delivered and installed already infected with malware. In addition to the manipulation of hardware before delivery, there are other forms of attack, such as the infiltration of malicious code into software through manipulated software updates. A further possibility is the exploitation of vulnerabilities in widely used third-party components, such as those currently being exploited worldwide in the Java logging library Log4j.
The infected systems usually come from suppliers who are often themselves unaware that their product has been tampered with. Because such systems arrive through a trusted channel and look like legitimate products, they can pass through a number of security barriers (such as anti-virus software) largely unhindered. Not only office computers can be affected, but also industrial control systems, including operational digital control systems and safety-related instrumentation and control systems, as well as so-called IoT devices that are interlinked via the internet and exchange data and information.
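The manipulated-update vector described above is the one a receiving organisation can do the most about on its own side. The following Go program is an added example, not code from GRS or from any vendor named on this page: it models a vendor signing an update manifest with an Ed25519 key and the recipient verifying that manifest against a pinned vendor public key before trusting the package digest it names. The manifest format, the product name "ExampleAgent", the package bytes and the key pairs are all constructed for the example. It catches a package swapped in transit or on a mirror, a manifest re-signed by someone other than the vendor, and an edited (for instance rolled-back) manifest. It does not catch the case where the vendor's own build or signing step has been compromised, since such an update carries a valid signature; that is exactly why the supply chain itself has to be looked at, as the project described here does.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical manifest shipped alongside an update package.
// The vendor signs the manifest; the package is bound to it by its SHA-256 digest.
type UpdateManifest struct {
	Product   string
	Version   string
	SHA256    string // hex SHA-256 of the package bytes
	Signature []byte // Ed25519 signature over signedBytes()
}

// signedBytes is the exact byte string that is signed and verified. The separators
// stop two different field combinations from producing the same message.
func (m UpdateManifest) signedBytes() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("package digest does not match the signed manifest")
)

// GenerateVendorKey creates a fresh Ed25519 key pair (example only; a real vendor key
// would be generated once and kept offline, and the recipient would pin the public half).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate models the vendor's release step: hash the package and sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, product, version string, pkg []byte) UpdateManifest {
	sum := sha256.Sum256(pkg)
	m := UpdateManifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate models the receiving side. It trusts only the pinned vendor public key:
// first the signature over the manifest, then the package digest named in that manifest.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, pkg []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return ErrDigestMismatch
	}
	got := sha256.Sum256(pkg)
	if !bytes.Equal(want, got[:]) {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := GenerateVendorKey()
	_, attackerPriv := GenerateVendorKey() // attacker has a key, but not the vendor's

	pkg := []byte("constructed sample update package v2.1.0") // constructed, not a real update
	m := SignUpdate(vendorPriv, "ExampleAgent", "2.1.0", pkg)
	fmt.Println("genuine update:  ", VerifyUpdate(vendorPub, m, pkg))

	// 1. Package swapped in transit or on a mirror; the signed manifest is untouched.
	evil := append([]byte("backdoor+"), pkg...)
	fmt.Println("tampered package:", VerifyUpdate(vendorPub, m, evil))

	// 2. Attacker rewrites the manifest for their package and signs it with their own key.
	forged := SignUpdate(attackerPriv, "ExampleAgent", "2.1.0", evil)
	fmt.Println("forged manifest: ", VerifyUpdate(vendorPub, forged, evil))

	// 3. Attacker keeps the vendor's signature but edits a signed field (version rollback).
	rolled := m
	rolled.Version = "1.9.0"
	fmt.Println("edited manifest: ", VerifyUpdate(vendorPub, rolled, pkg))
}
```

The order of the two checks matters: the digest is only trusted once the signature over the manifest that carries it has verified, so an attacker cannot simply substitute a digest matching their own package. The hash comparison uses the decoded digest rather than the hex string, which rejects malformed or truncated digests as well as wrong ones.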
One prominent example of a cyber-attack via the supply chain is the attack via manipulated products of the US company SolarWinds in 2020: thousands of SolarWinds customers received a manipulated update of the Orion network management software that carried a backdoor. With its help, a large number of US authorities and companies were spied on, in some cases unnoticed for months. Victims included the US Treasury and State Department, parts of the Pentagon and the US Department of Energy and its subordinate National Nuclear Security Administration, which manages the US nuclear arsenal; there were also victims in Germany and Europe.
Critical infrastructures such as NPPs may also become targets of attacks
Another well-known attack dates back to 2017: the malware NotPetya, whose initial distribution itself ran through a manipulated update of a widely used Ukrainian accounting software package, spread worldwide across the IT networks of banks, companies and other organisations, rendered the stored data of affected systems unrecoverable and attempted to infect further IT systems. Within a few days, it caused an estimated economic damage of about 10 billion dollars. In addition to a large number of global companies, the decommissioned Chernobyl nuclear power plant was also affected: some computer systems failed completely, so that, for example, radioactivity at the site had to be measured manually.
If critical infrastructures such as nuclear power plants (NPPs) are affected by cyber-attacks, safety- and security-relevant aspects quickly come on top of the economic ones. For this reason, a team of GRS researchers commissioned by the Federal Ministry for the Environment, Nature Conservation and Nuclear Safety is currently dealing specifically with questions regarding cyber-attacks via the supply chain. The researchers are analysing concrete cyber-attacks and security incidents and identifying aspects that may be relevant for nuclear facilities and installations. These can then be taken into account in the computer security concept.
The work builds on the results of a preliminary study conducted by GRS, in which the current state of the art in science and technology as well as several relevant cyber-attacks on critical infrastructures were evaluated. In addition to the NotPetya attack on the Ukrainian Chernobyl NPP, the scientists also investigated malware findings in a Japanese and a German NPP. Furthermore, cyber-attacks via the supply chain were recorded that, while not related to nuclear facilities, could equally have taken place there.
Precautions to defend against cyber-attacks via the supply chain
The results of the preliminary study provide the basis for the recently launched follow-up project, in which the researchers are investigating the necessary precautions in more depth. The aim is to derive concrete measures for the prevention of and defence against cyber-attacks via the supply chain. In a first step, the cyber-attacks already listed in the preliminary study will be examined in more detail. From this, the scientists want to derive the potential risk that cyber-attacks via international supply chains pose to nuclear facilities. They also want to find ways to detect such attacks at an early stage. Project leader Dr Oliver Rest describes the procedure as follows: "We first want to develop a system or taxonomy of attacks. In doing so, we look at questions such as: What differences and similarities do the attacks have? What different types of attacks can be identified? And, very importantly, what possibilities are there to recognise such an attack at an early stage and to react to it? Based on such questions, we want to find common denominators that allow us to group cyber-attacks according to qualitative aspects."
In a further step, the scientists will look at the existing set of regulations on computer security for nuclear facilities and other critical infrastructures. The central question here is to what extent the regulations take into account the increasing danger posed by cyber-attacks via the supply chain. "Our goal is, of course, to adapt the regulations to current developments in the area of cybercrime. To this end, we want to identify any backlog needs and develop proposals on how these needs can be integrated into the existing regulations," says Oliver Rest.
Title: "Investigation of computer security measures to ensure computer security in the supply chain"
Term: 30 months
Commissioned by: Federal Ministry for the Environment, Nature Conservation and Nuclear Safety
Jan Karl Klebert