Executive Summary

    Overview

    The cyber supply chain is defined as follows:

    “The entire set of key actors involved with/using cyber infrastructure: system end-users, policy makers, acquisition specialists, system integrators, network providers, and software/hardware suppliers. The organizational and process-level interactions between these constituencies are used to plan, build, manage, maintain, and defend the cyber infrastructure.”

    While most cybersecurity incidents are attributable to online attacks, countless examples have involved insecure cyber supply chains, introducing new types of risks, threats, vulnerabilities, and even cyber-attacks. For example:

    In 2008, the FBI seized $76 million of counterfeit Cisco equipment. According to an FBI presentation, the fake Cisco routers, switches, and cards were sold to the U.S. Navy, the U.S. Marine Corps, the U.S. Air Force, the U.S. Federal Aviation Administration, and even the FBI itself. One slide referred to the counterfeit Cisco equipment as a “critical infrastructure threat.”

    Security researchers who analyzed the 2010 Stuxnet attack on Iranian nuclear facilities believe that malware used to infect programmable logic controllers (PLCs) and modify Siemens Step 7 software was likely carried into the facilities by third-party contractors working with the Iranian government. These third-party contractors were identified, attacked, and compromised and then unknowingly transported Stuxnet into the Iranian nuclear facilities, most likely through the use of USB thumb drives.

    In 2012, the Chairman and Ranking Member of the House Intelligence Committee, Mike Rogers (R-MI) and C.A. Dutch Ruppersberger (D-MD), released a report recommending that U.S. companies avoid using telecommunications equipment manufactured by Chinese telecommunications companies Huawei and ZTE. The report highlighted U.S. critical infrastructure interconnectivity and went on to warn of the heightened threat of cyber-espionage and predatory disruption or destruction of U.S. networks if U.S.-based telecommunications networks were built by companies with known ties to the Chinese state, a country known to “aggressively steal valuable trade secrets and other sensitive data from American companies.”

    According to documents leaked by Edward Snowden, the National Security Agency (NSA) intercepted networking equipment built in the United States, added backdoors for remote access capabilities, and then shipped these devices to their recipients abroad. When the hacked networking equipment was deployed online, it was programmed to phone home to NSA-controlled servers. "In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure," said Glenn Greenwald, a reporter at the Guardian at the time. Greenwald further quoted the leaked NSA report: "This call back provided us (i.e., NSA) with access to further exploit the device and survey the network."

    The 2013 data breach at U.S. retailer Target exposed the personal and credit card data of more than 110 million consumers. Security researchers believe that this attack began with a spear phishing attack on a Target HVAC contractor, Fazio Mechanical, of Sharpsburg, PA. Cyber-attackers used an e-mail message to compromise a PC at Fazio Mechanical a few months before the attack and then downloaded password-stealing malware onto the system. The perpetrator then used legitimate Fazio credentials to log onto the Target network and ultimately carry out the attack.

    While cyber supply chain security incidents like these threaten businesses and consumers alike, any type of cyber-attack on critical infrastructure organizations could result in massive societal disruption threatening national security. These concerns are exacerbated by numerous events such as:

    The Siberian gas pipeline explosion of 1982. In 1982, CIA agents learned of a Russian plot to steal western technologies for updating its outdated gas pipeline system. Armed with this knowledge, the CIA intervened with a covert operation. Unbeknownst to Soviet agents, software stolen in France was actually booby-trapped by the CIA and programmed to create havoc in a series of pumps, valves, and turbines and increase pressure across the entire pipeline. Once installed, the malicious software caused a massive explosion in the summer of 1982. Leaked government documents referred to this event as “the most monumental non-nuclear explosion ever seen from space.”

    The Aurora test of 2007. In 2007, Idaho National Labs ran an experiment called Aurora. The experiment simulated a cyber-attack and used a computer program to rapidly open and close a diesel generator’s circuit breakers so they were out-of-phase from the rest of the electric grid. In a now famous video, this remote attack caused a 2.25 megawatt diesel generator to bounce, shake, smoke, and eventually blow up. The entire process took less than three minutes, but researchers believe that a true cyber-attack could have destroyed the generator in less time. This experiment proved that a knowledgeable cyber-adversary could cause massive disruptions to the U.S. power grid. Furthermore, a diesel generator like the one destroyed in this experiment could take months to build, ship, and replace, meaning that a cyber-attack like Aurora could have long-term national security implications.

    The cyber-attacks on Estonia in 2007. In 2007, the Estonian government removed a Soviet-era statue, the Bronze Soldier of Tallinn, from the city. This action was taken as an insult by Russian nationals within Estonia and some members of the Russian cybersecurity community within and outside the government. In April 2007, the small Baltic nation experienced a wave of devastating distributed denial-of-service (DDoS) attacks that disrupted the services of the Estonian banks, broadcasters, ministries, newspapers, and parliament. The Estonian attacks are sometimes referred to as the first documented acts of cyberwar.

    The cyber-theft of the F-35 Joint Strike Fighter and other military secrets. In 2015, NSA documents leaked by former contractor Edward Snowden revealed that cyber-attackers in China obtained more than 50 terabytes of data from U.S. defense contractors and government networks. This data included detailed plans about the F-35 Joint Strike Fighter’s stealth radar and engine. By learning about these and other design points, Chinese defense companies were able to include similar designs and technologies in China’s new stealth jet, the J-20. These secrets could also allow Chinese air defenses to target the F-35 in a future conflict.

    The potential for a devastating cyber-attack on U.S. critical infrastructure has had Washington’s attention for a number of years. In 1998, Deputy Defense Secretary John Hamre cautioned the U.S. Congress about critical infrastructure protection (CIP) by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber-attack “… is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”

    After taking office, President Obama stated:

    “From now on, our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy, and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”

    In 2012, Defense Secretary Leon Panetta echoed these earlier warnings, stating that the U.S. faced a potential “cyber Pearl Harbor” and was vulnerable to an increasing number of foreign hackers who could disrupt U.S.-based power grids, transportation networks, financial systems, and the government itself. Finally, in February 2015 at a cybersecurity summit held at Stanford University, President Obama announced five priorities to strengthen the U.S. approach to cybersecurity threats:

    1. Protecting the country's critical infrastructure—our most important information systems—from cyber-threats.

    2. Improving the country’s ability to identify and report cyber-incidents so that we can respond in a timely manner.

    3. Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.

    4. Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.

    5. Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.

    There is clear evidence that the U.S. critical infrastructure faces a state of constant cyber-attack, and a successful breach could have devastating consequences. Are critical infrastructure organizations adequately prepared to defend themselves? Do they have the right controls and oversight in place for cyber supply chain security? Are government agencies providing critical infrastructure organizations with the right programs and support? This ESG research report is intended to explore the answers to these important questions.

    Report Conclusions

    ESG surveyed 303 IT and cybersecurity professionals representing large midmarket (500 to 999 employees) organizations and enterprise-class (1,000 employees or more) organizations in the United States within 16 vertical industries designated as critical infrastructure by the U.S. Department of Homeland Security (DHS).

    The survey focused on critical infrastructure organizations’ current cybersecurity processes in general and cyber supply chain security awareness and safeguards in particular. Based on the data collected, ESG concludes:

    The threat landscape has grown more dangerous for critical infrastructure organizations. Nearly one-third (31%) of critical infrastructure organizations believe that the threat landscape (i.e., cyber-adversaries, cyber-attacks, exploits, malware, etc.) is much worse today than it was two years ago, while another 36% say that the threat landscape has grown somewhat worse in the past two years. Alarmingly, only 37% of critical infrastructure organizations rate their cybersecurity policies, processes, and technology safeguards as excellent and capable of addressing almost all of today’s threats. The remaining 63% aren’t nearly as confident.

    Critical infrastructure organizations are under attack. A majority (68%) of critical infrastructure organizations have experienced various cybersecurity incidents over the past two years, including compromises of an employee system, data breaches due to lost or stolen equipment, insider attacks, and breaches of physical security. Over one-third (36%) of these security incidents resulted in the disruption of a business process and/or critical operations. The ramification is clear: Cyber-attacks are already impacting critical infrastructure operations and could certainly disrupt services.

    Cyber supply chain security is growing more difficult. A majority (60%) of critical infrastructure organizations believe that cyber supply chain security is much more difficult or somewhat more difficult than it was two years ago. Of those that believe that cyber supply chain security has become more difficult, 44% attribute this change to new types of IT initiatives that increased the cyber supply chain security attack surface, 39% say that they have more IT suppliers than two years ago, and 36% have consolidated IT and operational technology (OT) security, increasing cyber supply chain complexity.

    IT vendor cybersecurity audits remain haphazard. While more critical infrastructure organizations audit their IT suppliers’ security processes and metrics today than five years ago, audit processes remain somewhat ad hoc. For example, only 14% of the critical infrastructure organizations surveyed audit the cybersecurity practices of all strategic IT infrastructure vendors, use standard processes for these IT vendor audits, and use the results of these audits as formal guidelines for IT procurement decisions. In spite of progress in IT security auditing over the past five years, many critical infrastructure organizations still treat IT vendor security as a check-box exercise rather than a serious risk management requirement.

    Critical infrastructure organizations continue to employ risky IT technologies. As evidence of continuing cyber supply chain security risk, 58% of critical infrastructure organizations admit that they use products or services from IT vendors that have product and/or internal process security issues that are cause for concern.

    Third-party IT relationships exacerbate cyber supply chain risk. Critical infrastructure services often rely on a vast network of connected organizations. Fifty-eight percent of the organizations surveyed claim that they use IT services or business applications provided by third parties, while 48% provide IT service or business application access to third-party business partners. Of those critical infrastructure organizations with these types of external IT relationships, 38% provide IT access to more than 100 third-party organizations, while 27% consume IT services and business applications from more than 100 third parties. Most critical infrastructure organizations protect these third-party IT relationships with security controls and some oversight, but these safeguards are not nearly as formal or process-oriented as they should be.

    Software security remains a major concern. One-third of critical infrastructure organizations have experienced some type of security incident directly related to the compromise of internally developed software. This is particularly concerning since critical infrastructure services depend upon specialized processes often requiring homegrown software. To address software vulnerabilities, many critical infrastructure organizations have put secure software development processes in place, but only half of these firms implement these methodologies across the entire enterprise.

    Critical infrastructure organizations want more help from Washington. Only 22% of cybersecurity professionals working at critical infrastructure organizations believe that the U.S. government’s cybersecurity strategy is extremely clear and thorough, while the remaining 88% are somewhat confused by Washington. Additionally, 45% believe that the U.S. government should be significantly more active with cybersecurity strategies and defenses. Those on the critical infrastructure cybersecurity front lines would like Washington to create better methods for sharing security intelligence with the private sector, blacklist IT vendors with poor cybersecurity track records, and limit government IT purchases to those vendors with demonstrably superior product and process security.