Overview
The cyber supply chain is defined as follows:
The entire set of key actors involved with/using cyber infrastructure: system end-users, policy makers, acquisition specialists, system integrators, network providers, and software/hardware suppliers. The organizational and process-level interactions between these constituencies are used to plan, build, manage, maintain, and defend the cyber infrastructure.”
While most cybersecurity incidents are attributable to online attacks, countless examples used insecure cyber supply chains, introducing new types of risks, threats, vulnerabilities, and even cyber-attacks. For example:
In 2008, the FBI seized $76 million of counterfeit Cisco equipment. According to an FBI presentation, the fake Cisco routers, switches, and cards were sold to the U.S. Navy, the U.S. Marine Corps., the U.S. Air Force, the U.S. Federal Aviation Administration, and even the FBI itself. One slide referred to the counterfeit Cisco equipment as a “critical infrastructure threat.”
Security researchers who analyzed the 2010 Stuxnet attack on Iranian nuclear facilities believe that malware used to infect programmable logic controllers (PLCs) and modify Siemens Step 7 software was likely carried into the facilities by third-party contractors working with the Iranian government. These third-party contractors were identified, attacked, and compromised and then unknowingly transported Stuxnet into the Iranian nuclear facilities, most likely through the use of USB thumb drives.
In 2012, the Chairman and Ranking Member of the House Intelligence Committee, Mike Rogers (R-MI) and C.A. Dutch Ruppersberger (D-MD), released a report recommending that U.S. companies avoid using telecommunications equipment manufactured by Chinese telecommunications companies Huawei and ZTE. The report highlighted U.S. critical infrastructure interconnectivity and went on to warn of the heightened threat of cyber-espionage and predatory disruption or destruction of U.S. networks if U.S-based telecommunications networks were built by companies with known ties to the Chinese state, a country known to “aggressively steal valuable trade secrets and other sensitive data from American companies.”
According to documents leaked by Edward Snowden, the National Security Agency (NSA) intercepted networking equipment built in the United States, added backdoors for remote access capabilities, and then shipped these devices to their recipients abroad. When the hacked networking equipment was deployed online, it was programmed to phone home to NSA-controlled servers. "In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure," said Glenn Greenwald, a reporter at the Guardian at the time. Greenwald further quoted the leaked NSA report: "This call back provided us (i.e., NSA) with access to further exploit the device and survey the network."
The 2013 data breach at U.S. retailer Target exposed the personal and credit card data of more than 110 million consumers. Security researchers believe that this attack began with a spear phishing attack on a Target HVAC contractor, Fazio Mechanical, of Sharpsburg, PA. Cyber-attackers used an e-mail message to compromise a PC at Fazio Mechanical a few months before the attack and then downloaded password-stealing malware onto the system. The perpetrator then used legitimate Fazio credentials to log onto the Target network and ultimately carry out the attack.
While cyber supply chain security incidents like these threaten businesses and consumers alike, any type of cyber-attack on critical infrastructure organizations could result in massive societal disruption threatening national security. These concerns are exacerbated by numerous events such as:
The Siberian gas pipeline explosion of 1982. In 1982, CIA agents learned of a Russian plot to steal western technologies for updating its outdated gas pipeline system. Armed with this knowledge, the CIA intervened with a covert operation. Unbeknownst to Soviet agents, software stolen in France was actually booby-trapped by the CIA and programmed to create havoc in a series of pumps, values, and turbines and increase pressure across the entire pipeline. Once installed, the malicious software caused a massive explosion. Leaked government documents referred to this event as, “the most monumental non-nuclear explosion ever seen from space,” in the summer of 1982.
The Aurora test of 2007. In 2007, Idaho National Labs ran an experiment called Aurora. The experiment simulated a cyber-attack and used a computer program to rapidly open and close a diesel generator’s circuit breakers so they were out-of-phase from the rest of the electric grid. In a now famous video, this remote attack caused a 2.25 megawatt diesel generator to bounce, shake, smoke, and eventually blow up. The entire process took less than three minutes, but researchers believe that a true cyber-attack could have destroyed the generator in less time. This experiment proved that a knowledgeable cyber-adversary could cause massive disruptions to the U.S. power grid. Furthermore, a diesel generator like the one destroyed in this experiment could take months to build, ship, and replace, meaning that a cyber-attack like Aurora could have long-term national security implications.
The cyber-attacks on Estonia in 2007. In 2007, the Estonian government removed a Soviet-era statue, the Bronze Soldier of Tallinn, from the city. This action was taken as an insult by Russian nationals within Estonia and some members of the Russian cybersecurity community within and outside the government. In April 2007, the small Baltic nation experienced a wave of devastating distributed denial-of-service (DDOS) attacks that disrupted the services of the Estonian banks, broadcasters, ministries, newspapers, and parliament. The Estonian attacks are sometimes referred to as the first documented acts of cyberwar.
The cyber-theft of the F-35 Joint Strike Fighter and other military secrets. In 2015, NSA documents leaked by former contractor, Edward Snowden, revealed that cyber-attackers in China obtained more than 50 terabytes of data from U.S. defense contractors and government networks. This data included detailed plans about the F-35 Joint Strike Fighter’s stealth radar and engine. By learning about these and other design points, Chinese defense companies were able to include similar designs and technologies in China’s new stealth jet, the J-20. The secret also could allow Chinese air defenses to target the F-35 in a future conflict.
The potential for a devastating cyber-attack on U.S. critical infrastructure has had Washington’s attention for a number of years. In 1998, Deputy Defense Secretary John Hamre cautioned the U.S. Congress about critical infrastructure protection (CIP) by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber-attack “… is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”
After taking office, President Obama stated:
“From now on, our digital infrastructure, the networks and computers we depend on every day will be treated as they should be; as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy, and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”
In 2012, defense secretary, Leon Panetta, echoed these earlier warnings, stating that the U.S. faced a potential “cyber Pearl Harbor,” and was vulnerable to an increasing number of foreign hackers who could disrupt U.S.-based power grids, transportation networks, financial systems, and the government itself. Finally, in February 2015 at a cybersecurity summit held at Stanford University, President Obama announced five priorities to strengthen the U.S. approach to cybersecurity threats:
1. Protecting the country's critical infrastructure—our most important information systems—from cyber-threats.
2. Improving the country’s ability to identify and report cyber-incidents so that we can respond in a timely manner.
3. Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.
4. Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.
5. Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.
There is clear evidence that the U.S. critical infrastructure faces a state of constant cyber-attack and a successful breach could have devastating consequences. Are critical infrastructure organizations adequately prepared to defend themselves? Do they have the right controls and oversight in place for cyber supply chain security? Are government agencies providing critical infrastructure organizations with the right programs and support? This ESG research report is intended to explore the answers to these important questions.