Evolving Security Threats and Emerging Regulations in Operational Technology (OT) Software Supply Chains

Published on 02 Aug 2023

The global trend of malicious cyber attacks on Critical Information Infrastructure (CII) such as utilities, transportation and manufacturing shows no signs of abating. Threat actors and adversaries have discovered that the Operational Technology (OT) underpinning these critical resources is vulnerable to cyber attack, and that a successful attack can be devastating to a country's citizens and cause political and economic uncertainty. The 2021 ransomware attack on Colonial Pipeline disrupted flights and left millions of Americans unable to buy fuel for their vehicles. Attacks attributed to Russian state actors on the Ukrainian power grid in December 2015, and again in December 2016, cut power to hundreds of thousands of people in the middle of winter.

Singapore is not immune to these threats. As a country that depends on highly connected technologies to maintain its water, energy, transportation, petrochemical and manufacturing capabilities, and that faces an evolving transboundary cyber threat landscape, Singapore is a potential target. The attackers' motivation may be political, as in the case of the attacks on the Ukrainian power grid, or purely financial, as in the Colonial Pipeline attack, but the impact can be crippling if Singapore is not prepared.

The Singapore government’s establishment of the Operational Technology Cybersecurity Expert Panel (OTCEP) and its forum has been a significant step forward. By tapping into the combined experience of industry experts from around the world, Singapore has developed world-class policies and procedures and shared that expertise with the stakeholders responsible for its critical systems.

The SolarWinds compromise, disclosed in December 2020, highlighted the software supply chain as a worrisome new vector of exploitation. It showed how attractive it is for threat actors to compromise a trusted supplier (SolarWinds and its Orion platform) to reach their intended targets, in this case multiple U.S. government agencies. The trojanised Orion update was downloaded by roughly 18,000 customers, including major telecommunications firms, power companies and many of the US Fortune 500. Fortunately, the attackers chose to follow up on only a tiny fraction of these beachheads, roughly 100 according to US government estimates, but it was still a tidy day's work after compromising a single software company.

Since this high-profile incident, software supply chain attacks have increased at an alarming rate: a 742% average annual increase over three years, according to Sonatype's 2022 State of the Software Supply Chain report. Governments in the U.S. and Europe have acknowledged the urgency of this threat, swiftly issuing new legislation and directives such as U.S. Executive Order 14028 and the proposed EU Cyber Resilience Act. I expect to see all global regions follow suit; no country is immune because software supply chains cross borders, and thus cooperation is key.

I've been asked what worries me more, ransomware or supply chain attacks. I usually reply "the combo" because they are not mutually exclusive. Ransomware is the payload; the supply chain is the attack vector. Attackers are beginning to mix and match their strategies, as we saw in the 2021 Kaseya attack. Kaseya, whose VSA product is used by numerous Managed Service Providers (MSPs), was the inadvertent vehicle for distributing REvil ransomware to over 800 small and medium-sized businesses (SMBs). Fortunately, most SMBs don't operate OT systems, but the effectiveness of a hybrid attack was certainly not lost on the threat actors and adversaries targeting Singapore.

Ensuring software supply chain security is now a critical aspect of overall business strategy, especially for companies involved in CII. Transparency across the software supply chain and awareness of all third-party embedded software can help save lives and protect the critical processes and equipment that modern society relies upon.

With the emergence of disruptive technologies, it is crucial for OT system operators and vendors to be ready to innovate. Consider the role of Artificial Intelligence (AI) in cybersecurity: will it be a hero or a villain? Researchers have demonstrated how threat actors can take advantage of generative AI systems like ChatGPT to poison the software supply chain. When developers ask an AI assistant to recommend software packages from common repositories, the suggestions they get back often contain what are known as "hallucinations": realistic-sounding packages that don't actually exist. All an adversary needs to do is publish a malicious package under the hallucinated name to the public registry and wait for incautious developers to install it and ship it in the software they build.
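The cheapest defence against a hallucinated or squatted dependency is to refuse to install anything that is not already vetted. The gate below is an added example, not code from this article or from aDolus: it resolves every name in a requirements.txt against a vetted index (a constructed allowlist standing in for a private mirror) and reports names absent from the index, which is exactly what a hallucinated package looks like, separately from names a couple of edits away from a known one, which is what a squat on a hallucination or on a typo looks like. The package list, the sample requirements and the edit-distance threshold are all assumptions made for the example.

```python
"""Pre-install gate for AI-suggested Python dependencies (added example).

Each requirement is resolved against KNOWN_PACKAGES, a constructed allowlist
standing in for a private index mirror. A name absent from the index is
reported as unknown (what a hallucinated package looks like); a name within
a small edit distance of a known one is reported as suspect (what a squat
on a hallucination or a typo looks like). Neither is installed automatically.
"""
import re
from typing import Dict, Optional, Set

# Constructed allowlist; a real deployment would read the private index.
KNOWN_PACKAGES: Set[str] = {
    "requests", "numpy", "pandas", "cryptography", "pyserial",
    "pymodbus", "opcua", "scapy", "paho-mqtt", "pyyaml",
}

# Constructed requirements file, as a developer might paste from an AI answer.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
pymodbus>=3.0   # PLC polling
Paho_MQTT
pymodbuss       # one letter off a known name (constructed)
modbus-secure-tk  # plausible but nonexistent name (constructed)
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of [-_.] become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line: str) -> Optional[str]:
    """Project name from one requirements.txt line; None for blanks, comments, options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def gate(requirements: str, known: Set[str] = KNOWN_PACKAGES,
         max_distance: int = 2) -> Dict[str, list]:
    """Classify each requirement as allowed, unknown, or suspect (near a known name)."""
    index = {normalize(n) for n in known}
    verdict: Dict[str, list] = {"allowed": [], "unknown": [], "suspect": []}
    for line in requirements.splitlines():
        name = parse_requirement(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in index:
            verdict["allowed"].append(name)
            continue
        near = sorted(k for k in index if levenshtein(norm, k) <= max_distance)
        if near:
            verdict["suspect"].append((name, near))
        else:
            verdict["unknown"].append(name)
    return verdict


if __name__ == "__main__":
    for category, items in gate(SAMPLE_REQUIREMENTS).items():
        print(f"{category}: {items}")
```

Run against the constructed file, the gate allows requests, pymodbus and Paho_MQTT (normalised to paho-mqtt), flags pymodbuss as suspect because it is one edit from pymodbus, and reports modbus-secure-tk as unknown. The policy that matters is the last branch: an unknown name is never resolved against the public registry automatically, because the registry is exactly where the adversary has been waiting.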

The fact that threat actors are leveraging AI is all the more reason to embrace new technologies to counter their strategies and to prevent, rather than react to, attacks. AI offers powerful analysis capabilities for tasks that would otherwise require huge cybersecurity teams (which are rare) spending vast amounts of time (which they don't have) on work better suited to a machine. For example, the only feasible approach to continuous, real-time vulnerability tracking across the many millions of products and the tens of thousands of vulnerabilities announced each year is to use machine learning and natural language processing. It is simply not a job for human beings, who can add far more value elsewhere.

Looking forward, expect to see more regulatory initiatives building on the efforts of the U.S. and Europe, and expect a growing appetite in the private sector for the same level of transparency that governments are now requiring. The Software Bill of Materials (SBOM), as a form of software attestation, is now a mainstream expectation, and tools that generate and manage SBOMs are becoming widespread. Greater visibility into software supply chain security will become a board-level objective as companies seek to quantify and limit risk.
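Once an SBOM exists, the continuous tracking described above reduces to matching the identifiers it carries against the identifiers in a vulnerability feed. The script below is an added example, not code from this article, from aDolus or from any SBOM tool: it parses a constructed CycloneDX SBOM, extracts each component's package URL (purl), and tests the version against constructed advisories using the OSV-style introduced/fixed range convention. The SBOM contents, advisory identifiers and ranges are invented for the example and describe no real vulnerability; the machine learning and NLP work the article refers to is what produces structured records like these from the unstructured advisories vendors actually publish, and it is the missing-purl branch below where that work would plug in.

```python
"""Match a CycloneDX SBOM against a vulnerability feed by package URL (added example).

The SBOM and the advisory feed are constructed inline; the advisory IDs and
ranges are invented and do not describe real vulnerabilities. Ranges follow
the OSV convention: a version is affected if introduced <= version < fixed.
"""
import json
from typing import List, Optional, Tuple

# Constructed CycloneDX 1.4 SBOM for a fictional OT historian gateway.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "pymodbus", "version": "2.5.3",
         "purl": "pkg:pypi/pymodbus@2.5.3"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:generic/openssl@3.0.2"},
    ],
})

# Constructed advisory feed keyed by version-less purl. Not real CVE data.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:pypi/pymodbus",
     "introduced": "0", "fixed": "3.0.0"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "ADV-EXAMPLE-0003", "purl": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.7"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple; trailing zeros dropped so 2.5 == 2.5.0.

    Non-numeric segments (e.g. '1.1.1k') raise ValueError; ecosystem-specific
    schemes need their own comparator and are out of scope for this example.
    """
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV-style range test: introduced is inclusive, fixed is exclusive."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def match_sbom(sbom_json: str, advisories: list) -> List[Tuple[str, str, str]]:
    """Return (component name, version, advisory id) for every affected component."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # No purl means no deterministic match; this is the gap that
            # name/version text matching (the NLP problem) has to close.
            continue
        base, version = split_purl(purl)
        if version is None:
            continue
        for adv in advisories:
            if adv["purl"] == base and is_affected(version, adv["introduced"], adv.get("fixed")):
                findings.append((comp["name"], version, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} affected by {adv_id}")
```

On the constructed inputs the matcher reports pymodbus 2.5.3 and openssl 3.0.2 and clears log4j-core, because 2.17.1 equals the exclusive upper bound of its range. That boundary case is where naive string comparison and inclusive/exclusive confusion produce both false positives and, far worse, false negatives in real SBOM tooling.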

The pace at which generative AI technology is advancing, and the poor defences we currently see in most software supply chains, demand global attention. The OTCEP forum provides an ideal opportunity for OT cybersecurity practitioners from around the world to share their experiences and learn best practices to enhance Singapore's OT cyber resilience. My talk at the Forum will address evolving threats to, and emerging regulations for, OT software supply chain security. The recommendations and insights of key thought leaders in the public and private sectors are also important in the development of localised capabilities in OT cybersecurity. Collectively, we can build a safe and resilient OT cyber environment for all.

Mr Eric Byres is a member of the Cyber Security Agency of Singapore (CSA)'s Operational Technology Cybersecurity Expert Panel, which comprises cybersecurity experts from around the world. He is also the Chief Technology Officer of aDolus Technology Inc, a cybersecurity research and development company focused on improving the security of the software supply chain for OT. Eric is best known for inventing and successfully commercialising the Tofino Firewall, the world's most widely deployed ICS security appliance.