When the Supply Chain Becomes the Kill Chain
Tragically, the hackers have won yet again defeating security professionals, processes, and technology. The recent wave of successful cybersecurity attacks on key U.S. agencies, large organizations, and security companies underscores the fundamental inadequacies of the detection and forensic analysis (post breach) tool chest that is pervasive in the information technology (IT) industry today.
Hackers possess an arsenal of toolkits to discover and infect monitored systems with published exposures. Threat hunting and trusted intelligence, while essential, are insufficient as these attacks have proven once again. The threat hunter is also the hunted in this infinite war of will and resources. Once again, the low and slow attacks evaded and outpaced discovery and timely incident response. The security operations center (SOC) needs a changeup.
Cybersecurity at the Crossroads
The cybersecurity disposition is at crossroads, again. The millions of systems and billions of devices that are at risk of cyberattack are not only fragile but proliferating in our daily lives, at work, in public, and at home. Unless these systems and devices are designed for resilience and tamper resistance, there is no protection on the road ahead. Protection is an attribute of deep-rooted design; detection is an afterthought.
The root cause lies in the limitations of the means and methods. The battlefield of cybersecurity is vast and lies outside the enterprise IT perimeter. Systems are vulnerable because they are purpose-built to perform specific collaborative functions, not self-defense. This is the “soft core, hard edge” ecosystem that poses the herculean “finding the needle in the growing haystack” challenge to SOC operators.
The fundamental paradigm shift that is required to reverse the alarming trend is to differentiate threats from risks. Chasing threats (hunters) does not mitigate long-term supply chain risks (farmers). There is no truth in data, just probabilities. Relying on threat intelligence as the sole source of decision logic is a deficient analytics engine (false positives, true negatives). To defuse landed threats, risks have to be anticipated and protective countermeasures baked in.
The greatest risks today are in the blind spots created by an implicit trust in the supply chain, content updates to field systems and devices (firmware, software, configuration, operational datasets), and the global staging surface for orchestrated attacks by nation-state actors. The weaknesses in authentication methods in zero-touch ceremonies, while convenient for users, poses grave risks (Pandora’s box) without immutable identities, digital certificates, and a root of trust. The digitally transformed ecosystem that is becoming autonomous and brokerless introduces blind spots for traditional methods of activity monitoring and compliance audits in the absence of platform hardening.
From public safety systems to public utilities, industrial control systems, and consumer electronics, the target for attackers is a greenfield opportunity. The lack of resolve amongst political committees, bureaucrats, and regulators has emboldened the cybercrime syndicate. The alarming trend is the transition from user psychology-grade email phishing attacks, watering hole attacks, social networking exploits, to enterprise-grade ransomware and supply chain attacks.
Operational Technology Risk
This is a compelling indicator of device vendors, equipment manufacturers, and software vendors letting the guard down against a determined and tenacious adversary. Unless embedded protection becomes a mandatory attribute to qualify devices as trustworthy, the supply chain is at imminent risk of becoming the kill chain in the years ahead.
On the uphill road to OT/IT convergence, CISOs, risk officers and cyber insurers must judiciously evaluate innovative technologies and avoid the pitfalls of relying exclusively on incumbent network grammar and anomaly-based detection technologies. A cyberattack on operational technology (OT) will have staggering consequences from service outages to in-field manual intervention, and large-scale device recalls. The stakes are astoundingly high and therefore device protection for long-term device lifecycle management is critical.
Cyberattacks on OT devices prevail because of the risks device owners and operators are willing to take. Embarking on digital transformation without asset protection for cyber resilience will lead to IoT paralysis and brand damage down the road.