Software Supply Chain: Still a Vulnerability for Our Critical Infrastructure

From Stuxnet to Colonial Pipeline

Although more than a decade has passed, Stuxnet is still regarded as the incident that introduced a malware platform able to exploit multiple zero-day vulnerabilities at once. A series of related malware families with monikers like Duqu and Flame followed, sometimes called the sons of Stuxnet. In some ways Stuxnet established a more industrial-strength process for developing malware.

This also means that, for the rest of us in the post-Stuxnet world, we need better ways to protect critical infrastructure from platform-based malware that exploits vulnerabilities in code. Given present-day software development practice, most of the code that manages critical infrastructure control systems lives in Git repositories. That in itself adds exposure, because a repository holds not only the code but its full history and, too often, its credentials and configuration. However, it also creates the opportunity to address security for the software supply chain in one place.

So why categorize Stuxnet as a supply chain attack?

Stuxnet was a very complex piece of malware engineering. At least three facets of its deployment and operation help classify it as a software supply chain attack:

1. It used (stolen) Secrets in Code

2. It relied on Infrastructure (mis)Configuration

3. It leveraged (natural) vulnerabilities from lack of Access and Identity Governance

What is Stuxnet?

The initial target for Stuxnet was a Siemens Simatic industrial control system that controlled the operation of centrifuges used for uranium enrichment. It has been widely reported over the years that Iran’s Natanz nuclear facility was the target and that certain nation states spearheaded the effort to disrupt Iran’s nuclear program by carrying out this cyberattack. This particular attack did have an impact on the program at the time.

Stuxnet spread across Windows hosts running the Siemens PCS 7, WinCC and STEP 7 industrial software. One of its propagation routes used a hard-coded password built into the WinCC database layer to connect to the WinCC SQL Server database and run its own code on the host, and its kernel drivers were signed with code-signing certificates stolen from hardware vendors, so Windows loaded them without complaint. Once on an engineering workstation, it hooked the STEP 7 library that talks to the PLC, injected its own code blocks into the Simatic S7 PLCs, and hid the modification from the engineer's view of the PLC program.

The injected logic periodically drove the centrifuge motors far above their normal speed and then dropped them to a crawl, while replaying previously recorded normal readings to the operators. Doing this a few times in succession stressed the spinning rotors to the point of failure, in essence degrading an entire enrichment facility containing hundreds of these centrifuges. It's hard to imagine all this was done via software.

The Colonial Pipeline Attack

Fast forward a decade and in the recent past we have seen the Colonial Pipeline attack, the Kaseya attack and many others. The Colonial Pipeline intrusion began with a single compromised password for a legacy VPN account that had no multi-factor authentication. One leaked credential took down the largest refined-products pipeline in the U.S. and led to fuel shortages across the East Coast.

A leaked credential, whether committed to a repository or reused on a forgotten VPN account, is enough. Organizations need to adopt technology that goes beyond finding secrets in code; a more comprehensive approach to code-related risk is needed.

Adopting a strategy for Software Supply Chain Security

The way software is developed has changed. With the constant pressure to accelerate deployment, application security has become more complex as open source software and code from third-party repositories become more prevalent. As this trend grows, developers are taking a more defined role in application security.

Vulnerabilities in code have made it the largest cyberattack surface. Software supply chains are no longer monolithic; they are made up of many disparate software components from multiple sources.

Things to Watch out for

  • Code resides in multiple Git repositories with no visibility into its chain of custody
  • Open source adoption keeps increasing
  • Teams are being advised to apply security early in the process
  • Attackers are exploiting secrets in code and launching crippling cyberattacks

Three Key Questions to Ask 

  • How do you know where there is high-risk content in your code?
  • Where does your code live and who has access?
  • Can you detect and identify misconfigurations in your infrastructure / repositories?

BluBracket provides the most effective code security solution to secure developer environments. Developers can identify and mitigate key risks across the entire CI/CD pipeline while maintaining speed and agility. 

A Reminder to Focus on Software Supply Chain Security

A comprehensive software supply chain strategy can include various best-of-breed application security solutions. The key is determining the risk from vulnerabilities present in code. Here are some steps that organizations can consider as they build out a security strategy for their software:

  • Define your organization’s overall risk strategy with links to enterprise risk OKRs
  • Map risk and security considerations to help prioritize software development activities
  • Promote security awareness for AppSec and development team members, with emphasis on secure software development, API security, and DevSecOps practices
  • Establish an understanding of risk-based security and how to track risk
  • Enforce security standards for sourced third-party and open source software components

For software supply chain risks specifically related to code development, the software development environment should include:

  • Static and dynamic code analysis of software under development and as deployed through the CI/CD process
  • Software composition analysis to identify which components are internally developed versus third-party or open source
  • Steps to secure APIs and any integration points between software providers
  • Provisions for a software bill of materials (SBOM) to track direct and indirect references to software components
  • A risk-based code security platform to prioritize and address code risks in three key areas:
  1. Presence of high risk content in code (secrets in code, PII and non-inclusive language)
  2. Risks due to misconfigurations of Git repositories and infrastructure as code (IaC)
  3. Nonconformance with access and identity governance best practices
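The first of these three areas is the one a team can start checking today with a script in its CI pipeline. The following Python example is added to this article and is not BluBracket's product or code: it walks a unified diff (such as the output of `git log -p --all`), scans only the lines a change adds, and flags AWS access key IDs, private key blocks, generic `password`/`secret`/`token` assignments, and high-entropy strings, while skipping values that merely reference an environment variable or placeholder. The pattern list, the entropy threshold of 4.0 bits per character, and the sample diff (a hard-coded WinCC-style database password next to a Terraform provider block) are constructed for the example; in real use you would run it over repository history, because a secret removed in a later commit still lives in the history.

```python
"""Scan the added lines of a unified diff for hard-coded secrets.

Added example for this article; not BluBracket's product or code. The
detectors, the entropy threshold and SAMPLE_DIFF are illustrative assumptions.
"""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

# Detectors for well-known credential shapes plus a generic "name = value" heuristic.
# The keyword detector deliberately allows prefixes and suffixes (DB_PASSWORD, secret_key).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token|api_key)[a-z_]*\s*[=:]\s*['\"]?([^'\"\s;]{6,})"),
}
# Values that reference a variable or are obvious placeholders are not secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{|\{|\$\(|<|os\.environ|\*{3,}|x{4,}$|change|example|your)")
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # base64/hex-looking runs of 20+ characters
ENTROPY_THRESHOLD = 4.0                          # bits per character; tuned by hand, not a standard
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    kind: str
    file: str
    line_no: int
    snippet: str   # redacted, so the report itself does not leak the secret again


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a string of one repeated character)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(s: str) -> str:
    return s[:4] + "*" * (len(s) - 4) if len(s) > 8 else "*" * len(s)


def scan_line(text: str, file: str, line_no: int) -> list[Finding]:
    out = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "credential_assignment" and PLACEHOLDER.match(value):
                continue
            out.append(Finding(kind, file, line_no, redact(value)))
    for tok in TOKEN.findall(text):
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            out.append(Finding("high_entropy_string", file, line_no, redact(tok)))
    return out


def scan_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff, scan only added (+) lines, and track file and new-file line numbers."""
    findings, current_file, new_line = [], "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                 # new-file header; must be tested before "+"
            current_file = raw[4:].strip()
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue                               # old-file header, "\ No newline at end of file"
        m = HUNK.match(raw)
        if m:
            new_line = int(m.group(1))             # first new-file line number of this hunk
            continue
        if raw.startswith("-"):
            continue                               # removed line: has no new-file line number
        if raw.startswith("+"):
            findings.extend(scan_line(raw[1:], current_file, new_line))
        new_line += 1                              # context and added lines both advance the counter
    return findings


def report(findings: list[Finding]) -> list[tuple[str, str, int]]:
    """Deduplicated (kind, file, line) triples, sorted for stable output."""
    return sorted({(f.kind, f.file, f.line_no) for f in findings})


# Constructed sample diff: a hard-coded database password committed "temporarily" in a
# SCADA helper, and an AWS key pair pasted into a Terraform provider block.
SAMPLE_DIFF = """\
diff --git a/scada/db.py b/scada/db.py
--- a/scada/db.py
+++ b/scada/db.py
@@ -1,4 +1,6 @@
 import pyodbc
-conn = pyodbc.connect(os.environ["WINCC_DSN"])
+# TODO: remove before merge
+DB_PASSWORD = "Sup3rS3cretPw!"
+conn = pyodbc.connect(f"DSN=WinCC;UID=WinCCConnect;PWD={DB_PASSWORD}")
 
 def query(sql):
diff --git a/infra/main.tf b/infra/main.tf
--- /dev/null
+++ b/infra/main.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+  access_key = "AKIAIOSFODNN7EXAMPLE"
+  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--git":
        # Whole repository history, including commits no longer on any branch tip.
        diff = subprocess.run(["git", "log", "-p", "--all"],
                              capture_output=True, text=True, check=True).stdout
    else:
        diff = SAMPLE_DIFF
    for f in scan_diff(diff):
        print(f"{f.file}:{f.line_no}: {f.kind}: {f.snippet}")
```

On the sample diff the scanner reports the password assignment in `scada/db.py`, the access key ID and the secret key in `infra/main.tf`, and nothing for the `PWD={DB_PASSWORD}` interpolation, which is a reference rather than a literal. Run it with `--git` inside a repository to scan every commit that ever existed there. Two caveats a practitioner should keep in mind: a finding means a credential has already been written to history, so rotating it matters more than rewriting the commit, and the entropy heuristic will flag hashes, UUIDs and minified assets, so an allowlist of paths and a review step belong in any real pipeline.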

BluBracket delivers a solution to automate a risk-based approach to security

BluBracket is the most complete code security solution that enables developers to effectively identify and remediate risks within their software development environment across code repositories, infrastructure as code and cloud environments. With BluBracket, organizations can shift left by enabling developers to address security at the very start of the development lifecycle.
