New rule could make power companies do a better job of keeping bad guys out of the system.
It’s a classic—the episode of the show Portlandia where a couple asks the waitress if the chicken they’re about to order is local.
Yes, the waitress says.
“The chicken is a heritage breed, woodland-raised chicken that’s been fed a diet of sheep’s milk, soy and hazelnuts,” she adds.
“Hazelnuts—these are local?” asks comedic actor Fred Armison’s character, before the couple views a dossier of the chicken’s background, then drives to the farm to meet with the people who raised “Colin.”
“He looks like a happy little guy who runs around,” Armison says.
This is funny, but also a snapshot of “supply chain”—the path a product takes before it arrives at the end of its journey.
The Portlandia couple’s dinner background check may seem over-exuberant, but some say close scrutiny of the supply chain is needed to keep cyber crooks out of America’s power grid—and keep your lights on.
“The stakes are rising,” said Dave Lewis, a cybersecurity professional and founder of Liquidmatrix Security Digest.
Power companies are meeting in Atlanta today to work out a new national rule on supply chain cybersecurity for utilities.
“You lose power, you can lose lives,” said James McQuiggan with Siemens, a company that provides automation products for power companies and other customers.
Fred Armison & Carrie Brownstein star as a couple that wants to know the history of the chicken they’re about to eat for dinner in the comedy show Portlandia. Photo credit: Peabody Awards via Foter.com / CC BY
Spies in the chips
Used to be the squeaky wheel was something that needed grease. Now, a squeaky wheel can be a car part or chip or line of code that secretly sends off info to criminals or spies from another country.
“Cars are a great example because you really have parts from all over hell’s half acre,” said Lewis. “You have all these pieces and it never occurs to people as to where it comes from. They just want to make sure it works.”
Now, someone at a factory can insert malware in those parts to do recon or even control what you do.
A cyber attacker can hack into the factory’s computers and taint the products without the factory’s knowledge.
Or a cyber sneak could buy up computer devices, slap on spyware, and return them to the factor for re-sale.
Spies can put malware in computer chips that go into products you buy, use or depend on. Photo credit: Skley via Foter.com / CC BY-ND
Already there
Researchers discovered last year that body cams for some police departments in the U.S. came with malware already installed, reported SC Magazine.
The Federal Energy Regulatory Commission warned power companies about “insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices” in its announcement about the need for a new supply chain security rule in July.
“It becomes a more serious issue given the production locations can also be hostile governmental locations, i.e.: China or Russia or other locations,” said Dave Foose with Emerson Automation Solutions.
On the way
Attacks can happen during shipping, not just in the factory, cybersecurity experts say.
A 2014 report said the U.S. National Security Agency routinely intercepted computer devices on their way overseas.
“They were caught taking Cisco equipment meant for the Middle East and the Asia areas,” said Foose. “They were unboxing them, capturing them before they go out as shipments, and unboxing them, putting in malicious firmware.”
The NSA implanted digital spy tools, sealed the boxes back up and sent them on their way to foreign countries, the report said. And other governments were likely doing the same with devices coming in to the U.S., according to the report.
A 2014 report said a U.S. spy agency intercepted packages containing computer devices & planted malware on the devices before re-sealing the boxes & sending them to their destination.
Time for updates
Say you get your device out of the box, you check it thoroughly for malware, then put it to use—in your house, or perhaps running a factory or a power grid.
You’re safe from supply chain sabotage, right?
No. You will need to update that device, just like you update your phone and computer.
You may have to go to the device-maker’s website to update. But cyber crooks can poison those updates or make a fake site that looks like the device-maker’s site.
Foose compared it to downloading a favorite game on your phone.
“You may think you’re getting Pokemon GO. But it may not be the Pokemon GO that’s made by the right company, and it may be malicious,” Foose said.
Watering hole
This strategy is called a watering hole attack.
“Someone had hacked the web site and put their own version of the software up there,” said Foose. “So it was a legitimate location with a legitimate piece of software that was backdoored without anybody knowing.”
An espionage group used the attack to target Japanese power companies in 2014, according to the cybersecurity company Cylance.
Malicious hackers pulled off a watering hole attack on a big industrial company dealing with aerospace and car manufacturing, said researchers at AlienVault.
Last year, the victim was a big aerospace company and its customers, reported Palo Alto networks.
Aerospace companies were the targets of supply attacks in 2014, according to reports.Photo credit: bisgovuk via Foter.com / CC BY-ND
“In a deep pile”
Many cyber crooks and spies will use supply chain attacks to gather information, either to steal knowledge or to plan for a future, more-damaging attack, experts say.
But there’s also the risk they could do more.
One example—a water/sewer company siege, perhaps like the one that happened in Queensland in 2000.
“I could possibly shut down your filtration system or dump sewage into a thoroughfare, stuff like that,” said Foose. “I could cause a controller to do really bad things—change the values on the pressure, and then you are literally in a deep pile at that point.”
Supply chain attackers could try to knock out power, said Lewis and McQuiggan.
“You experience power failure, you could have hospitals lose power,” said McQuiggan.
“You have the potential of having an incident really roll out to multiple days, and then you’re affecting not only power, you’re affecting heat, you’re affecting water,” said Lewis.
Attackers who secretly control industrial equipment could cause a sewage spill, according to cybersecurity experts.Photo credit: armigeress via Foter.com / CC BY
Trojan horses
Keeping the supply chain secure isn’t easy. And now the utilities have to create a national standard, so all of the grid is on the same—and hopefully more secure—page.
It may be a good idea for everyone to pay more attention to supply chain security, not just utilities.
Computer chips can serve as Trojan horses, covertly bringing the enemy into devices in healthcare, public infrastructure, banks, military and government, according to a report in Help Net Security.
Researchers are trying to find ways to fight this problem. The NYU Tandon School of Engineering is working to create chips that can check themselves for funky code, the report said.
At home
You may run into this problem in your own home.
This spring, a researcher reported someone had implanted a connection to malware on home security cameras he purchased online.
“It’s important for people to be aware where their products are coming from,” said McQuiggan. “You don’t know where it’s been.”
“Use trusted sources as best you can. Get it from trusted people,” advised Foose. “Buying it off of eBay, even though it’s cheaper—it may be additional risk.”
“That’s where you’re going when you do these third-party unknown, unverified resources,” he added. “If something bad does happen, how do you go back and get it fixed?”
You may not need to visit the farm where your chicken dinner was raised, but you can pay more attention to what you’re buying, and from where.
“These are the things that we never really had to think about before,” said Lewis. “Because we hadn’t put Bluetooth or Internet access to everything that was out there. It’s like, ‘Why does your toaster need to be Internet-connected?’”