- +44 1252 917000
- info@bluefort.com
Cody Technology Park,
Farnborough,
GU14 0LX
© Copyright BlueFort Security Ltd.
By Steve Wood, Sector Lead – Industrials at BlueFort Security & Simon Giddings, Industry Lead RSM at Opswat
The recent surge in oil prices amid rising tensions and conflict in the Middle East is yet another reminder of the volatility of global supply chains. Our interconnected supply-chain networks mean that any amount of disruption can have immediate and far-reaching consequences for businesses and consumers alike.
These networks have been repeatedly tested over the past few years, with geopolitical tension, trade disruption, extreme weather, and a pandemic pushing supply chains to the limit and exposing vulnerabilities on a worldwide scale. This has both underscored the fragility of global supply chains, and highlighted the urgent need for more resilient, adaptive systems.
Despite these more ‘traditional’ scenarios presenting a testing few years for global supply chains, what has become clear in recent years is that physical disruptions pale in comparison to the growing risks associated with digital infrastructure and technology-driven disruption.
Technology platforms have emerged as both an enabler and a source of supply-chain disruption. In June 2021, CDN provider Fastly released an update containing an undiscovered software bug; when a customer later made a valid change to their Content Delivery Network (CDN) configuration, the bug was triggered and Fastly inadvertently caused a major online outage that disrupted everything from Amazon and Reddit to the UK Government website. While the majority of Fastly’s global network was operating as normal in less than an hour, the incident demonstrated that even in the absence of a malicious element, technology-based supply-chain disruption has the potential to be extensive.
It comes as no surprise, then, that supply-chain cyber attacks represent a growing risk to organisations globally, with threats ranging from sophisticated state-sponsored campaigns to more opportunistic attacks conducted by criminal groups and individual ‘hacktivists’.
One of the most infamous state-sponsored supply-chain attacks compromised more than 18,000 SolarWinds customers via a malicious software update, injecting malicious code into thousands of high-profile businesses and public sector organisations with just a single product update.
As supply-chain cyber attacks become increasingly common, what is emerging is the dangerous potential for supply-chain attacks targeting critical national infrastructure (CNI) to put lives at risk.
It’s now reported that the Synnovis breach in June 2024 – a third-party supply-chain attack that caused significant disruption to frontline care across South East London – resulted in at least two patients suffering long-term or permanent damage to their health, which the NHS defines as likely to result in reduced life expectancy. There were many more cases of either moderate or less serious harm to individuals.
The lessons from Synnovis are clear – digital attacks can have real-world health consequences, and there is a human cost to digital vulnerabilities. Incidents like this may only be a precursor to a more dangerous wave of supply-chain attacks targeting operational technology (OT) environments.
It is not overstating the point to say that malicious disruption in these environments has the potential to be catastrophic. Take the attack on the water treatment system in the city of Oldsmar, Florida, where an attacker infiltrated the facility’s environment and attempted to remotely increase the amount of sodium hydroxide being added to the city’s water supply. Sodium hydroxide, the main ingredient in liquid drain cleaner, is used in small doses to control acidity; the attacker attempted to raise its level from 100 to 11,100 parts per million. When you consider that the attack occurred around 15 miles from where the Super Bowl was scheduled to take place two days later, you can begin to imagine the resulting consequences, had the attack been successful.
The attack on the Oldsmar facility was not an isolated incident of cyber threat actors attempting to poison local water supplies remotely. Nor was it the most high-profile cyberattack on an OT environment (which is likely to be the attack on the US Colonial Pipeline in 2021). But the incident does illustrate the very real-world health consequences a successful OT environment cyberattack has the potential to cause.
In early 2024, the NCSC issued a warning in conjunction with international partners that ‘a new class of Russian cyber adversary’ had emerged and was targeting vulnerable, small-scale industrial control systems in the US and Europe. With a heightened threat from state-aligned threat actors targeting OT operators, the NCSC has issued mitigation advice to help operators improve defences.
While it may sound alarming, unless OT operators take decisive action now, we are likely to see successful attacks becoming more frequent. The simple reason for this is the convergence and increasing connectivity between IT and OT systems. Organisations that manage OT infrastructure are increasingly leveraging IT-based telemetry and reporting to generate better data from their OT environments – much in the same way organisations in other sectors are. While this is not a problem itself, it does now provide a key link between the two traditionally separate areas of infrastructure, opening OT environments up to a vast range of threats they were historically protected from by default.
In the past, OT systems would have been air-gapped – physically separated – from IT environments. Now, with IT-based telemetry and other systems allowing data to flow both ways, what was previously built for safety and isolation is now exposed. On top of that, as many of the ‘legacy’ OT systems in question were not designed with cybersecurity in mind, they don’t support modern tools and techniques such as running agents, and so require a different approach to protection.
The challenge was summed up well by National Cyber Security Centre (NCSC) CEO, Richard Horne, in a speech marking the launch of the 2024 NCSC Annual Review:
“What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between, on the one hand, the threat and our exposure to it, and on the other, the defences that are in place to protect us.”
In response to these challenges, the regulatory environment is shifting away from ‘tick box’ or prescriptive requirements, towards ensuring organisations are continuously monitoring and closing security gaps. Regulations such as the Network and Information Systems Regulation (NIS), underpinned by the Cyber Assessment Framework (CAF), NIS2, and the upcoming Cyber Security and Resilience Bill, all apply to organisations operating in CNI. They focus on extending controls to OT environments and increasing supply-chain security, as well as putting the onus on OT operators to ensure they both understand and mitigate against these risks.
OT operators now face many of the same challenges in managing supply chain vulnerabilities as their counterparts in traditional IT environments. For the operators I speak to, a growing area of concern is the risk introduced through third-party files, which often originate from external vendors, manufacturers, partners, or contractors.
Common entry points such as USB drives, portable scanning devices, external documents, and software updates all represent a significant but frequently overlooked threat vector. Even floppy disk drives, which are still used in some OT environments, have the potential to carry hidden malware or other forms of compromise.
These risks are particularly acute in OT settings, where the consequences of disruption can be severe and immediate. While an element of security assurance is expected from the third party, to ensure they have put reasonable protections in place before accessing the OT environment, addressing potential vulnerabilities at the perimeter is essential for OT operators. With the evolving regulatory landscape placing far more onus on operators to mitigate risk in their environment, most require a comprehensive strategy to ensure that all incoming files are thoroughly validated, sanitised, and verified as safe before they interact with critical operational systems.
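To make the “validated, sanitised, and verified” step concrete, the following is an added illustration, not code from BlueFort or OPSWAT, of a minimal intake gate for third-party files arriving at the OT perimeter. It checks each file against an allowlist of expected types using its leading bytes rather than trusting the file extension, rejects anything carrying an executable header, and compares the file’s SHA-256 against a vendor-supplied manifest, in the spirit of verifying software updates before they reach operational systems. The allowlist, size cap, file names and manifest values are all constructed for the example.

```python
"""Illustrative third-party file intake gate (added example; assumptions noted inline)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from pathlib import Path

# Assumed allowlist: the file types an OT site expects from vendors, keyed by
# extension, with the leading bytes ("magic") genuine files of that type begin with.
# A real deployment would derive this list from its own change-control process.
EXPECTED_MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
}
# Headers of native executables, which are never accepted regardless of claimed type.
EXECUTABLE_MAGIC = {"PE/EXE": b"MZ", "ELF": b"\x7fELF"}
MAX_BYTES = 50 * 1024 * 1024  # assumed size cap for the example


@dataclass
class IntakeResult:
    name: str
    sha256: str
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def check_bytes(name: str, data: bytes, manifest: dict[str, str]) -> IntakeResult:
    """Run every check and return the full list of reasons, so an operator sees
    each failure rather than only the first one encountered."""
    reasons: list[str] = []
    ext = Path(name).suffix.lower()

    if ext not in EXPECTED_MAGIC:
        reasons.append(f"extension {ext or '(none)'} is not on the allowlist")
    if len(data) == 0:
        reasons.append("empty file")
    if len(data) > MAX_BYTES:
        reasons.append("exceeds size cap")

    # Content must match the claimed type: a renamed file fails here.
    expected_magic = EXPECTED_MAGIC.get(ext)
    if expected_magic and not data.startswith(expected_magic):
        reasons.append(f"content does not match {ext} signature")
    for label, sig in EXECUTABLE_MAGIC.items():
        if data.startswith(sig):
            reasons.append(f"{label} executable header found")

    # Integrity: the vendor's out-of-band manifest is the source of truth.
    digest = hashlib.sha256(data).hexdigest()
    expected_digest = manifest.get(name)
    if expected_digest is None:
        reasons.append("no entry in vendor manifest")
    elif not hmac.compare_digest(digest, expected_digest.lower()):
        reasons.append("SHA-256 does not match vendor manifest")

    return IntakeResult(name, digest, accepted=not reasons, reasons=reasons)


def check_file(path: str, manifest: dict[str, str]) -> IntakeResult:
    """Disk wrapper around check_bytes for files copied off removable media."""
    p = Path(path)
    return check_bytes(p.name, p.read_bytes(), manifest)


def run_demo() -> dict[str, IntakeResult]:
    """Constructed samples: one genuine document, one executable renamed to .pdf,
    and one archive whose hash disagrees with the manifest."""
    good_pdf = b"%PDF-1.7\n% constructed sample document\n"
    renamed_exe = b"MZ\x90\x00" + b"\x00" * 60
    archive = b"PK\x03\x04" + b"\x00" * 26
    manifest = {
        "maintenance-notes.pdf": hashlib.sha256(good_pdf).hexdigest(),
        "plc-firmware.zip": "0" * 64,  # deliberately wrong digest, constructed
    }
    samples = {
        "maintenance-notes.pdf": good_pdf,
        "vendor-report.pdf": renamed_exe,
        "plc-firmware.zip": archive,
    }
    return {name: check_bytes(name, data, manifest) for name, data in samples.items()}


if __name__ == "__main__":
    for result in run_demo().values():
        verdict = "ACCEPT" if result.accepted else "REJECT"
        print(f"{verdict} {result.name} sha256={result.sha256[:16]}... {result.reasons}")
```

Note that the gate reports every failed check rather than stopping at the first, which is what an operator reviewing a quarantine queue needs, and that a file passing these checks is only “verified” against the manifest, not sanitised: removing active content from an otherwise legitimate document is the separate job of a CDR engine.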
The latest BlueFort Security webinar looked in detail at how OT operators can build a comprehensive strategy to uncover and close gaps in OT environments, and mitigate the risk of threats introduced by third-party files.
At BlueFort, we work with a select group of carefully vetted vendors, to ensure our customers have access to the tools and expertise needed to effectively deploy emerging technology solutions that solve the problems they are facing. OPSWAT is a leader in critical infrastructure technology, and is trusted by more than 1,700 organisations worldwide to protect their critical data, assets, and networks from device and file-borne threats.
Catch up on our latest webinar Understanding the Data Risks of Supply-Chain: How to Protect Critical Infrastructure from Emerging Threats, where BlueFort and OPSWAT discussed best practices for implementing policies and processes that meet the specific needs of OT supply chains.
We explored OPSWAT’s advanced threat prevention platform, MetaDefender, which layers an array of market-leading technologies such as Deep Content Disarm and Reconstruction (CDR) to help operators remove threats from any file that could be infected or that attempts to exploit a vulnerability to compromise a network.