February 12, 2021

By: Jacob Chapman, Director, Industrial IT and Cybersecurity at Grantek

Operational teams running industrial systems rely on remote access devices to do their jobs and rarely think about the non-technical and non-commercial considerations when buying. But recent history is telling us that where the device – and even components within the device – come from matters much more than we recognize.

Supply Chain Attacks are Serious
A supply chain attack is a category of cybersecurity attack where access is gained by targeting upstream elements in the supply chain. A layperson purchasing a device – perhaps to commission a piece of equipment over the weekend – may think that risk isn’t significant enough to influence the buying decision. But it is; supply chain attacks are extremely popular for attackers because, by infiltrating one supplier, they can gain access to many end-users. For example, stuxnet was an effective supply chain attack that targeted PLCs used in a uranium enrichment program. NotPetya, which caused an estimated $10 billion to organizations including Merck and Saint-Gobain, was distributed through tax preparation software. Most recently SunBurst gave back-door access to up to 18,000 organizations and was distributed through SolarWinds software. This has occurred many times, and will continue because of the payoff for the attacker.

Supply Chain Attack to ICS Through Remote Access Devices
The idea of a supply chain attack targeting ICS through a remote access device isn’t just theoretical – it has happened before.  In 2014, Dragonfly malware infected many organizations and was distributed through The eWon Company’s Talk2Me application setup packages, which is software used to provide VPN access to ICS equipment. The SANS Institute provided a paper on the attack and its impacts which you can read here.

Considerations Before Buying
So going back to the layman purchasing a device so they can commission some equipment, what should they do?

In situations where you aren’t – and can’t be – an expert, it’s wise to look at what experts are doing and in the case of security, the U.S. Department of Defense. They plainly prohibit purchasing and use of devices, or contracting with providers who use devices, from certain foreign manufacturers because of risks in the supply chain. One DoD memo from July 2020 outlining this practice can be publicly viewed here. A named company of significance is Huawei Technologies Company (and its subsidiaries and affiliates) because of the broad use of their chips, including in remote access devices such as Tosibox.

So one take-away for the layman here may be to buy domestic whenever possible.  It should be noted that buying domestically-manufactured products, and products that were designed with deep layers of security, is not done easily and usually requires a pricing premium, but is undoubtedly worth the cost to the user – especially for remote access to industrial systems.

 

About the Author
Jacob Chapman has more than seven years of automation engineering, project management, account management, industrial networking, and ICS cybersecurity expertise within the food and beverage, pharmaceutical, and energy generation sectors, among others. Jacob currently leads the industrial IT and cybersecurity solutions and services at Grantek, which help manufacturers develop their facility infrastructures, including their industrial network architectures, local and cloud computing systems, and cybersecurity programs.

As Grantek’s leader in the space, Jacob maintains involvement and leadership positions in international societies and standard bodies – including the Cybersecurity Committee Chair of ISA’s Smart Manufacturing & IIoT Division, a Registered U.S. Expert to TC65 of the IEC, and a member of the ISA99 standards development committee.

Jacob Chapman
Director, Industrial IT and Cybersecurity
Grantek
484.951.1959 cell
866.936.9509 ext. 405
jacob.chapman@grantek.com