Cybersecurity researcher Ang Cui wrote his PhD dissertation at Columbia University on embedded system cybersecurity and founded Red Balloon Security after graduating. He is extremely worried about the SolarWinds attack.
“SolarWinds is probably one of the largest compromises of national security,” he said in an interview.
“Because this is a piece of software that has root passwords and maintains not your computer – SolarWinds doesn’t touch that – it maintains every aspect of the embedded devices that make up the network,” he said. That’s pretty much everything else: your firewall, the phone on your desk, “everything that’s not a Windows computer, SolarWinds has root passwords to and manages that,” he said.
Once the attackers have access to root passwords, Cui said, they can start doing real damage.
“It means that all of a sudden, they can change the firmware on every single thing that literally makes up all of your IT or communication infrastructure,” he said.
Cui also said he sees the SolarWinds attack as an orchestrated one. First there is reconnaissance, then they sit and wait until the time is right to execute an offensive. And having that piece of malware sitting in a place like a firewall or the fault protection relay in a substation makes it much harder to detect, said Cui.
“There’s a lot of security monitoring in Windows machines and there’s none of that in any of these embedded devices,” he said, adding: “So, yeah, I think there is a pretty obvious reason for why the attacker chose something like SolarWinds…because SolarWinds controls embedded devices and that is clearly I think what the goal of this attack was.”
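The gap Cui describes, firmware that can be rewritten on devices nobody is watching, is usually closed on the defender's side with a firmware integrity baseline: record a hash of each device's known-good image and compare later dumps against it. The example below is added here to illustrate that check; it is not code from the article or from Red Balloon. The device names and firmware blobs are constructed, and the example assumes the images being compared were read out of band (for instance dumped from flash), since a compromised device cannot be trusted to report its own version or hash.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, str]  # (device_id, reason)


@dataclass(frozen=True)
class FirmwareImage:
    """A firmware image as read from a device (assumed dumped out of band)."""
    device_id: str
    version: str   # version string the image claims to be
    blob: bytes    # raw image contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(images: Iterable[FirmwareImage]) -> Dict[str, Tuple[str, str]]:
    """Map device_id -> (version, sha256) for a set of known-good images."""
    return {img.device_id: (img.version, sha256_hex(img.blob)) for img in images}


def check_against_baseline(baseline: Dict[str, Tuple[str, str]],
                           observed: Iterable[FirmwareImage]) -> List[Finding]:
    """Compare freshly dumped images with the baseline and report drift.

    The case worth escalating is 'hash_mismatch_same_version': the image
    changed but still claims the baseline version, which is what a silently
    replaced firmware looks like. A changed version with a changed hash is
    more likely a legitimate update, but still needs to be confirmed and
    re-baselined.
    """
    findings: List[Finding] = []
    seen = set()
    for img in observed:
        seen.add(img.device_id)
        expected = baseline.get(img.device_id)
        if expected is None:
            findings.append((img.device_id, "unknown_device"))
            continue
        exp_version, exp_hash = expected
        if sha256_hex(img.blob) == exp_hash:
            continue  # image unchanged
        if img.version != exp_version:
            findings.append((img.device_id, "version_changed"))
        else:
            findings.append((img.device_id, "hash_mismatch_same_version"))
    # Devices in the baseline that produced no dump also need a look.
    for device_id in baseline.keys() - seen:
        findings.append((device_id, "missing_device"))
    return sorted(findings)


def demo() -> List[Finding]:
    """Run the check over constructed sample data and return the findings."""
    baseline_images = [
        FirmwareImage("fw-01", "2.3.1", b"firewall-firmware-2.3.1"),
        FirmwareImage("phone-07", "1.0.9", b"desk-phone-firmware-1.0.9"),
        FirmwareImage("relay-sub4", "4.2.0", b"protection-relay-4.2.0"),
    ]
    baseline = build_baseline(baseline_images)

    observed = [
        # same claimed version, but the image bytes changed: the suspicious case
        FirmwareImage("fw-01", "2.3.1", b"firewall-firmware-2.3.1" + b"\x90\x90"),
        # new version and new bytes: looks like an update, confirm and re-baseline
        FirmwareImage("phone-07", "1.1.0", b"desk-phone-firmware-1.1.0"),
        # a device that was never baselined
        FirmwareImage("switch-99", "0.1", b"switch-firmware-0.1"),
        # relay-sub4 produced no dump at all
    ]
    return check_against_baseline(baseline, observed)


if __name__ == "__main__":
    for device_id, reason in demo():
        print(f"{device_id}: {reason}")
```

In practice the baseline would be stored off the devices (and ideally the hashes would be compared against vendor-published values), and the dumps would be scheduled so that a change shows up before the "sit and wait" phase Cui describes turns into action.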
Cui added that his company has done research on devices across many different industries, from industrial controls to defense to consumer, “you name it.” He said that the security posture of the power sector is very lacking because the firmware that runs these devices, “being generous, is about 1995-2005.”
So now what?
Some cybersecurity experts that we spoke with for this article said once the attackers are inside your systems, it’s too late. The best form of defense is to never let them get in there in the first place, they said.
Cui agrees that keeping them out is, of course, the best-case scenario, but in light of the situation many utilities are now facing he asks, “what’s the alternative, just give up?”
“Sure, I mean, if you have SolarWinds, chances are, yeah, they got you,” he said. But what you need to do now is figure out how to protect those embedded devices, which are the targets of the attack, he believes.
While it may be difficult to protect devices, it isn’t impossible.
“Try to get some security features installed on an unknown embedded operating system that nobody’s ever seen the source code to,” he said, adding that this is the very reason he wrote his dissertation. But the idea itself is pretty simple, according to Cui. “You want to be inside the device that you want to secure. And that’s what Symbiote allows our customers to do,” he said.
Finally, Cui reminds the industry that this is just one more attack in a long string. “We’ve been at this since WWI,” he said.
“After SolarWinds there’s going to be another thing and this is going to be an endless stream of these types of vulnerabilities that will never go away,” he said.
Cybersecuring the grid is an educational track at DISTRIBUTECH International 2022, set for January 26-28, 2022 in Dallas, Texas. We’re accepting speaking ideas now. If you have an idea for a talk that you or someone you know could give that could help the industry defend itself against cyberattacks, please submit it now. Here’s the link.