What You Need To Know About The China Chip Hack and ICS
Author: Mission Secure, Inc
On the Bloomberg story “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies”: what you need to know.
When the cybersecurity industry learns that a tiny microchip, no bigger than a grain of rice, has been quietly hiding inside the hardware systems of America’s top organizations and a number of military and defense installations, the worst is feared. While supply chain compromises are nothing new, they have garnered far less attention than higher-profile cyber-attacks via malware, zero-day exploits and advanced persistent threats. This hardware hack may go down as one of the most far-reaching acts in modern times to circumvent robust IT cyber security and infiltrate some of America’s top organizations.
While initial reports left the cybersecurity community saying “I told you so,” a follow-on article posted by The Hacker News, “Chinese Spying Chips Found Hidden On Server Used By US Companies,” does not change the fact that most companies remain unprepared for supply chain attacks. Amazon and Apple have the most sophisticated supply chain vendor verification programs in the world. If it can happen to them, it can happen to any organization.
While this reported attack placed tiny microchips on motherboards during manufacturing, boards that subsequently went into high-performance servers and found their way into data centers, it could just as easily have been directed at the circuit boards inside industrial controllers, which are manufactured all over the world and then installed to run critical industrial processes on everything from ships and offshore platforms to refineries and more. A successful supply chain attack on industrial control equipment, whether through hardware, firmware or software, could have enormous negative impacts. This was witnessed years ago with Stuxnet, which involved, in part, a supply chain hardware compromise of Siemens controllers.
MSi has received credible reports from an Energy Sector company that installed new PLCs only to have malware “wake up” a year and a half after installation.
This particular hardware attack did two things: (i) it provided a phone-home function from the infected server to an off-site location, establishing remote access for command and control; and (ii) it modified the logic on the host server so that the remote actor could take control of the server, access all the information on it, and use it as a pivot point to reach other equipment.
MSi would prevent this type of attack from having an impact on the industrial control environment even if the controller came pre-loaded with the rogue microchip. An MSi 1, through its egress monitoring capabilities, would detect a controller trying to “phone home” to an unauthorized location and block the attempt, severing any attempt to establish command and control; the operator would also be notified. Further, any unauthorized inbound attempt to reach the controller would also be blocked and a notification provided. The MSi Sentinel would also immediately detect any discrepancy between what the controller reports back to the operator, such as a false state of the process, and what is actually happening in the underlying physical process. With MSi, your organization would be shielded from the impact of supply chain attacks.
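The two checks described above, egress/inbound monitoring against an allowlist and a cross-check of controller-reported state against an independent measurement, as an added illustration in Python. This is example code, not MSi product code; the controller addresses, allowlists, flow-record format and sensor readings are all constructed for the example, and the "deny anything not on the allowlist" policy is an assumption about how such monitoring is configured.

```python
# Added example (not Mission Secure's or MSi's code): a minimal, defender-side
# model of the two checks described above. Every address, allowlist, log line
# and sensor reading below is constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical controllers and the destinations each may initiate connections to
# (its own segment plus a historian). Anything else is treated as a phone-home attempt.
EGRESS_ALLOWLIST = {
    "10.10.1.21": ["10.10.1.0/24", "10.10.2.5/32"],   # PLC-A
    "10.10.1.22": ["10.10.1.0/24", "10.10.2.5/32"],   # PLC-B
}
# Hypothetical sources allowed to open connections *to* each controller
# (control segment and the engineering/SCADA segment).
INBOUND_ALLOWLIST = {
    "10.10.1.21": ["10.10.1.0/24", "10.10.2.0/24"],
    "10.10.1.22": ["10.10.1.0/24", "10.10.2.0/24"],
}


@dataclass
class Finding:
    kind: str      # "unauthorized_egress", "unauthorized_inbound" or "state_discrepancy"
    subject: str   # controller address or process tag
    detail: str


def _in_any(ip, nets):
    return any(ip_address(ip) in ip_network(n) for n in nets)


def parse_flow(line):
    """Parse a constructed flow record: '<ts> <proto> <src>:<port> -> <dst>:<port> <bytes>'."""
    ts, proto, src, _arrow, dst, nbytes = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, proto, src_ip, dst_ip, int(dport), int(nbytes)


def analyze_flows(lines):
    """Flag controller egress to non-allowlisted destinations and inbound connections
    to a controller from non-allowlisted sources (default deny for both directions)."""
    findings = []
    for line in lines:
        ts, proto, src_ip, dst_ip, dport, _ = parse_flow(line)
        if src_ip in EGRESS_ALLOWLIST and not _in_any(dst_ip, EGRESS_ALLOWLIST[src_ip]):
            findings.append(Finding("unauthorized_egress", src_ip,
                                    f"to {dst_ip} {proto}/{dport} at {ts}"))
        if dst_ip in INBOUND_ALLOWLIST and not _in_any(src_ip, INBOUND_ALLOWLIST[dst_ip]):
            findings.append(Finding("unauthorized_inbound", dst_ip,
                                    f"from {src_ip} {proto}/{dport} at {ts}"))
    return findings


def detect_state_discrepancy(reported, measured, tolerance):
    """Compare the state a controller reports with an independent sensor reading of the
    same process tag; a difference beyond the tag's tolerance is a discrepancy."""
    findings = []
    for tag, rv in reported.items():
        mv = measured.get(tag)
        if mv is None:
            continue   # no independent measurement for this tag; nothing to cross-check
        if abs(rv - mv) > tolerance.get(tag, 0.0):
            findings.append(Finding("state_discrepancy", tag,
                                    f"reported={rv} measured={mv}"))
    return findings


# Constructed flow records
SAMPLE_FLOWS = [
    "2018-10-04T08:00:01Z tcp 10.10.1.21:50231 -> 10.10.2.5:1883 1200",   # PLC-A to historian: allowed
    "2018-10-04T08:00:07Z tcp 10.10.1.21:50232 -> 203.0.113.44:443 320",  # PLC-A to the Internet: phone home
    "2018-10-04T08:00:09Z udp 10.10.1.22:49999 -> 10.10.1.10:53 80",      # PLC-B within its segment: allowed
    "2018-10-04T08:00:12Z tcp 198.51.100.7:41000 -> 10.10.1.22:502 64",   # outside host to PLC-B: blocked
]
# Constructed process snapshot: what PLC-A reports vs what an independent sensor sees
REPORTED = {"valve_pct": 45.0, "tank_level_m": 3.2}
MEASURED = {"valve_pct": 45.3, "tank_level_m": 4.9}
TOLERANCE = {"valve_pct": 1.0, "tank_level_m": 0.2}

if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_FLOWS) + detect_state_discrepancy(REPORTED, MEASURED, TOLERANCE):
        print(f"{f.kind:22} {f.subject:14} {f.detail}")
```

Run as written, the script reports one egress finding (PLC-A reaching out to 203.0.113.44), one inbound finding (198.51.100.7 reaching PLC-B) and one state discrepancy (the tank level PLC-A reports disagrees with the independent sensor). The design point is that both network checks are allowlist-based: a controller has no legitimate reason to talk to an unknown destination, so the monitor does not need to recognize the implant's traffic, only to know what normal looks like.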
“There is no Boogeyman. The sky is not falling. What this is... is the power, reach and persistence of a nation-state effort… and it is awe inspiring and thought provoking. Likely the Bloomberg story is accurate, and the nation state has been executing a long-term, ultra-sophisticated exploitation of the U.S. defense industry, intelligence community, and across various IT-based industries. This is the power and persistence of a nation-state level effort. This is why security practitioners differentiate nation-state capabilities from everything else - organized crime, industrial espionage, recreational hackers,” said Brian Stites, Vice President of Defense and Critical Infrastructure at Mission Secure, a former executive staff member at U.S. Cyber Command and former Navy Cryptologic Officer.
“Supply chain attacks are real. From Mission Secure’s earliest research protecting military UAVs from compromised chips in the supply chain to credible reports of supply-chain based PLC firmware compromise in the Energy Sector, we have engineered technical solutions to address security issues that include supply chain attacks against critical infrastructure and defense systems. Regardless of the depth and veracity of these particular claims, we stand ready,” says Paul Robertson, Director of Cyber Security at Mission Secure and longtime cyber security expert dating back to the White House.
MSi will continue to monitor this investigation and stands ready to help protect our customers and partners against advanced persistent threat cyber-attacks, supply chain interdictions and insider threats. Contact us to learn more.