Advertisement

SolarWinds breach has industrial firms checking their networks for vulnerabilities

The Electricity Subsector Coordinating Council, a U.S. utility industry group, held a briefing on the SolarWinds compromise on Monday.
utilities infrastructure electrical industrial cybersecurity
(Getty Images)

Executives from multiple U.S. electric utilities on Monday convened a phone call to discuss a critical vulnerability in software made by SolarWinds, the federal contractor at the heart of an apparent cyber-espionage operation.

The briefing, hosted by an industry-government group known as the Electricity Subsector Coordinating Council, is just one example of the wide ripple effects of the malicious tampering of SolarWinds’ software by suspected state-sponsored hackers.

The SolarWinds compromise has reportedly led to the breaches of multiple U.S. federal agencies, including the departments of Treasury and Homeland Security. The affected software is widely used in the electricity, oil and gas and manufacturing sectors, and the process of assessing some organizations’ exposure to the bug has only just started.

“We have to make sure we’re breaking down some of these concepts so they understand the impact to them as critical infrastructure owners and operators,” said one U.S. official involved in SolarWinds briefings for the electricity industry, who spoke on the condition of anonymity.

Advertisement

Securing supply chains has long been a focus for many electric utilities and energy organizations. But the SolarWinds ordeal could be a learning experience for others in the sector, according to experts.

Robert M. Lee, CEO of industrial cybersecurity company Dragos, said many organizations that use industrial control systems — the computers that help control machinery — are waking up to the fact that SolarWinds software is integrated into these systems.

“This compromise means that there are numerous organizations with compromised versions of SolarWinds in their ICS networks,” Lee said. “Whether or not it’s accessible to the adversary depends on those companies’ architectures.” He said he was not aware of any case in which the attackers had access to ICS networks.

Some electric utilities use the SolarWinds software, known as Orion, within sensitive ICS networks that are subject to regulatory standards, according to Patrick C. Miller, a consultant at Archer Security Group with extensive electricity-sector experience.

Organizations that comply with North American grid regulations would likely detect attempts to infiltrate such control systems, he said. Nonetheless, that the vulnerability appears to be in the hands of a highly skilled attacker is something organizations should take seriously.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts