SolarWinds, the SEC, and Securing Your OT Space

In December 2020, the cybersecurity firm FireEye, itself a victim, reported the discovery of a sophisticated, highly targeted intrusion. It traced the compromise to a backdoor inserted into a routine update of SolarWinds' Orion network-management software. Once the trojanized update was installed on thousands of servers, the threat actors had a foothold from which to reach the sensitive files and data of US government agencies, private enterprises, and publicly traded companies.

The SolarWinds attack primarily hit organizations through their IT networks, and it raised concerns about the impact this type of incident could have if it jumped to the OT networks of essential services and critical infrastructure. After all, the air gap that once separated the IT and OT worlds has eroded, leaving a risky pathway between them that is still not fully understood.

In late 2023, SolarWinds was back in the news. The Securities and Exchange Commission (SEC) filed charges against the company and its CISO, alleging that they defrauded investors by overstating the company's cybersecurity practices and understating the known risks that preceded the breach. The case is still being tried, but if the SEC prevails, the fallout from SolarWinds could once again reach beyond the realm of IT and seep into the OT world.

The case against SolarWinds is only the second time formal charges have been brought against a security executive over how a company handled the security of its own network. In 2022, a US federal jury found Joseph Sullivan, Uber's former Chief Security Officer, guilty of obstructing a Federal Trade Commission (FTC) investigation and of concealing a 2016 data breach from the agency.

A New Era of Cybersecurity Accountability
The two cases are fundamentally different. In the Uber case, a security executive concealed a breach from regulators; SolarWinds and its CISO are accused of misleading investors. Yet in both cases an arm of the United States federal government went after the security executive in charge, and each case demonstrates the government's appetite for personal accountability.

On the surface, it’s easy for OT companies to scroll past these stories. Uber is a transportation company that doesn’t own a single car, while SolarWinds is a software company. They are nothing like the factories and plants that build or produce automobiles, electricity, or refrigerators. Despite this fundamental difference, OT businesses that ignore these stories are doing themselves a disservice.

These cases serve notice to executives at all companies, publicly traded ones especially, that victims will be held accountable for attacks they should have seen coming and prepared for. It is not only prevention and detection capabilities that are on trial in the ongoing SolarWinds case; the decision-making that preceded the breach, and what the company said about its security posture, is now under scrutiny.

Companies have long faced government fines and consumer lawsuits after data breaches. These cases raise the stakes. The Uber prosecution was a criminal case that carried the possibility of prison time, and the SEC action, although civil, names the CISO personally. The message embedded in these actions is simple: businesses that fail to institute effective cybersecurity controls do so at their peril.

OT Operators Absolutely Must Take Notice
OT operators are notoriously less mature than their IT counterparts when it comes to cybersecurity. Industrial facilities are often old, running decades-old legacy equipment that was never designed with cybersecurity in mind alongside modern IIoT devices. The complexity of these environments, managed by people who rightly prioritize operational stability and production but too often discount cyber risk, has fostered a complacency that requires significant cultural change, backed by investment, to overcome.

A company with 20 factories built over the past 40 years and spread across 15 states is burdened with generations of incompatible technology. Many operators understand that they should retire archaic operating systems, patch the more modern operating systems and applications, and segment their networks, but they judge the cost too high. Because they perceive serious damage from a cyber attack as unlikely, many conclude that it costs less to do nothing now and deal with any fallout later.

The actions of the SEC and federal prosecutors should put those arguments to rest. The United States government is now signaling a high expectation of cyber resilience. Any OT company that chooses to ignore cyber risk to its operations, especially critical infrastructure, may find itself on the wrong side of its regulators and seated at the defendant's table in a federal courtroom.

Investing more in cybersecurity is now a matter of legal self-protection as much as operational protection. That means strengthening both reactive measures, such as threat detection and incident response, and proactive measures, such as risk management and network segmentation. One-shot projects will not suffice. Companies need a continuous program that aligns with established standards such as IEC 62443, the ISA/IEC series for industrial automation and control system security, so that their practices keep pace with evolving threats and regulatory compliance requirements.

Prioritizing cybersecurity investment improves an OT company's ability to respond to threats and, just as importantly, produces a documented record of proactive risk mitigation, which is exactly what regulators and courts will look for after an incident. Together, stronger reactive and proactive controls make up a strategy that guards against legal consequences while building resilience against evolving threats and a shifting regulatory landscape.