Home » Cyber » Cyber Security Center » Cyber Attacks on Supply Chain Systems

Cyber Attacks on Supply Chain Systems

by Ward Carroll on April 15, 2009

space-chain.jpg

Recently I was asked to give a presentation to a large defense contractor working on the issues surrounding cyber warfare. After my presentation, we had a roundtable discussion and the talk quickly focused on the topic of cyber countermeasures to protect supply chain systems. This is one of the areas that deserve a lot more attention than it has been given to date.

A cyber countermeasure is defined as an action, process, technology, device, or system that serves to prevent or mitigate the effects of a cyber attack against a computer, server, network or associated device. To put this into context it is a potential threat or actual aggressive action or event that is malicious in nature and one that can compromise the integrity of digital assets of an organization.

We typically think of cyber countermeasures as firewalls, anti-virus, anti-spyware, anti-malware, anti-adware and so forth. Advances and some recent cyber attacks require a more aggressive posture when it comes to cyber countermeasures. In the last several months a new and much more malicious style of attack has emerged. This style attack does not steal or delete data nor does it compromise or disrupt computer or network operations. Its mission is much more sinister.

The attack modality changes data stored on, processed by a system or communicated via a network. Consider this — what if instead of stealing passwords, they change them? The disruption on high volume transaction systems operations when the users cannot get on would be substantial. That being said, this attack modality can have much more significant implications.

Consider an attack against a Supply-Chain Management (SCM) system. When you look at supply chain system their function is core to operations at the majority of organizations in the public and private sector. When we ran this through our Scenario-Based Intelligence Analysis discovery process we identified the following major impacts (partial list).

Top Three Military Impacts:

  • Operational disruption due to inventory outages
  • Mission delays due to perceived shortages of critical inventory items
  • Substitution of an approved vendor with a covertly hostile supplier of compromised products

Top Three Business Impacts:

  • Overstating or understating inventory values on the balance sheet
  • Increased out-of-stock conditions thus impacting customer service and loyalty
  • Expending cash on inventory that is already in an overstock condition

The supply-chain example is not the most damaging. How about an attack on a hospital system that changes medication dosage levels? That could actually kill people. When you start to really think about this style cyber assault, you want to ask the question — what would we do if we could not rely on the information on computer screens?

The military as well as the public and private sectors are increasingly dependent on electronic systems. At the same time, the vulnerability of these systems to attack from malicious individuals or groups is growing. We have to conclude that companies should consider increasing security and monitoring of SCM systems to ensure the integrity of the information we rely on.

The United States is the most computerized country in the world. That is what makes cyber warfare and cyber terrorism so concerning. When you add the fact that most of our security professionals’ egos make them believe their systems can’t be compromised because they are better and know more than everyone else and that seems to be pervasive in that discipline, the risk becomes extreme.

Kevin Coleman

Share |

{ 15 comments… read them below or add one }

CR April 15, 2009 at 5:04 pm

It’s unfortunate that most people don’t see just how vulnerable we are to this type of attack/exploitation. It also blurs the line between what constitutes a real ‘act of war’.
In a sense this is the truest form of Manuver Warfare as it’s consequences can produce what is termed ‘dislocation’.
Suppose for instance you have two units from two differing sides that mean to contest a single objective. If side B compromises the network and supply system of side A and thus the unit from side A is not operationally available, side B takes the objective without ever having fired a shot.
Prepare…this type warfare is here….

Reply

Ptsfp April 15, 2009 at 8:11 pm

Isn’t this in a way what was done to the Iraqi Command and Control during our invasion? I heard that we owned their radar/ computer systems and that we could add targets and remove them from their military tracking systems pretty much at will. We hid the fact that we were working in a certain area and made it look like we were massed in another. Pretty effective.
Also, on the business side, with most companies now running a “zero” or “just in time” inventory system, production could really be impacted. This could effectively shut down manufacturing which relies heavily on certain parts arriving at the right time and in the correct order.

Reply

Oblat April 16, 2009 at 5:21 am

The Coming White-Goods Attack.
The large number of American white goods are manufactured in China, leaving the American mainland wide open to attack by cyber-white-goods attack. This is a frightening new development that has been raising high levels of anxiety in
the unnamed pentagon staffers I’ve been schmoozing.
Gone are the days of the mechanical relay sequencer many of the doubters will be familiar with.
Modern white-goods are all computer controlled, often with processors running at clock speeds higher than the original PC. As the treat technology increases so too must prudent countermeasures.
Hours of role playing with a select group of paranoid schizophrenics at my local clinic has revealed a frightening number of possibilities.
1) Tumble dryers once activated could be programmed to never switch off. The “run away dryer” scenario is considered a leading threat by the group. It forces owners to risk life and limb trying to pluck their spinning clothes from the red hot drums. The cost to the US economy in time wasted getting dressed alone is conservatively estimated to be
approximately in the ball park of billions of dollars.
2) Dishwasher kill switches could be used to disable dishwashers on a random basis nationwide. Leading to a sanitation and public health breakdown. The spread of cholera and typhoid alone would kill 200,000 people in the first 6 weeks and the reek would be horrible.
3) Washing machines could even be programmed to give electric shocks to American mothers – killing them dead. A number of participants testified that they were certain that their washers were already infected with viruses as they never seemed to be able to get a simple wash-rinse-spin cycle out of the things. One participant said his machine refused to do anything but spin cycle, and another that he couldn

Reply

The Cenobyte April 16, 2009 at 9:48 am

I am sure you are sick of hearing me say this, but as long as I keep seeing crap like this I am going to keep saying it. Cyber security is not something you can just break for a wide spread group of systems all at once. Hacking into a cyber system is a slow and labor intensive process and once you are in you are only in one system. Often locked down from other system in the same company/group/agency (Requiring you to start all over again if the first system was not your target just your gateway). After you have completed that you then have the issue that your hack is only good for a limited time, could be only 10min but will likely last less than a year. Now that you are in the kinds of problems you can cause in most systems are really nothing more than a financial inconvenience and more or less easy to recover once it is known there is an issue. So to cause a big problem you just have to do that a few thousands more times before anyone notices or patches the issues you are exploiting.
Let me put it another way, what they are suggesting above is that group X could put 7-11 out of business if they just set about stealing their supply trucks. They would have to steal thousands of trucks before 7-11 had an issue at all taking hundreds of thousands of man hours in execution alone and I would suggest that while 7-11 would have a bad week, they would be fine by the next one. (There are about 6500 7-11s in the US, with deliveries almost daily)
Don’t get me wrong here, cyber-security is important, but most of you guys sound like Homeland security and the TSA when you talk. It’s crap, the only difference is that when the TSA says bringing 3.5 oz of soda on a plane is dangerous we all know it’s crap, but when someone says that cyber security sky is falling most people don’t know enough to call BS.

Reply

Cyberdude April 16, 2009 at 10:47 am

I agree with Cenobyte. If systems were so integrated as to make this sort of thing a true concern, the manufacturing world would run so much smoother and we wouldn’t be losing ground to China and others. Truth is, corporate supply chain systems are almost always a conglomeration of hodge-podge sub-systems, implemented at different times and various levels of integration, making a wholesale hacking of them difficult. Not because they’re well-designed or well-protected, but because they often don’t talk to each other directly or even at all. I’ve made a living out of trying to get information out of various systems and collating it together into something that management can use to make decisions. If I wanted to disrupt a company’s systems, I’d launch a more traditional attack to deny them access to public networks, or annoy the piss out of them and force them to spend money cleaning up viruses and such. But, to break in covertly and somehow *alter* their data so as to compromise their ability to deliver? I just don’t think corporate America has spent enough money modernizing their systems to that level of integration. Widget makers make widgets, and often view computers as a necessary evil to help them make widgets faster and cheaper. Rarely do they invest the kind of money necessary so that every system talks to every other system like it really should. And if all those computers go down, they’ll still make widgets and get them on the truck, because they learned how to do that long before they ever had a computer.
That said, Oblat makes me wanns go unplug my dryer.

Reply

Fred April 16, 2009 at 11:06 am

I have to say you many of you need to update your data. Major corporations ARE fully integrated with their suppliers and have been for years. One $68 billion company is integrated back thru vendors to the component producer. One $20 billion utility is integrated thru to the point where the product supplier/producer can access their products to conduct maintenance and troubleshoot. Is this the case across the board NO. But there is a huge community of large corporations and organizations that are fully integrated with their top suppliers. It would be nice if the posters on here would update their knowledge before they spout off and post outdated data!

Reply

The Cenobyte April 16, 2009 at 12:09 pm

Fred, I hate to tell you but the term integration doesn’t mean crap. It’s a corp. buzz word used only to mean that they have a system for making two systems talk to each other. As often as not this ‘system’ used for integration still requires huge amount of manual intervention. When it does not it’s because someone somewhere wrote a third bit of software that makes info from one system, translates it and then pushes it to another because the two systems they are ‘integrating’ don’t know how to speak to each other, hell they were likely built to be used by a person not another machine at all. (You would be shocked at home many banking transactions in the world are completed by a PC running a bit of screen scraping software against a mainframe emulator, parsed by custom in house built filters and dumped into a DB somewhere).
But let

Reply

FRED April 16, 2009 at 12:36 pm

Cenobyte GET A CLUE!!! I am a consultant that worked on those systems and know how tightly integrated that are. You people think you know it all and you are not in the game or even in the arena.

Reply

The Cenobyte April 16, 2009 at 2:06 pm

Well crap Fred thanks for opening my eyes. I guess I should quit VP job here at this tiny little bank (third largest in US), turn down all my future network security seminars and consulting gigs and go dig myself a hole somewhere to live in cause obviously I don’t know what I am talking about. I mean with great arguments like ‘Get a clue’ how could I ever even look at myself in the mirror again.
Fred let me guess, you are an IT security consultant for a mid to large size firm that makes all its money from selling services and systems to protect the world from this up and coming threat. You spend most of you days trying to convince guys just like me that we need your new multi-million dollar gizmo that will protect us from the terrorist on the internet.
I understand that important for guys like that to make a living and fear is your huge selling point. But just because you want it to be true doesn’t make it true.

Reply

The Cenobyte April 16, 2009 at 2:17 pm

Peter, you my friend have picked up on the only thing that could be an issue in this ‘report’. Thankfully the military logistics system isn’t even that close to integrated and supply personal at the company level still keep paper records (Although from my experience not as well as they used too), I can’t tell you about above that. Add to it that you would need a physical connection to the SAP and I think you have come up with a fairly difficult assignment. First you have to get to a place where there is a physical connection (I don’t know the newish DOD supply chain software works so don’t quote me on this) and then you have to get past the basic network security. (ID cards are required to connect to most systems via encryption making man in the middle attacks very difficult).
If the govt wanted to spend more money on security for their systems, I am all for it. I just find it difficult to believe that much more than what is already being spent needs to be spent for private enterprise. If so no other reason that cost of implementation is way higher than being compromised.

Reply

Fred April 16, 2009 at 5:39 pm

Cenobyte
Well You my friend struck out!!!
I am not a security consultant. I work as a consultant in Supply Chain! The government should not spend more they should spend smarter!!! I think a call to DLA will prove you are way wrong about the level of integration and how far along they are moving to paperless. Yes DLA is a client as well. In total we have consulted to organization with supply chain spend totaling nearly $100 billion annually. In addition, your comment about a direct connection to SAP clearly shows you are misinformed about the current state of system compromise.
You really need to come up-to-speed before you make the comments you made.

Reply

nash April 16, 2009 at 6:30 pm

Fred

Reply

Ptsfp April 16, 2009 at 10:16 pm

Yeah, the arrogance of large system server guys is brain numbing.
The arrogance is like the politicians who are pro gun control, when they live in large cities with a complete security system in their home, armed body guards, and where police are just 30 seconds away if something happens. They just can’t understand why the average Joe who lives out in the country, 30 minutes away from police would want a gun for home protection.
There are so many holes in a network that it is very hard to close them all. Just pick up a server 2003 how-to book, it has more pages than a Bible, and fewer pictures too.
As I have said before, security guys usually secure systems with check lists, group policies and auto patching software. They are very linear thinkers, if the box has been checked, rarely do they go back and double check it. Hackers on the other hand think out of the box.
As the size of the network grows, so do the holes. Also, I have seen lazy admins use simple administrator passwords in a secure corporate facility. Penetration testers rapidly took over several boxes because people used “password” or “P@ssw0rd” as the admin password.
Our arrogance is our biggest downfall…

Reply

Oblat April 17, 2009 at 7:22 am

Now the sharks are just searching for new markets to peddle their fear, because
the utility industry is just laughing at them. So it’s on to supply chain management.
The reality is that people aren’t dying, money isn’t vanishing and wars aren’t being lost because
of cyber anything. Where are the facts on the damage being done ? Lets see a single death, a
single bank taken down by cyber attack a single battle lost due to cyber attack.
There are none – because this is just trying to create a market using fear uncertainty and doubt.
It’s the oldest scam in the consultants book it’s just that now the snake oil salesmen are trying to
wrap it up as a national security issue. That the DoD gives air time to these people just shows how
rotten the system is
Meanwhile ordinary credit card fraud is going through the roof, but hey you don’t want to fix that problem
thats a real problem that requires real solutions. Snake oil dosent work on real problems.

Reply

The Cenobyte April 17, 2009 at 8:11 am

Ptsfp is the only guy here that really hit the nail on the head with security issues. Most security issues are internal. Either employees hacking or giving information to those that will (either via social eng or with knowledge what they are doing is wrong). I am not going to say that the company I work for never has issues, it’s just that as far as we can tell none of our network security issues have ever come from the outside. Remember that the only server completely safe from network attacks is the one you left unplugged.
Now if what you are saying is the the rest of the world is not spending the time and money on security and I have my head in a hole with my ‘huge’ budget then let me applogize (I have been here a very long time), but I can tell you from my point of view, the people we work with, the companies we have merged with have always been pretty good about security.
As to the company I work for, we made money last year, and will make money again this year, and as much as I would like to take credit for that, I keep the NOC and DMZ secure not run the bank.

Reply

Leave a Comment

Previous post:

Next post: