AI and supply chain visibility key to mitigating OT security threats

The relentless cyber attacks against critical information infrastructure (CII) such as utilities, transportation and manufacturing are showing no signs of abating. Threat actors and adversaries have discovered that the operational technology (OT) underpinning these critical resources are vulnerable to cyber threats.

They've also discovered that a successful attack can be devastating to a country’s citizens and cause political and economic uncertainty. The ransomware attack on the Colonial Pipeline in 2021 resulted in cancelled flights and millions of Americans unable to purchase fuel for their automobiles. The attack against the Ukrainian power grid in 2016 had also left 700,000 people without power in the middle of winter. 

Singapore is not immune to these threats. As a country dependent on highly connected technologies to maintain its water, energy, transportation, petrochemical and manufacturing capabilities, combined with the evolving transboundary cyber threat landscape, Singapore is seen as a potential target. The attackers’ motivation might be political, as was the case in the attacks on the Ukrainian power grid, or purely financial, as was the Colonial Pipeline attack, but the impact can be crippling if Singapore is not prepared.

The formation of the Operational Technology Cybersecurity Expert Panel (OTCEP) by the Singapore government is a significant step forward. By tapping the combined experience of industry experts from around the world, Singapore has developed world-class policies and procedures and shared that expertise with the stakeholders responsible for its critical systems.

The 2020 attack on SolarWinds has underscored the vulnerabilities in the software supply chain that could be exploited by threat actors. It revealed how attractive it is for threat actors to attack a trusted supplier to gain access to their intended targets — in this case, multiple US military and government agencies.

In total, the attackers gained access to over 18,000 corporate and government systems at major telecommunications firms, power companies and most of the US Fortune 500 companies. Fortunately, the attackers only chose to exploit a tiny fraction of these beachheads — estimates by the US Cybersecurity and Infrastructure Security Agency (CISA) say under 100, but still it was a tidy day’s work after compromising a single software company.

Since this high-profile incident, software supply chain attacks have been increasing at an alarming rate of 742%, according to Sonatype. Governments in the US and Europe have acknowledged the urgency of this threat, swiftly issuing new legislation and directives. I expect to see other regions follow suit. No country is immune because software supply chains cross borders, and thus cooperation is key. 

I’ve been asked what worries me more, ransomware or supply chain attacks. I usually reply “the combo” because they are not mutually exclusive. Ransomware is the payload; the supply chain is the attack vector. Attackers are beginning to “mix-and-match” their strategies, as we saw in the 2021 Kaseya attack.

Kaseya, which makes software used by many managed security service providers, was the inadvertent vehicle for distributing ransomware to over 800 small and medium-sized businesses (SMBs). Fortunately, most SMBs don’t operate OT systems, but the effectiveness of a hybrid attack was certainly not lost on Singapore’s threat actors and adversaries. 

Ensuring software supply chain security is now a critical aspect of overall business strategy, especially for companies in CII sectors. Transparency across the software supply chain and awareness of all third-party embedded software can help save lives and protect the critical processes and equipment that society relies upon.

With the emergence of disruptive technologies, it is crucial for OT system operators and suppliers to be ready to innovate.

Consider the role of artificial intelligence (AI) in cyber security — will it be a hero or a villain? Researchers have demonstrated how threat actors can take advantage of generative AI systems like ChatGPT to poison the software supply chain. While developers may look to AI to recommend software packages in common repositories, the suggestions they get back often contain “hallucinations” — realistic sounding packages that don’t actually exist. All an adversary needs to do is create a malicious package, name it after the hallucination, and wait for unsuspecting developers to include it in software they create. 

The fact that threat actors are leveraging AI is all the more reason to embrace new technologies to counter their strategies and prevent rather than react to attacks. AI offers powerful analytics capabilities to perform tasks that would otherwise require huge cyber security teams to spend vast amounts of time on tasks better suited for a machine.

For example, the only feasible approach to performing continuous, real-time vulnerability tracking across the many millions of products and vulnerabilities announced each year is to use machine learning and natural language processing. It is simply not a job for human beings, who can add far more value elsewhere. 

Looking forward, expect to see more regulatory initiatives and a growing appetite in the private sector for the same level as transparency that governments are now requiring. Software bill of materials (SBOM) as a form of software attestation is now a mainstream expectation, and tools which generate and manage SBOMs are becoming widespread. Greater visibility into the software supply chain security will become a board-level objective as companies seek to quantify and limit risk.

The pace at which generative AI technology is advancing, and the poor defences we currently see in most software supply chains demand global attention. The OTCEP forum provides an ideal opportunity for OT cyber security practitioners from around the world to share their experiences and learn best practices to enhance Singapore’s OT cyber resilience.  

Eric Byres is a member of Cyber Security Agency of Singapore’s Operational Technology Cybersecurity Expert Panel comprising cyber security experts from around the world. He is also chief technology officer of aDolus Technology, a cyber security research and development company focusing on improving the cyber security of the software supply chain for OT.