Insights blog.

The SolarWinds supply chain attack did more than just create cybersecurity problems for businesses and government agencies – it has had a strong impact on the mindset of CISOs. Already under stress, the incident further dispirited many CISOs who continually face escalating cyber threats. The SolarWinds hack was the latest – and biggest – shot across the bow. 

The SolarWinds hack, discovered in late 2020 when FireEye announced it had been targeted through a third party vulnerability, has now become one of the most widespread and impactful supply chain attacks in history. 

In light of the cyber attack targeting SolarWinds, security and risk professionals are working to identify instances of the Orion software within their organization -- including their broader partner ecosystem -- and reduce their exposure.  How responsive have organizations been to the SolarWinds hack?  

The cyber attack targeting SolarWinds, a provider of network and system monitoring software, is shaping up to be one of the most significant attacks against a critical supply chain partner, with significant implications for national security. Similar to NotPetya, the attackers compromised a software provider in order to gain access to the trusted update channel. Any organization using specific versions of the SolarWinds Orion Network Configuration Manager (SolarWinds Orion) product is presumed to be at risk.   

Earlier this month, ZDNet broke the news that the FBI had sent a cybersecurity alert to the U.S. private sector warning of an ongoing hacking campaign against supply chain software providers. According to the FBI, hackers are attempting to infect upstream companies — particularly those in the energy sector — with the Kwampirs malware, a remote access trojan (RAT).

On October 20th, 2019, authorities in India confirmed that one of its nuclear power plants had been hacked. The malware attack on the Kudankulam Nuclear Power Plant (KKNPP), first noticed on September 4th, has since been attributed to the North Korean state-sponsored threat group known as Lazarus.

A new report from McKinsey & Company sheds light on something we’ve known for many years – organizations are struggling to make significant progress in managing cybersecurity risk in their supply chains.

The North American Electric Reliability Corporation (NERC) has developed a new set of cybersecurity standards designed to help power and utility (P&U) companies limit their exposure to third-party cyber risks and preserve the reliability of bulk electric systems (BES).

The development and deployment of software applications is inherently risky; a number of things can go wrong both during development and after launch. Project and product managers must stay aware of risks coming from a variety of areas, including:

On October 15, 2015, UltraDNS experienced a technical issue that led to a widely publicized outage, bringing down websites for Netflix, Expedia, and others for over an hour. In a separate incident on April 8, 2015, Sendgrid, a cloud-based email delivery service, experienced a breach where an undisclosed number of customers and employee usernames, email addresses, and passwords were stolen using a compromised employee email account. Bitsight has just published its latest Bitsight Insights report, Risk Degrees of Separation: The Impact of Fourth Party Networks on Organizations, finding that a surprising number of companies examined were associated with these and other popular cloud providers.

On August 24, 1992, Hurricane Andrew devastated South Florida and Louisiana, leaving a trail of destruction in its path. The estimated payout from insurance claims totaled $15.5 billion ($26.4 billion in 2015 dollars). Due to the overwhelming number of claims filed, 11 insurance companies went bankrupt and some reports show that if the path of the storm had directly crossed Miami, the entire insurance industry could have collapsed. As a result of the massive tragedy, the insurance industry restructured their approach to risk modeling and began to focus on aggregate risk.

Many of the facts surrounding the Target breach still remain unclear, even as details continue to emerge publicly. We still don’t know what the final tally of breached organizations will be, but the list keeps growing. In addition to who else has been breached and the impact on their customers, another factor we need to consider is how Target's business partners may be impacted. In a data breach on any retailer, card issuers, payment processors, insurers, suppliers and other parties may face substantial loss as the investigation and recovery costs ripple through these networks.