SolarWinds, SunSpec Blockchain, and the Security of Software Updates

While the cybersecurity world was occupied analyzing the epic SolarWinds attack, the SunSpec Alliance quietly released its SunSpec Blockchain specification for public comment. Those familiar with the SunSpec effort know that it addresses supply chain cybersecurity attacks. So the obvious question is: how does SunSpec Blockchain prevent attacks such as SolarWinds?

The SolarWinds attack is a supply chain attack. In the cybersecurity world, a supply chain attack refers to a breach that originates through a supplier. For example, if you are a company and you rely on a third-party supplier for payroll, a supply chain attack would first compromise your payroll supplier, and then exploit your trust in the payroll supplier to attack your infrastructure. SolarWinds is a supplier of cybersecurity monitoring software to hundreds of thousands of companies. A foreign attacker was able to compromise SolarWinds’ software update system to deliver malicious code to tens of thousands of SolarWinds software installations at customer sites. The attacker then used the malicious code as an entry point into other parts of the corporate network.

SunSpec Blockchain addresses a certain kind of supply chain attack: attacks that steal cryptographic private keys (see our October 2019 blog post). Private keys are an integral part of software update systems such as those used by SolarWinds, and they can be compromised if not managed correctly. For example, in 2015 D-Link exposed its software update private key and hackers used it to push malicious code to D-Link routers. In SolarWinds’ case it is unlikely the attackers stole SolarWinds’ private key and used it to sign malicious code. They most likely targeted systems further upstream. However, we do know that the attackers showed a tremendous amount of patience in understanding SolarWinds’ development process to discover its weaknesses. Cybersecurity is only as strong as its weakest link, and if a code signing private key is not protected correctly, persistent hackers will exploit it to do the same damage as they did with SolarWinds.

The most sophisticated hackers in the world are targeting supply chains to wreak havoc. The time is now to tighten up security at all stages of the supply chain, not just the ones that were exploited at SolarWinds. This includes ensuring the security of private keys. If you are a supplier of solutions that help secure private keys, please reach out to join our industry-wide effort. If you are a corporation that wants visibility into how your suppliers secure their private keys, please contact us. Don’t wait for a big private key attack to take action; it might be too late.