Last week, a major global factory and equipment control systems provider warned of USB drives potentially infected with malware, with the infection possibly introduced within a third-party supplier’s documentation imaging process. Although the malware was well known and can be mitigated, the development is yet another reminder of the comprehensive threat that supply chain wide vulnerability to cyberattacks presents.

Context

Among our Ferrari Consulting and Research Group’s 2018 Predictions for Industry and Global Supply Chains was a belief that cybersecurity risk and information safeguarding needs would consume supply chain risk mitigation and actions this year. We included this prediction because of the growing awareness that the supply chain remains the most vulnerable weak link for cyberattack or malware intrusion.

Reality

Thus far, the Supply Chain Matters blog has highlighted a number of concerning incidents. They include a July report that global automakers’ trade secrets may have been exposed when sensitive material involving more than 100 companies that had interacted or performed business with a small Canadian robotics company was found unprotected on the open Internet. That development came shortly after a former disgruntled employee at Tesla Motors allegedly stole intellectual and other confidential information and combined it with falsehoods in leaks to the media. A report from business network CNBC at the time indicated that, according to a filed Tesla lawsuit, a disgruntled employee admitted to investigators that he wrote software that transferred several gigabytes of data outside the company, including dozens of photographs and a video. In August, we called reader attention to a sobering and eye-catching account of the 2017 malware attack that involved global transportation and other European manufacturers and businesses. Reading the detailed account of how global shipping giant Maersk was, by luck, able to avoid a major operational disruption should be a wake-up call for IT teams to have well-defined cybersecurity and risk mitigation plans in place.

Last week featured a report of yet another concerning cybersecurity risk, this time involving the potential infection of USB devices containing product documentation. Schneider Electric has warned select customers that plug-in drives shipped with some of the firm’s solar power focused Conext Combox and Conext Battery Monitor products were “contaminated” during the manufacturing process. Schneider suspects that the USB media “may have been exposed to malware during manufacturing at a third-party supplier’s facility.” Schneider has informed affected customers that the malware in question should be detected and blocked by major anti-malware programs and that customers should not utilize the USB flash drives. Nonetheless, customers have been directed to “safely destroy” these drives.

A Schneider Notification issued in late August states in part:

“These USB removable media contain user documentation and non-essential software utilities. They do not contain any operational software and are not required for the installation, commissioning, or operation of the products mentioned above. This issue has no impact on the operation or security of the Conext Combox or Conext Battery Monitor products.”

The Schneider directive concludes with the statement:

“Users are also encouraged to maintain good end point protection including active malware detection and remediation as part of their cybersecurity maintenance program.”

 

Takeaway Perspective

When we published our 2018 prediction in early January, we made mention of a watershed cyberattack that occurred in late 2017. The suspected state-sponsored hackers targeted Triconex industrial safety technology provided by Schneider Electric, an application used in energy generation facilities including nuclear and oil and gas-powered plants. The incident was confirmed by Schneider and prompted a security alert to customers. At the time, sources with knowledge of the attack prudently declined to identify the source or location of the attack, and published speculation had indicated a possible Middle East based target. According to a published Reuters report, the incident had marked the first report of a safety system breach at an industrial plant. Since that incident, Schneider has been especially attentive to cybersecurity threats, including the statement noted above.

While this latest development is not at all on the scale or magnitude of the noted 2017 cyberattack, another warning coming from Schneider should be a wake-up call.

While the suspected malware in the USB drives can, per the advisory, be managed and removed by available anti-malware software, the reminder remains that many industrial and operational systems run without timely security patches, software upgrades or anti-malware updates. The notion that product documentation loaded onto a USB device can be a point of information security vulnerability emanating from an external supplier is yet another wake-up call for active cybersecurity practices.

Our advisory remains that it is imperative for manufacturing operational and supply chain related teams to actively collaborate with internal IT and supplier IT teams to scope, understand and act relative to vulnerable systems and potential points of supply chain wide malware or cyber threat entry.

Develop and maintain an active cyber threat action and mitigation response plan and ensure that it includes mitigating threats across all tiers of supply and product value-chain networks.

Bob Ferrari

© Copyright 2018. The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.