Dive Brief:
- The SolarWinds malware was so widespread that indicators of compromise (IOCs) have been found on computer networks that did not use the compromised system monitoring platform, federal regulators said last week in a new report on fallout from the attack.
- The electric sector must demonstrate "continued vigilance" in order to protect the grid from hackers, according to the joint white paper prepared by staff of the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation's (NERC) Electricity Information Sharing and Analysis Center (E-ISAC).
- In response to a rise in cyberattacks on critical infrastructure, a House Energy and Commerce subcommittee on Tuesday announced a July 20 hearing to examine the growing threat. The hybrid event, "Stopping Digital Thieves: The Growing Threat of Ransomware," will look at recent attempts to disrupt the U.S. energy, food and water sectors.
Dive Insight:
The massive SolarWinds breach, along with recent attacks on Colonial Pipeline, the meat processing giant JBS and the water treatment facility for Oldsmar, Florida, has alarmed government and industry, highlighting vulnerabilities across U.S. critical infrastructure.
"Ransomware attacks are a rising national security threat, having devastated both private businesses and some of our most critical infrastructure in the last few years," Rep. Frank Pallone Jr., D-N.J., said in a joint statement with Rep. Diana DeGette, D-Colo.
Pallone chairs the House Energy and Commerce Committee and DeGette leads its Oversight and Investigations subcommittee, which will host the hearing. The event was announced a week after FERC and NERC warned the electric sector must remain on constant guard, with recommendations from their white paper including checking networks for IOCs regardless of whether the SolarWinds platform was used.
IOCs "have been found on networks without SolarWinds," the report said. "Although SolarWinds may not have been used by entities, their key suppliers may use the product. Should the suppliers be compromised, the supplier in turn could compromise their customers, including those without SolarWinds."
The SolarWinds attack exposed about a quarter of North American utilities, according to NERC. No subsequent activity from hackers was detected beyond the initial breach, however.
There is evidence, the NERC-FERC report says, that technology firms were targeted for the potential to spread the malware and that it may be more difficult to remove than previously thought.
While SolarWinds software has been updated since the attack, the white paper notes the U.S. Cybersecurity and Infrastructure Security Agency has warned of vulnerabilities "that are unrelated to the inserted malicious code and may therefore survive its removal."
Finding IOCs on networks that did not utilize SolarWinds is likely because "components are sometimes included in other software products, presumably to make monitoring easier," security consultant Tom Alrich said in an email.
Alrich has been involved in the development of a transparency initiative at the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) to pilot the use of Software Bills of Materials (SBOMs) in the energy sector. An SBOM lists the components that make up a piece of software, including third-party libraries bundled inside a vendor's product, which lets end users find and patch known vulnerabilities in those components.
President Joe Biden issued an executive order in May to require SBOMs in government procurements, to allow for more efficient tracking of known vulnerabilities.
"This is a good example of how having SBOMs for the software you use can help you in risk management," Alrich said. The tool would allow companies to quickly answer the question, he said, "are we running SolarWinds components anywhere on our network?"
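The question Alrich poses is a lookup over SBOM data. The following is an added example, written for this page and not code from the article, the NTIA pilot or any vendor it names: it walks a small set of CycloneDX-style JSON SBOMs (the three applications, their components, versions, publishers and purls are constructed for illustration) and reports every component whose name, group, publisher, supplier or purl mentions a given vendor. It descends into nested sub-components, so a library bundled inside another vendor's product, the situation Alrich describes, is reported as a transitive match alongside direct dependencies.

```python
"""Search a fleet of CycloneDX-style SBOMs for components from one vendor."""
import json


# Constructed sample SBOMs for three hypothetical applications. Component
# names, versions, publishers and purls are invented for this example.
SAMPLE_SBOMS = {
    "ops-portal": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "SolarWinds.Orion.Agent",
             "version": "2020.2.1", "publisher": "SolarWinds Worldwide, LLC",
             "purl": "pkg:nuget/SolarWinds.Orion.Agent@2020.2.1"},
            {"type": "library", "name": "Newtonsoft.Json", "version": "12.0.3",
             "purl": "pkg:nuget/Newtonsoft.Json@12.0.3"},
        ],
    }),
    "inventory-dashboard": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "application", "name": "ACME Monitoring Agent",
             "version": "3.1.0", "supplier": {"name": "ACME Tools"},
             # Nested sub-component: the vendor bundled a third-party library.
             "components": [
                 {"type": "library", "name": "Orion.Core.BusinessLayer",
                  "version": "2019.4.5200", "supplier": {"name": "SolarWinds"}},
             ]},
        ],
    }),
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "requests", "version": "2.25.1",
             "purl": "pkg:pypi/requests@2.25.1"},
        ],
    }),
}

# Fields that identify who produced a component; 'supplier' is an object.
SEARCH_FIELDS = ("name", "group", "publisher", "supplier", "purl")


def _field_text(value):
    """CycloneDX 'supplier' is an object ({"name": ...}); other fields are strings."""
    if isinstance(value, dict):
        return str(value.get("name", ""))
    return str(value or "")


def iter_components(components, path=()):
    """Depth-first walk over a CycloneDX component list, descending into the
    optional nested 'components' array so bundled sub-components are seen too.
    Yields (path, component), where path is the chain of name@version strings."""
    for comp in components or []:
        here = path + (f"{comp.get('name')}@{comp.get('version', '?')}",)
        yield here, comp
        yield from iter_components(comp.get("components"), here)


def find_vendor_components(sbom_json, vendor):
    """Return every component in one SBOM whose identifying fields mention
    `vendor` (case-insensitive), with its nesting path and whether it is a
    direct (top-level) dependency or one bundled inside another component."""
    bom = json.loads(sbom_json)
    needle = vendor.lower()
    hits = []
    for path, comp in iter_components(bom.get("components")):
        haystack = " ".join(_field_text(comp.get(f)) for f in SEARCH_FIELDS).lower()
        if needle in haystack:
            hits.append({
                "component": comp.get("name"),
                "version": comp.get("version"),
                "path": " > ".join(path),
                "direct": len(path) == 1,
            })
    return hits


def scan_fleet(sboms, vendor):
    """Answer 'are we running <vendor> components anywhere?' across a fleet:
    maps each application name to its matching components; applications
    with no matches are omitted."""
    report = {}
    for app, sbom_json in sboms.items():
        hits = find_vendor_components(sbom_json, vendor)
        if hits:
            report[app] = hits
    return report


if __name__ == "__main__":
    for app, hits in scan_fleet(SAMPLE_SBOMS, "solarwinds").items():
        for h in hits:
            kind = "direct" if h["direct"] else "transitive"
            print(f"{app}: {h['component']} {h['version']} ({kind}) via {h['path']}")
```

In the sample data, "ops-portal" carries a direct match and "inventory-dashboard" only a transitive one, buried under another supplier's agent; a search that looked only at top-level dependency names would miss the second. Matching on supplier and purl rather than name alone is what makes that case visible. In practice the SBOMs would be loaded from the files vendors ship, and the vendor string would be replaced or extended with the specific affected component names and versions published in the relevant advisory.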
Lila Kee, chief product officer at GlobalSign and manager of the company's North and South American operations, said in an email that the SolarWinds attack "changed the cybersecurity game for the electricity industry." The company is a provider of digital identity solutions, and has been advocating for FERC to require utilities to use SBOMs.
"This will enable electricity providers to have a much clearer view of their software supply chain," Kee said. An SBOM recommendation was not included in the NERC-FERC white paper.
"I am not that surprised since our recommendation to FERC is still being evaluated. I'm hopeful that, in its next set of recommendations, the SBOM approach will be included," Kee said. "Because understanding what's in your supply chain is absolutely critical."
The white paper did include a host of other recommendations, however, including that companies in the energy space "consider a systemic risk-based approach for protecting the most critical of the critical assets," implement the National Institute of Standards and Technology cybersecurity framework, and establish a baseline of critical access and administrative privileges against which unexpected changes can be detected.
The report "provides a solid foundation for responding to these particular events," Syed Belal, director of operational technology cybersecurity consulting services at Hexagon PPM, said in an email. "The actions and remediations recommended provide concrete steps to help prevent these specific attacks."
However, Belal added that companies must be concerned about the next attack.
"While prevention is important, companies should assume their systems will be infiltrated and should invest in processes and technologies that will allow them to minimize the impact of such attack and restore operations as quickly as possible," he said.