CISA urges affected organizations to take action in response to exploitation of SolarWinds software

by Paul Ciampoli
APPA News Director
December 14, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) on Dec. 13 said that it is aware of active exploitation of a vulnerability in versions of the SolarWinds Orion Platform software.

Versions 2019.4 through 2020.2.1 of the software were released between March 2020 through June 2020.

CISA, which falls under the purview of the Department of Homeland Security (DHS), is encouraging affected organizations to read SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures. FireEye is a cybersecurity firm.

In its security advisory, SolarWinds said it was made aware that its systems “experienced a highly sophisticated, manual supply chain attack” on SolarWinds Orion Platform software builds.

“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” SolarWinds said.

In the security advisory, SolarWinds offers several steps for parties to take related to use of the SolarWinds Orion Platform.

Meanwhile, DHS on Dec. 13 said that the relevant SolarWinds Orion products are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems, DHS said. Disconnecting affected devices is the only known mitigation measure currently available, it said.

DHS said that CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to federal civilian executive branch agencies and requires emergency action.

This determination is based on: (1) Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems; (2) High potential for a compromise of agency information systems; and (3) Grave impact of a successful compromise.

“CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise,” DHS said.

ESCC

“The electric power industry takes all vulnerabilities and threats to the energy grid and our supply chains very seriously, including the latest SolarWinds Orion Platform vulnerability that cuts across many sectors,” the CEO-led Electricity Subsector Coordinating Council (ESCC) said in a Dec. 14 statement.

The ESCC “is highly engaged and already has conducted a situational awareness call on this threat,” the ESCC said.

The North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center (E-ISAC) also has provided potential indicators of compromise and other technical data that electric companies, public power utilities, electric cooperatives, and independent power producers in North America are utilizing to run comprehensive diagnostics of their systems to identify and to remediate any threat exposure, the ESCC noted.

“This information sharing is representative of the strong industry-government partnership that the ESCC embodies and is vital to guarding the energy grid from all possible threats,” the ESCC said.

Public power utilities should follow the guidance from the E-ISAC “as well as the Cybersecurity and Infrastructure Security Agency (CISA) as this situation unfolds,” said Sam Rozenberg, CPP and Director of Security and Resilience at the American Public Power Association.

Questions related to this development can be directed to: Cybersecurity@PublicPower.org.