The LockBit ransomware group, which we have blogged about before and which has been known to target UK institutions in particular, has taken credit for the attack. It is not yet known how they managed to infiltrate Zaun. At this point, one question to ask, given the sensitivity around their projects, is: what security controls were in place at Zaun, and why did they fail to stop the attackers?
We do not know their internal security posture, but we do know that not enough suppliers to critical national security systems, in the UK and to other governments, have adequate security controls in place, undermining the entire national security ecosystem of the country in question.
You could make the argument that Zaun are “only” a fencing manufacturer and that, despite being hacked, very little information came out other than details of the fencing in place at military and defence installations. However, it is symbolic of the issues that the UK and other governments face when it comes to supply chain security.
So what can suppliers do better?
Properly segregating systems that handle secure information is a good place to start, and it is by far the most important way in which suppliers can do better. A poorly segregated network is one that is primed for attack. Most businesses also do everyday business with ordinary organisations, well away from any sensitive work. That everyday work should be segregated off from the sensitive systems, even if it is just processing purchase orders, as the Zaun attack hints.
Use secure hardware to provide segregation including Hardsec and FPGAs
Simply having a segregated network away from normal business activities is not ideal, as communications still need to happen to and from the segregated network. So most organisations here usually opt for a data diode. However, data diodes fall short when two-way, reliable communications become a requirement.
That's where an FPGA-based hardware security solution comes in. It provides the ability, in hardsec, to connect a supplier's segregated network to their normal corporate operations in a seamless way, without compromising on security.
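To make the distinction between a one-way diode path and a validated two-way gateway concrete, here is an added example (not code from the original post, and not a description of any particular product): a small zone-to-zone flow policy checker run over a handful of constructed flow records. The zone names, the protocol allowlist and the sample log are all assumptions made for this illustration. Traffic that travels against the direction of a diode, or reaches the segregated zone by a path the policy does not know about, is raised as an alert rather than merely denied, because on a real diode it should be physically impossible.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str


# Constructed policy for this example. A data diode is physically one-way, so
# it is listed as an ordered (from, to) pair; here it exports logs from the
# segregated zone to a monitoring zone.
DIODE_LINKS = {("secure", "monitoring")}

# A hardware (e.g. FPGA-based) gateway can carry two-way traffic, but only for
# the protocols it has been built to validate. Here it links the segregated
# zone with corporate systems for purchase-order processing.
GATEWAY_LINKS = {
    frozenset({"secure", "corporate"}): {"erp-orders"},
}

SEGREGATED_ZONES = {"secure"}


def evaluate(flow: Flow) -> str:
    """Classify one observed flow as 'allow', 'deny' or 'alert'."""
    if flow.src_zone == flow.dst_zone:
        return "allow"
    if (flow.src_zone, flow.dst_zone) in DIODE_LINKS:
        return "allow"
    pair = frozenset({flow.src_zone, flow.dst_zone})
    if pair in GATEWAY_LINKS:
        return "allow" if flow.proto in GATEWAY_LINKS[pair] else "deny"
    if (flow.dst_zone, flow.src_zone) in DIODE_LINKS:
        # Traffic against the direction of a diode cannot cross the diode
        # itself, so seeing it means a bypass path exists somewhere.
        return "alert"
    if flow.dst_zone in SEGREGATED_ZONES:
        # Any other path into a segregated zone is unexpected.
        return "alert"
    return "deny"


def parse_log(text: str) -> list:
    """Parse constructed flow records of the form '<timestamp> <src> <dst> <proto>'."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto = line.split()
        flows.append(Flow(src, dst, proto))
    return flows


def summarize(text: str) -> Counter:
    """Count decisions over a whole log."""
    return Counter(evaluate(f) for f in parse_log(text))


# Constructed sample flow log (timestamp, source zone, destination zone, protocol).
SAMPLE_LOG = """\
2023-09-01T09:00:01 secure monitoring syslog
2023-09-01T09:00:02 corporate secure erp-orders
2023-09-01T09:00:03 corporate secure smb
2023-09-01T09:00:04 monitoring secure ssh
2023-09-01T09:00:05 internet secure https
2023-09-01T09:00:06 secure internet https
"""

if __name__ == "__main__":
    for flow in parse_log(SAMPLE_LOG):
        print(f"{flow.src_zone:>10} -> {flow.dst_zone:<10} {flow.proto:<10} {evaluate(flow)}")
    print(dict(summarize(SAMPLE_LOG)))
```

On the sample log the checker allows the log export and the purchase-order exchange, denies the SMB attempt through the gateway (wrong protocol) and the outbound web request from the segregated zone (no path), and alerts on the two flows that reach the segregated zone by a route the design does not provide.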
Implement access controls
Securing a segregated network hinges on the effective implementation of access controls. These controls serve as the “protectors” of the segregated network, ensuring that only approved individuals can enter and interact with it. By defining who has access to which resources, and under which circumstances, suppliers for national security can significantly reduce the risk of unauthorised entry and potential security breaches. These access controls encompass a range of measures, including user authentication methods such as passwords, biometrics or two-factor authentication, as well as role-based permissions that limit individuals to only the data and systems relevant to their job roles.
The NCSC has a useful guide on implementing access controls. In my view, regularly monitoring and auditing these controls is imperative to adapt to evolving threats and uphold a secure segregated network environment. But, there's still more that can be done.
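As an added example of the two ideas in the paragraphs above, role-based permissions plus a second factor, and the audit that should follow them, here is a small access decision function with a review over its own log. This is illustration code written for this post, not the NCSC's guidance or any product; the roles, resources, user names and the denial threshold are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed role definitions: each role maps to the (resource, action) pairs
# it may perform. Users hold roles rather than direct permissions.
ROLE_PERMISSIONS = {
    "order-clerk": {("purchase-orders", "read"), ("purchase-orders", "write")},
    "site-engineer": {("site-drawings", "read"), ("purchase-orders", "read")},
    "auditor": {("purchase-orders", "read"), ("site-drawings", "read"), ("access-log", "read")},
}

# Resources holding sensitive project material need a verified second factor,
# whatever the caller's role.
MFA_REQUIRED = {"site-drawings", "access-log"}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    mfa_verified: bool = False


@dataclass(frozen=True)
class Decision:
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str


def authorize(user: User, resource: str, action: str, log: list) -> Decision:
    """Decide one request and append the decision to the audit log."""
    permitted = any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
    if not permitted:
        d = Decision(user.name, resource, action, False, "no role grants this permission")
    elif resource in MFA_REQUIRED and not user.mfa_verified:
        d = Decision(user.name, resource, action, False, "second factor required")
    else:
        d = Decision(user.name, resource, action, True, "granted by role")
    log.append(d)
    return d


def review_log(log: list, threshold: int = 3) -> dict:
    """Audit view: denial counts per user and the users at or above the threshold."""
    denials = Counter(d.user for d in log if not d.allowed)
    return {
        "denials": dict(denials),
        "flagged": sorted(u for u, n in denials.items() if n >= threshold),
    }


if __name__ == "__main__":
    log = []
    clerk = User("alice", frozenset({"order-clerk"}))
    engineer = User("bob", frozenset({"site-engineer"}), mfa_verified=True)
    authorize(clerk, "purchase-orders", "write", log)
    for _ in range(3):
        authorize(clerk, "site-drawings", "read", log)  # outside her role
    authorize(engineer, "site-drawings", "read", log)
    for d in log:
        print(d)
    print(review_log(log))
```

The review step is the part that tends to be skipped: a user who is repeatedly refused access to material outside their role is exactly the signal the monitoring mentioned above should surface, and keeping the decision log makes that a query rather than guesswork.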
Stop the Insider Threat
The final key part of ensuring a supplier to national security is not compromised is stopping the insider threat. Whilst Zaun was not compromised through an insider (as far as we know), that is not to say other suppliers to Critical National Infrastructure and National Security have not fallen foul of insiders. In 2022, Xiaoqing Zheng was deemed to have committed economic espionage by embedding sensitive documents about wind turbines into images and sending them to his personal machine, from which they were later sent to contacts in China.
Steganography is a useful tool for malicious employees, as it is virtually undetectable using standard commercial DLP tools. It is just one of a number of ways that a compromised employee may try to leak sensitive data out of a corporate network, and this is something that suppliers to national security should be aware of, as these organisations in particular are likely to be targeted by nation states.
However, Forcepoint has two products that can help with this risk. The first is the Forcepoint Insider Threat product range. Our Insider Threat product identifies potentially malicious activity and can alert an operator when that suspicious activity warrants further investigation. The second is Zero Trust CDR. Zero Trust CDR is a unique product which does not use detection to find threats; instead, it extracts only the parts of a document that are known to be safe objects and uses them to create the same visual representation in a new document, so that the new document is completely threat free.
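To show what “rebuild from the known-safe parts rather than detect the bad ones” means in practice, and why it also defeats data hidden in image files, here is an added toy example for the PNG format. It is illustration code written for this post, not Forcepoint's product or Zero Trust CDR's actual implementation. It parses the chunk structure, keeps only the chunks a renderer needs (IHDR, IDAT, IEND), decompresses and validates the pixel data against the declared dimensions, then emits a fresh file with new compression and new CRCs. Everything else, whether a metadata chunk such as tEXt or bytes appended after IEND, is simply never copied. The 2x2 greyscale image, the comment text and the trailing bytes are all constructed in code; palette and 16-bit images are deliberately rejected rather than handled, since a rebuild should refuse anything it does not fully understand.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunks a renderer needs for the image types this toy handles. Everything
# else (tEXt, zTXt, iTXt, eXIf, private chunks) is dropped, not inspected.
SAFE_CHUNKS = {b"IHDR", b"IDAT", b"IEND"}

# Constructed stand-ins for data an insider might try to carry inside an image.
HIDDEN_NOTE = b"constructed hidden note"
TRAILING = b"constructed trailing payload"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(blob: bytes):
    """Return ([(type, data), ...], trailing_bytes_after_IEND) with CRCs verified."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        chunks.append((ctype, data))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]


def scanlines(blob: bytes) -> bytes:
    """Decompress the concatenated IDAT stream into filtered scanlines."""
    chunks, _ = parse_chunks(blob)
    return zlib.decompress(b"".join(d for t, d in chunks if t == b"IDAT"))


def rebuild(blob: bytes):
    """Rebuild a PNG from its safe chunks only; return (clean_png, report)."""
    chunks, trailing = parse_chunks(blob)
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("missing IHDR or IEND")
    ihdr = chunks[0][1]
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    bytes_per_pixel = {0: 1, 2: 3}.get(colour)  # 8-bit greyscale or RGB only
    if depth != 8 or bytes_per_pixel is None:
        raise ValueError("unsupported colour type or bit depth")
    raw = zlib.decompress(b"".join(d for t, d in chunks if t == b"IDAT"))
    if len(raw) != height * (1 + width * bytes_per_pixel):
        raise ValueError("pixel data does not match the declared dimensions")
    clean = b"".join([
        PNG_SIGNATURE,
        _chunk(b"IHDR", ihdr),
        _chunk(b"IDAT", zlib.compress(raw, 9)),  # fresh stream, fresh CRC
        _chunk(b"IEND", b""),
    ])
    report = {
        "dropped_chunks": [t.decode("ascii") for t, _ in chunks if t not in SAFE_CHUNKS],
        "trailing_bytes_dropped": len(trailing),
    }
    return clean, report


def build_sample_png() -> bytes:
    """A 2x2 8-bit greyscale PNG with a tEXt chunk and trailing bytes, built in code."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 0, 0, 0, 0)
    raw = b"\x00\x00\xff" + b"\x00\xff\x00"  # each row: filter byte 0, then 2 pixels
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00" + HIDDEN_NOTE)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b"")
            + TRAILING)


if __name__ == "__main__":
    original = build_sample_png()
    clean, report = rebuild(original)
    print(len(original), "->", len(clean), "bytes;", report)
    print([t for t, _ in parse_chunks(clean)[0]])
```

The design point is that nothing here looks for the hidden note or the appended bytes, so it does not matter how they were encoded; they are absent from the output because the output is assembled only from the parts the format needs to draw the picture. A production rebuild goes further than this toy (it would re-render the pixels, handle every colour type and apply the same idea to office and PDF formats), but the principle is the same.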