Threat actors have developed offensive cyber tools that target these systems and, once they have gained a foothold on the operational technology (OT) network, can scan for, compromise, and control targeted devices, the report added. CISA’s alert does not name the threat actors in question.
Schneider, Omron, OPC UA Systems in the Crosshairs
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have joined forces to counter APT (Advanced Persistent Threat) actors targeting critical infrastructure, the report stated. Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers are at risk, the report added. The actors’ tooling can subject these systems to brute-force attacks, denial-of-service attacks, credential capture, and even device crashes caused by “packet of death” attacks.
Custom-Made Offensive Cyber Tools
High-profile threat actors have crafted custom-made cyber tools to compromise critical infrastructure, the report stated. The ICS-specific malware in question is believed to be “PIPEDREAM”, which cybersecurity company Dragos attributes to the threat group it tracks as the “Chernovite Activity Group (AG)”, Dragos wrote in its blog. Mandiant threat intelligence tracks the same tooling as “INCONTROLLER”, a novel set of attack tools “built to target machine automation devices” across multiple industries, Mandiant wrote. Mandiant also noted that the tooling is consistent with Russia’s cyber-physical attacks on Ukraine in 2015 and 2016, though it stopped short of a firm attribution. “The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices,” CISA said. In addition, the APT actors have been seen using a tool that exploits a known vulnerability in an ASRock-signed motherboard driver to execute code in the Windows kernel. This allows them to “move laterally within an IT or OT environment” and in turn compromise critical devices and functions, CISA wrote.
Which ICS/SCADA Devices are Vulnerable?
According to authorities, the following devices are at risk:
- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT
- OPC Unified Architecture (OPC UA) servers
ICS and SCADA systems are typically deployed to control and supervise large-scale industrial processes and networks such as water supplies, gas pipelines, and power grids.
Recommended Security Mitigations
CISA has published a set of urgent mitigations that enable network defenders “to begin efforts to protect systems and devices from new capabilities.” The DOE, CISA, NSA, and FBI recommend the following steps for all organizations that operate ICS/SCADA devices:
- Isolating systems and networks using strong perimeter controls
- Enforcing multifactor authentication for ICS networks and devices wherever possible
- Maintaining a cyber incident response plan and exercising it regularly
- Changing all passwords on all devices and systems on a consistent schedule
- Maintaining backups, especially offline backups
- Limiting system access to only specifically allowed management and engineering stations
- Configuring Device Guard, Credential Guard, and Hypervisor-Protected Code Integrity (HVCI)
- Implementing robust log collection across systems
- Leveraging a continuous OT monitoring solution
- Enforcing principles of least privilege
- Monitoring systems for the loading of unusual drivers, particularly ASRock drivers
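Two of the recommendations above (restricting PLC access to allow-listed engineering stations, and watching for unusual driver loads, particularly ASRock drivers) can be turned into simple detection rules. The following is an added example, not code from the CISA alert, Dragos, Mandiant, or the article: it runs two such rules over constructed Sysmon-style driver-load records and constructed connection records. The host names, addresses, driver file names, signer strings, the allow-list, and the port-to-protocol mapping are all assumptions made for the demonstration.

```python
"""Added example, not code from the CISA alert or the article: two of the
recommended mitigations expressed as detection rules that run over
constructed log records.

  1. Flag driver-load events (Sysmon Event ID 6 style) where the driver is
     ASRock-signed, unsigned, or carries an invalid signature.
  2. Flag connections to PLC / OPC UA service ports that do not come from an
     allow-listed engineering or management station.

Every record, host name, address and the allow-list below is constructed for
the demonstration; field names follow Sysmon's Event ID 6 schema, but the
events are not real captures.
"""
import json
from ipaddress import ip_address, ip_network

# Assumed allow-list: the only stations permitted to talk to PLCs.
ENGINEERING_STATIONS = [ip_network("10.10.5.0/29")]

# Standard service ports for protocols the listed PLCs and servers speak.
ICS_PORTS = {502: "Modbus/TCP", 4840: "OPC UA", 44818: "EtherNet/IP"}

# Constructed Sysmon "Driver loaded" records, one JSON object per line.
SYSMON_EVENTS = r"""
{"EventID": 6, "Computer": "ENG-WS01", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "Computer": "ENG-WS01", "ImageLoaded": "C:\\Temp\\asr_tool.sys", "Signed": "true", "Signature": "ASRock Inc.", "SignatureStatus": "Valid"}
{"EventID": 6, "Computer": "HMI-02", "ImageLoaded": "C:\\Windows\\Temp\\x.sys", "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"}
{"EventID": 1, "Computer": "HMI-02", "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

# Constructed connection records: timestamp, source IP, destination IP, destination port.
FLOWS = """
2022-04-14T10:01:07Z 10.10.5.3 10.20.1.15 502
2022-04-14T10:01:09Z 10.10.40.77 10.20.1.15 502
2022-04-14T10:02:11Z 10.10.40.77 10.20.1.20 4840
2022-04-14T10:02:30Z 10.10.5.4 10.20.1.31 44818
2022-04-14T10:03:02Z 10.10.40.77 10.20.1.40 443
"""


def suspicious_driver_loads(events: str) -> list:
    """Return driver loads that are ASRock-signed or lack a valid signature."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 6:          # only "Driver loaded" events
            continue
        signer = ev.get("Signature", "")
        validly_signed = (ev.get("Signed", "").lower() == "true"
                          and ev.get("SignatureStatus") == "Valid")
        if "asrock" in signer.lower():
            reason = "ASRock-signed driver"
        elif not validly_signed:
            reason = "unsigned or invalidly signed driver"
        else:
            continue
        hits.append({"host": ev["Computer"], "driver": ev["ImageLoaded"], "reason": reason})
    return hits


def unauthorized_ics_access(flows: str, allowed=ENGINEERING_STATIONS) -> list:
    """Return connections to ICS ports whose source is not an allow-listed station."""
    hits = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        port = int(port)
        if port not in ICS_PORTS:           # ignore non-ICS traffic (e.g. HTTPS)
            continue
        if any(ip_address(src) in net for net in allowed):
            continue
        hits.append({"time": ts, "src": src, "dst": dst, "protocol": ICS_PORTS[port]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_driver_loads(SYSMON_EVENTS):
        print("DRIVER ", hit)
    for hit in unauthorized_ics_access(FLOWS):
        print("ACCESS ", hit)
```

The driver rule deliberately flags a validly signed ASRock driver as well as unsigned ones: the attack CISA describes abuses a legitimately signed driver, so signature validity alone is not a safe filter, and a hit on a host that has no ASRock hardware warrants investigation. The access rule is only as good as the allow-list and the port mapping; in a real deployment both come from the asset inventory and the OT monitoring solution, not from constants.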
For more in-depth security mitigation information, please refer to the original CISA report.
Critical Infrastructure Attacks
As the digital transformation of industrial sectors takes hold, attacks on critical infrastructure and cyber-physical systems such as ICS/SCADA can disrupt an entire nation’s fundamental lifelines. Recent years offer several examples: the Colonial Pipeline attack in 2021, the attack on a supplier that halted Toyota’s production last month, the 2021 attempt to poison a Florida city’s water supply, and others. For these reasons, the private sector is working to protect industrial systems in critical sectors such as energy, automotive, banking, and semiconductors through a new consortium, the Operational Technology Cybersecurity Coalition, The Register said in a report.