Hackers Plan Attacks On Key US Industrial Control Systems

Hackers have developed new custom tools to gain full system access to a number of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, according to the US Cybersecurity and Infrastructure Security Agency (CISA). 

The Department of Energy, US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and FBI urged critical infrastructure operators to upgrade the security of these devices and networks in a joint cyber security advisory notice. 

"The APT actors have developed custom-made tools for targeting ICS/SCADA devices," the agencies said in the alert. "The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network."

One of the cyber security firms involved, Mandiant, said in a report that the tools’ functionality was “consistent with the malware used in Russia’s prior physical attacks” though it acknowledged that the evidence linking it to Moscow is “largely circumstantial”.

This warning states that certain advanced persistent threat actors have developed new custom tools with the capability to gain full system access to multiple ICS/SCADA devices, including:

  • OMRON Sysmac NEX PLCs
  • Open Platform Communications Unified Architecture (OPC UA) servers

The custom tools are designed to target programmable logic controllers (PLCs) from large companies such as Schneider Electric. CISA says the tools allow for "highly automated exploits" against targeted devices, although it also says there is a low risk that the tools will lead to highly automated exploits against targeted devices in the critical infrastructure sector.

The agencies are urging organisations to "isolate ICS/SCADA systems and networks from corporate and Internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters." They also recommend using multi-factor authentication for remote access to ICS networks and devices, changing all passwords to those systems regularly, and removing all default passwords.

Security firm Dragos, which specialises in ICS, has named one of the new custom tools 'Pipedream' and says it is the seventh ICS-specific malware it has seen. Dragos has traced the tool to an advanced persistent threat actor it calls Chernovite. Mandiant has named the malware INCONTROLLER after working with Schneider Electric to analyse it.

The government agencies are urging critical infrastructure organisations, particularly those in the energy sector, to put in place the recommended detection and mitigation processes, including using strong perimeter controls to isolate ICS and SCADA systems and networks from corporate and Internet networks and to limit communications entering or leaving those perimeters. They also recommend using multifactor authentication for remote access to ICS networks and devices.

Along with isolating ICS and SCADA systems and using multifactor authentication, the US agencies also recommend steps such as having a cyber-incident response plan in place. They further advise operators to change all passwords and use strong ones, maintain backups, implement strong log collection and retention from ICS and SCADA systems, and ensure that applications are installed only when necessary for operation.

Sources: CISA, Reuters, InfoSec Today, Guardian, Oodaloop, ZDNet, The Register, The Hacker News
