Hackers Plan Attacks On Key US Industrial Control Systems

Hackers have developed new custom tools to gain full system access to a number of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

The Department of Energy, CISA, the NSA and the FBI urged critical infrastructure operators to upgrade the security of these devices and networks in a joint cyber security advisory.

"The APT actors have developed custom-made tools for targeting ICS/SCADA devices," the agencies said in the alert. "The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network."

One of the cyber security firms involved, Mandiant, said in a report that the tools’ functionality was “consistent with the malware used in Russia’s prior physical attacks” though it acknowledged that the evidence linking it to Moscow is “largely circumstantial”.

The warning states that certain advanced persistent threat actors have developed new custom tools capable of gaining full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • OMRON Sysmac NEX PLCs
  • Open Platform Communications Unified Architecture (OPC UA) servers

The custom tools are designed to target programmable logic controllers from large vendors such as Schneider Electric. CISA says the tools allow for "highly automated exploits" against targeted devices, although it also assesses the risk of such automated exploits being used against devices in the critical infrastructure sector as low.

The agencies are urging organisations to "isolate ICS/SCADA systems and networks from corporate and Internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters." They also recommend using multi-factor authentication for remote access to ICS networks and devices, changing all passwords to them regularly, and removing all default passwords.

Security firm Dragos, which specialises in ICS, has named one of the new custom tools 'Pipedream' and says this is the seventh piece of ICS-specific malware it has seen. Dragos has attributed the tool to an advanced persistent threat actor it calls Chernovite. Mandiant has named the malware INCONTROLLER after working with Schneider Electric to analyse it.

The government agencies are urging critical infrastructure organisations, particularly those in the energy sector, to put in place the recommended detection and mitigation processes, including using strong perimeter controls to isolate ICS and SCADA systems and networks from corporate and Internet networks and limiting communications entering or leaving those perimeters. They also recommend using multifactor authentication for remote access to ICS networks and devices.

Along with isolating ICS and SCADA systems and using multifactor authentication, the US agencies also recommend steps such as having a cyber-incident response plan in place. They further advise operators to change all passwords and use strong passwords, maintain backups, implement strong log collection and retention from ICS and SCADA systems, and ensure that applications are installed only when necessary for operation.
