Hackers Plan Attacks On Key US Industrial Control Systems

Hackers have developed new custom tools to gain full system access to a number of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, according to the US Cybersecurity and Infrastructure Security Agency (CISA). 

The Department of Energy, US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and FBI urged critical infrastructure operators to upgrade the security of these devices and networks in a joint cyber security advisory notice. 

"The APT actors have developed custom-made tools for targeting ICS/SCADA devices," the multiple US agencies said in an alert. "The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network." the notice said. 

One of the cyber security firms involved, Mandiant, said in a report that the tools’ functionality was “consistent with the malware used in Russia’s prior physical attacks” though it acknowledged that the evidence linking it to Moscow is “largely circumstantial”.

This warning states that certain advanced persistent threat actors have developed new custom tools that have the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:   

  • OMRON Sysmac NEX PLCs
  • Open Platform Communications Unified Architecture (OPC UA) servers.

The custom tools are designed to target programmable logic controllers from large companies such as Schneider Electric. CISA says the tools allow for "highly automated exploits" against targeted devices,  although CISA does say there is a low risk that the tools will lead to highly automated exploits against devices in the critical infrastructure sector being targeted. 

The agencies are urging organisations to "isolate ICS/SCADA systems and networks from corporate and Internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters."  They also recommend using multi-factor authentication for remote access to ICS networks and devices, to change all passwords to them regularly, and remove all default passwords.   

Security firm Dragos, which specialises in ICS, has named one of the new custom tools 'Pipedream' and say this is the seventh such ICS specific malware they have seen. Dragos has traced the tool back to an advanced persistent threat actor called Chevronite. Mandiant has named the malware INCONTROLLER after working with Schneider Electric to analyse it.

The government agencies are urging critical infrastructure organisations, particularly those in the energy sector, to put in place recommended detection and mitigation processes, including using strong perimeter controls to isolate ICS and SCADA system and networks from corporate and Internet networks and limit communications entering or leaving those perimeters. They also recommend using multifactor authentication for remote access to ICS networks and devices.

Along with isolating ICS and SCADA systems and leveraging multifactor authentication, the US agencies also are recommending such steps as having a cyber-incident plan in place. Also, they advise users to change all passwords and use strong passwords, maintain backups, implementing strong log collection and retention from ICS and SCADA systems and ensuring that applications are installed only when necessary for operation. 

CISA:    Reuters:      InfoSec Today:     Guardian:     Oodaloop:     ZDNet:     The Register:   The Hackers News:

You Might Also Read:   

Operating Technology Security Issues Are Increasing:
 

« Pegasus Spyware Used To Target British Prime Minister
The Vital Importance Of Pen Testing »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Securosis

Securosis

Securosis is an information security research and advisory firm dedicated to improving the practice of information security.

ExaGrid Systems

ExaGrid Systems

ExaGrid provides Tiered Backup Storage with a unique disk-cache Landing Zone, long-term retention repository, and scale-out architecture.

CIO

CIO

CIO provides technology and business leaders with insight and analysis on information technology trends

Lockton

Lockton

Lockton is the world’s largest privately owned insurance brokerage firm. Commercial services include Cyber Risk insurance.

HyTrust

HyTrust

HyTrust specialises in security, compliance and control software for virtualization and cloud environments.

Exostar

Exostar

Exostar is the cloud platform of choice for secure enterprise and supply chain collaboration solutions and identity and access management expertise.

Cyber London (CyLon)

Cyber London (CyLon)

CyLon is a leading cyber security accelerator and seed investment programme. We help entrepreneurs from across the globe to build cyber security businesses, raise investment, and develop partnerships.

Templar Executives

Templar Executives

Templar Executives is a leading, expert and dynamic Cyber Security company trusted by Governments and multi-national organisations to deliver business transformation.

Highland Capital Partners

Highland Capital Partners

Highland Capital Partners is an early stage venture capital firm focused on category-defining businesses in consumer and enterprise technology, including cybersecurity.

IP Twins

IP Twins

IP Twins offer a wide range of services related to domain names and online brand protection.

BullGuard

BullGuard

BullGuard is an award-winning cybersecurity company focused on providing the consumer and small business markets with the confidence to use the internet in absolute safety.

Sprint Networks

Sprint Networks

Sprint Networks is a trusted compliance and risk program advisor which deliver cost-effective technology to reduce enterprise-wide risk.

Cado Security

Cado Security

Cado Security is pushing digital forensics, and cyber incident response to the next level with an incident response software platform and specialist consulting services.

AutoSec

AutoSec

AutoSec supports the FFI program Electronics, Software and Communication by dissemination and exploitation of the results of projects related to automotive cybersecurity.

Intuitive Research & Technology Corp

Intuitive Research & Technology Corp

Intuitive Research and Technology is an aerospace engineering and analysis firm providing services to the Department of Defense, government agencies, and commercial companies.

Vertek

Vertek

Vertek is a leading provider of operations consulting, end-to-end business process outsourcing, business intelligence, software applications and managed cybersecurity solutions.

Soteria LLC

Soteria LLC

Soteria LLC are a client-focused organization providing expert advisory, consulting services, and tailored solutions to prevent, detect, and respond to cybersecurity incidents.