Key US government security organizations are warning that industrial control system (ICS)/supervisory control and data acquisition (SCADA)-based networks are being threatened by bad actors armed with custom software tools.
The Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint warning that certain advanced persistent threat (APT) actors have shown the ability to gain full system access to compromised ICS/SCADA systems.
The alert did not identify which groups were making the threats, but it did recognize Dragos, Mandiant, Microsoft, Palo Alto Networks and Schneider Electric for helping put together the warning. Dragos has posted a paper about part of the threat.
ICS and SCADA systems typically manage and control large industrial systems and utility networks such as power grids, gas pipelines and water supplies.
The custom tools referred to in the warning enable attack groups to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network, CISA stated.
“Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” CISA stated.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”
The warning said the threat actors had exhibited the capability to gain full system access to specific devices including:
- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078.
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT.
- OPC Unified Architecture (OPC UA) servers.
The tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices, CISA stated. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device.
“Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities,” CISA stated. “The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”
Industrial SCADA and ICS systems have been threatened for years by state actors and others. Most recently threats have emanated from Russia as it faces world-wide sanctions and isolation because of its war against Ukraine. Reports this week tied Russian hackers to a failed attack on Ukraine’s electric grid.
In March the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics employee for their involvement in intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies between 2012 and 2018.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”
DOE, CISA, NSA and the FBI recommend all organizations with ICS/SCADA devices harden their systems by:
- Isolating ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
- Limiting ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
- Enforcing multifactor authentication for all remote access to ICS networks and devices whenever possible.
- Changing all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute-force attacks and to give defender monitoring systems opportunities to detect common attacks.
- Maintaining known-good offline backups for faster recovery upon a disruptive attack, and conducting hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
Copyright © 2022 IDG Communications, Inc.