US security agencies warn of threats to industrial and utility control networks
Leading US government security organizations are warning that Industrial Control System (ICS)/Supervisory Control and Data Acquisition (SCADA)-based networks are at risk from bad actors armed with custom software tools.
The Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) issued a joint warning that certain Advanced Persistent Threat actors (APT) have shown the ability to gain full system access to compromised ICS/SCADA systems.
The alert did not identify the groups behind the threats, but it did acknowledge Dragos, Mandiant, Microsoft, Palo Alto Networks and Schneider Electric for helping put the warning in place. Dragos posted about part of the threat.
ICS and SCADA systems typically manage and control large industrial systems and utility networks such as power grids, gas pipelines, and water supplies.
The custom tools mentioned in the warning allow attacker groups to find, compromise and control affected devices once they establish initial access to the operational technology (OT) network, CISA said.
“In addition, actors may compromise Windows-based engineering workstations, which may be present in Information Technology (IT) or OT environments, by using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” CISA said.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally in an OT environment, and disrupt critical devices or functions.”
The warning stated that the threat actors had shown the ability to gain full system access to specific devices, including:
- Schneider Electric MODICON and MODICON Nano PLCs including (but not limited to) TM251, TM241, M258, M238, LMC058 and LMC078.
- OMRON Sysmac NJ and NX PLCs including (but not limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK and R88D-1SN10F-ECT.
- OPC Unified Architecture (OPC UA) servers.
The tools have a modular architecture and allow cyber actors to conduct highly automated exploits against targeted devices, CISA said. The tools feature a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device.
“The modules interact with the targeted devices, allowing the operations of less skilled cyber actors to emulate the capabilities of more skilled actors,” CISA said. “APT actors can take advantage of modules to search for targeted devices, perform device detail reconnaissance, download malicious code/configuration to the targeted device, backup or restore device content, and modify device settings.”
Industrial SCADA and ICS systems have been under threat for years from state and other actors. More recently, threats have emanated from Russia as it faces global sanctions and isolation due to its war on Ukraine. Reports this week linked Russian hackers to a failed attack on Ukraine’s power grid.
In March, the US Department of Justice released indictments against three Russian Federal Security Service agents and an employee of the Russian Federation’s Central Scientific Research Institute of Chemistry and Mechanics for their involvement in intrusion campaigns against US and international oil refineries, nuclear facilities and energy companies between 2012 and 2018.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure in the United States and around the world,” Deputy Attorney General Lisa O. Monaco said in a statement. “While the criminal charges unveiled today reflect past activity, they clearly demonstrate the urgent and ongoing need for corporate America to strengthen their defenses and remain vigilant.”
The DOE, CISA, NSA, and FBI recommend that all organizations with ICS/SCADA devices harden their systems by:
- Isolating ICS/SCADA systems and networks from corporate networks and the Internet using strong perimeter controls, and limiting all communications entering or leaving ICS/SCADA perimeters.
- Limiting network connections of ICS/SCADA systems to only specifically authorized management and engineering workstations.
- Enforcing multi-factor authentication for all remote access to ICS networks and devices where possible.
- Changing all device and ICS/SCADA system passwords on a consistent schedule, especially all default passwords, to strong passwords unique to the device, to mitigate password brute-force attacks and to give defender monitoring systems the ability to detect common attacks.
- Maintaining good offline backups for faster recovery in the event of a disruptive attack, and performing hash and integrity checks on firmware and controller configuration files to ensure the validity of these backups.
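The last recommendation, hash and integrity checks on backed-up firmware and controller configuration files, as an added example that is not part of the advisory or this article: it records a SHA-256 manifest of a backup set and later reports which files were modified, lost, or added. The directory layout and file names (tm251/config.xml, nx1p2.bak) are constructed; the manifest is assumed to be stored somewhere the backup media cannot overwrite.

```python
"""Manifest-based integrity check for offline ICS backups (constructed example)."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read large firmware images in 1 MiB chunks

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Map every file under backup_dir (relative POSIX path) to its SHA-256."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}

def verify_backup(backup_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current backup set against a trusted manifest kept off the media."""
    current = build_manifest(backup_dir)
    return {
        "ok":         sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified":   sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing":    sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def demo() -> dict[str, list[str]]:
    """Build a constructed backup set, record its manifest, simulate damage, verify."""
    root = Path(tempfile.mkdtemp())
    (root / "tm251").mkdir()
    (root / "tm251" / "config.xml").write_bytes(b"<project><pou name='main'/></project>")
    (root / "tm251" / "firmware.bin").write_bytes(bytes(range(256)) * 64)
    (root / "nx1p2.bak").write_bytes(b"CONSTRUCTED-OMRON-BACKUP")
    # The manifest must live apart from the backup media (signed, or on a
    # write-once store); otherwise whoever alters a backup can regenerate it.
    manifest_json = json.dumps(build_manifest(root), sort_keys=True)
    # Simulated tampering, loss and an unexpected addition on the backup media:
    (root / "tm251" / "config.xml").write_bytes(b"<project><pou name='main'/><pou name='added'/></project>")
    (root / "nx1p2.bak").unlink()
    (root / "notes.txt").write_bytes(b"written after the manifest was taken")
    return verify_backup(root, json.loads(manifest_json))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty "modified" or "missing" list means the backup cannot be trusted for restoration until it is reconciled against a known-good copy.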
Copyright © 2022 IDG Communications, Inc.