
Industroyer2 and Pipedream ICS/SCADA Malware: DOE, CISA, NSA, and the FBI Release Joint Cybersecurity Advisory


Industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices are, arguably, the threat surface of greatest concern to cyber and homeland security professionals.  If ICS/SCADA devices are mission-critical to your organization, the Joint Cybersecurity Advisory (CSA) released this week by multiple U.S. agencies is a must-read.

A unique element of this CSA is the direct contribution made by the private sector to the research included in the advisory:  “‘This is the most expansive industrial control system attack tool that anyone has ever documented,’ says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. ‘It’s like a Swiss Army knife with a huge number of pieces to it.’” (1)

For readers for whom this cyber threat is of less direct concern, we still encourage at least a cursory look at the alert, as there may be ancillary impacts on your broader cybersecurity efforts.  There is also an argument that, given the threat climate created by the Ukrainian Crisis, the cybersecurity community (broadly speaking) should have a basic working knowledge of these device-level threats to PLCs and OPC UA servers.  This post is therefore both an introductory overview and as comprehensive as needed, depending on your level of concern and interest in the implications of the CSA.

Industroyer2 and Pipedream Malware

The README cybersecurity site on Medium (published by Synack) provides an overview of the emergence of the ICS/SCADA malware which prompted the U.S. Joint Cybersecurity Advisory this week:

The last example of malware tailor-made to twist a knife into critical infrastructure networks’ ICS underbelly emerged in 2017. Now, two ICS-focused malware variants have come to light in the same week, an unprecedented escalation in control system threats that’s ringing alarm bells from Kyiv to Washington.  Unlike the Triton malware, which caused a string of outages at a major Saudi Arabian petrochemical plant in 2017, the latest two ICS cyber threats, dubbed Industroyer2 and Pipedream, evidently failed to cause disruptions.

The rise of Pipedream and Industroyer2 highlights how quickly changes can wash over the threat landscape for ICS networks, which still tend to be highly specialized, relatively isolated and difficult to target. The back-to-back threats have also appeared as Russia continues its invasion of Ukraine in a hybrid war that has drawn White House warnings about potential cyberattacks on U.S. targets.

Industroyer2, aimed squarely at disrupting Ukraine’s power grid, puts an exclamation point on Russia’s willingness to target Ukrainian civilian networks and could upend some expert assessments about the extent of Moscow’s cyber aggression in the wider conflict. And while Pipedream has not been attributed to the Russian government, its sophistication has drawn comparisons to past Russian attack tools like Triton.

Industroyer2 is a brutish tool replete with disk wipers for Windows, Linux, and Solaris operating systems, as ESET researchers wrote in an analysis of the malware. It incorporates the IEC-104 communications protocol used by certain substations and protective relays, which act like circuit breakers for big electricity networks. And it takes pains to cover up its tracks as it manipulates specific ICS components to force a power outage.

Investigations into the malware samples are ongoing, but both are believed to have been developed by state-backed hackers with a deep understanding of control system networks, and Ukraine has attributed Industroyer2 to Russia. ICS and SCADA systems, like those that support power grids worldwide, often use their own sets of arcane protocols and network architectures that vary widely from site to site.

Pipedream, by contrast, has not been deployed in an actual attack, cybersecurity researchers say. But that doesn’t make it any less menacing.  Cybersecurity company Mandiant, which tracks Pipedream by the name Incontroller, warned in its own analysis today that the tool “represents an exceptionally rare and dangerous cyber-attack capability.”  That obscurity is part of the reason ICS-specific cyberthreats are incredibly rare — just seven malware strains have ever been found to specifically target control systems, counting Industroyer2 and Pipedream, according to Dragos.

Pipedream zeroes in on programmable logic controllers — a type of rugged computer used for industrial processes like managing the flow of electricity or natural gas — with an eye toward a handful of specific industrial devices produced by Omron and Schneider Electric.  “PIPEDREAM could be successful — it’s extremely capable and flexible. It was found before it was deployed in the target networks though,” Robert M. Lee, CEO of industrial cybersecurity firm Dragos, told README, calling its discovery “a huge win for defense.” (2)

National Cyber Awareness System Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices

On Wednesday, April 13, 2022 (with revisions on Thursday, April 14), the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

From the Advisory

The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices.

Technical Details

APT actors have developed custom-made tools that, once they have established initial access in an OT network, enable them to scan for, compromise, and control certain ICS/SCADA devices, including the following:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
  • OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
  • OPC Unified Architecture (OPC UA) servers.

The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.

The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.

In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.

Mitigations

Note: these mitigations are provided to enable network defenders to begin efforts to protect systems and devices from new capabilities. They have not been verified against every environment and should be tested prior to implementation.

DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
  • Enforce multi-factor authentication for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
  • Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
  • Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
  • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
  • Ensure all applications are only installed when necessary for operation.
  • Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
  • Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator commands, as signs of potential malicious activity.
  • Monitor systems for loading of unusual drivers, especially an ASRock driver if no ASRock driver is normally used on the system.
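One way to implement the backup hashing and integrity checks recommended in the list above, as an added Python example rather than code from the advisory or from OODA: it builds a SHA-256 manifest over a backup tree of controller configuration and firmware files, then re-verifies the tree and reports modified, missing and planted files. The file names (tm251_project.bin, nx1p2_config.xml, firmware.img) and their contents are constructed sample data, and the assumption that the manifest is kept on separate read-only media is made here, not stated by the advisory.

```python
"""Build and verify a SHA-256 manifest for offline backups of controller
configuration and firmware files.

Added example illustrating the advisory's recommendation to hash and
integrity-check backups; this is not code from the advisory, CISA or OODA.
All files created by demo() are constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare a backup tree against a previously stored manifest.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]};
    all three lists empty means the backup is intact.
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Create a constructed backup set, record its manifest, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc").mkdir()
        # Constructed stand-ins for a Schneider TM251 project and an OMRON NX1P2 config.
        (root / "plc" / "tm251_project.bin").write_bytes(b"\x00\x01constructed-project")
        (root / "plc" / "nx1p2_config.xml").write_text("<cfg>constructed</cfg>")
        (root / "firmware.img").write_bytes(b"constructed-firmware")

        # Assumption: the manifest is stored OUTSIDE the backup media (here kept
        # as a JSON string rather than written into the tree it describes).
        manifest_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)
        clean = verify_backup(root, json.loads(manifest_json))

        # Simulate tampering: altered project, deleted config, planted extra file.
        (root / "plc" / "tm251_project.bin").write_bytes(b"\x00\x01tampered")
        (root / "plc" / "nx1p2_config.xml").unlink()
        (root / "plc" / "extra.bin").write_bytes(b"planted")
        tampered = verify_backup(root, json.loads(manifest_json))
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("intact:", before)
    print("after tampering:", after)
```

Hashing only detects change, it does not prevent it: an attacker who can write to the backup media can also rewrite a manifest stored beside it. Keep the manifest, or a signature over it, on a separate store, and run the comparison at restore time as well as at backup time, since a backup that has silently drifted is exactly what you do not want to push back onto a PLC during recovery.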

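The last mitigation above, monitoring for unusual driver loads, in working form as an added Python example (not code from the advisory, CISA or OODA): it scans Sysmon Event ID 6 (DriverLoad) records and flags the AsrDrv103.sys driver named in the advisory, drivers loaded from user-writable directories, drivers with missing or invalid signatures, and signers absent from a per-environment baseline. The event records are constructed sample data, the signer string shown on the ASRock record and the baseline of expected signers are assumptions, and the path patterns would need tuning for a real fleet.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example for the advisory's guidance to watch for unusual driver loads;
not code from the advisory, CISA or OODA. SAMPLE_EVENTS is constructed data.
"""
import fnmatch
from pathlib import PureWindowsPath

# Driver file named in AA22-103A as the vehicle for CVE-2020-15368 (matched case-insensitively).
KNOWN_ABUSED_DRIVERS = {"asrdrv103.sys"}

# Locations a legitimately installed driver should never load from.
# Assumption: illustrative patterns that need tuning per environment.
SUSPICIOUS_DIR_PATTERNS = (
    r"c:\users\*",
    r"c:\windows\temp\*",
    r"c:\programdata\*",
)

# Constructed Sysmon Event ID 6 records; field names follow Sysmon's DriverLoad schema.
# The signer string on the ASRock record is an assumption, not taken from the advisory.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "ENG-WS-01",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "ENG-WS-01",
     "ImageLoaded": r"C:\Users\operator\AppData\Local\Temp\AsrDrv103.sys",
     "Signed": "true", "Signature": "ASROCK Incorporation", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "ENG-WS-02",
     "ImageLoaded": r"C:\Windows\System32\drivers\example_unsigned.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Computer": "ENG-WS-02",  # not a DriverLoad event; ignored
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def classify_driver_load(event, expected_signers):
    """Return the reasons an Event ID 6 record looks suspicious; an empty list means benign."""
    if event.get("EventID") != 6:
        return []
    image = event.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    reasons = []
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known-abused driver {name}")
    if any(fnmatch.fnmatchcase(image.lower(), pat) for pat in SUSPICIOUS_DIR_PATTERNS):
        reasons.append("loaded from user-writable path")
    # A valid signature is NOT reassuring by itself: AsrDrv103.sys is a validly
    # signed vendor driver, which is exactly why it can be brought along and abused.
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    if not signed_ok:
        reasons.append("unsigned or invalid signature")
    elif event.get("Signature", "") not in expected_signers:
        reasons.append(f"signer not in baseline: {event.get('Signature', '')!r}")
    return reasons


def scan(events, expected_signers=frozenset({"Microsoft Windows"})):
    """Group suspicious loads by host: {computer: [(image_path, reasons), ...]}."""
    findings = {}
    for ev in events:
        reasons = classify_driver_load(ev, expected_signers)
        if reasons:
            findings.setdefault(ev["Computer"], []).append((ev["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        for image, reasons in hits:
            print(f"{host}: {image}: {'; '.join(reasons)}")
```

The baseline of expected signers is the check that does the real work on an engineering workstation: such hosts have a small, stable set of vendor drivers, so any signer outside that set deserves a look even when the signature itself verifies. Feed the same logic from your SIEM's Sysmon pipeline rather than from a static list, and pair it with the HVCI and driver blocklist settings mentioned in the mitigations so that a flagged load is also a blocked one.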
Further Resources

Direct Link to APT Cyber Tools Targeting ICS/SCADA Devices | CISA

PDF Version of Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices

Private Sector Advisories include:

Mandiant’s Blog – INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems

Dragos’ Blog – CHERNOVITE’S PIPEDREAM: Malware Targeting Industrial Control Systems

Our friends over at the Record have done some solid reporting as well:

US agencies warn of custom-made hacking tools targeting energy sector systems

Researchers find new malware variant after stopping attack on Ukrainian energy provider

OODA Recommendations

In the current climate created by the viable threat of a Russian cyberattack on the U.S., if you are preparing your organization or your individual household to mitigate risk please see OODA CTO Bob Gourley’s Guide For Business: Final checks for reducing risks in the face of nation-state cyber-attacks based on White House advisory.  In the post, Bob itemizes OODA recommendations for:

  • Large Businesses/Large Federal Government Agencies
  • Small To Mid-Sized Businesses/State and Local Governments; and
  • Individuals

OODA is here to help.  OODA members can contact us by replying to any of our emails or using this form.

Further OODA Loop Resources

The CISA Shields Up! Initiative

Preparing for Cyber Attacks: The CISA Online Resource Hub

Guide For Business: Final checks for reducing risks in the face of nation-state cyber-attacks based on White House advisory

CISA, FBI Issue Joint Cybersecurity Advisory for SATCOM Ecosystem Following Viasat Cyberattack

The FBI Cyber Division, NSA, Australian Cyber Security Centre, and the UK’s NCSC Issue Joint CSA on Global Ransomware Activity

CISA Insights Bulletin Urges U.S. Preparation for Data Wiping Attacks

Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine

CISA Apache Log4j Vulnerability Guidance Webpage Up and Running with Mitigation Guidance from JCDC Partners

A Call to Action from CISA’s Jen Easterly and Def Con’s Jeff Moss at Inaugural CISA Advisory Committee Mtg.

At Black Hat 2021, CISA Director Jen Easterly launches CISA JCDC (Joint Cyber Defense Collaborative)

Stay Informed

It should go without saying that tracking threats is critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and the risks to business operations.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decision-making

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.