Possible vulnerable devices include Schneider Electric and OMRON controllers and servers that comply with the OPC Unified Architecture.

Key US government security organizations are warning that industrial control system (ICS)/supervisory control and data acquisition (SCADA) networks are being targeted by threat actors armed with custom software tools.

The Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint warning that certain advanced persistent threat (APT) actors have shown the ability to gain full system access to multiple ICS/SCADA devices. The alert did not attribute the tools to a specific group, but it did credit Dragos, Mandiant, Microsoft, Palo Alto Networks and Schneider Electric for helping put together the warning. Dragos, which tracks the toolset under the name PIPEDREAM, has posted a paper about part of the threat.

ICS and SCADA systems manage and control large industrial processes and utility networks such as power grids, gas pipelines and water supplies.

The custom tools referred to in the warning enable attack groups to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network, CISA stated. “Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” CISA stated.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”

The warning said the threat actors had exhibited the capability to gain full system access to specific devices including:

- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078.
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT.
- OPC Unified Architecture (OPC UA) servers.

The tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices, CISA stated. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. “Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities,” CISA stated. “The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”

Industrial SCADA and ICS systems have been targeted for years by state actors and others. Most recently threats have emanated from Russia as it faces worldwide sanctions and isolation because of its war against Ukraine. Reports this week tied Russian hackers to a failed attack on Ukraine’s electric grid. In March the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics employee for their involvement in intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies between 2012 and 2018.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”

DOE, CISA, NSA and the FBI recommend all organizations with ICS/SCADA devices harden their systems by:

- Isolating ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limiting any communications entering or leaving ICS/SCADA perimeters.
- Limiting ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
- Enforcing multifactor authentication for all remote access to ICS networks and devices whenever possible.
- Changing all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute-force attacks and to give defender monitoring systems opportunities to detect common attacks.
- Maintaining known-good offline backups for faster recovery upon a disruptive attack, and conducting hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
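The last recommendation, hashing and integrity-checking offline backups, is the one most sites skip because "a copy exists" feels like enough. The script below is an added example, not code from the advisory or from any of the vendors named in it: it builds a SHA-256 manifest of a backup directory at the time the known-good copy is taken, then verifies the directory against that manifest later and reports which files were modified, removed or added. The file names (a TM241 project, an NX1P2 firmware image, an OPC UA server config) and their contents are constructed sample data; a real deployment would store the manifest offline or sign it, rather than alongside the backups.

```python
"""Known-good backup integrity check for controller configuration and firmware files.

Added example (not part of the CISA advisory or the article). The sample
backup files created in demo() are constructed placeholders: the names are
illustrative and the bytes are arbitrary.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read large firmware images in 1 MiB pieces


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each regular file (path relative to backup_dir, POSIX form) to its digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backups(backup_dir: Path, manifest: dict) -> dict:
    """Compare the directory's current state against a previously saved manifest.

    Returns a dict with four sorted lists: 'ok' (digest matches), 'modified'
    (present but digest differs), 'missing' (in manifest, not on disk) and
    'unexpected' (on disk, not in manifest). Anything but an empty 'modified',
    'missing' and 'unexpected' means the backup set is not known-good.
    """
    current = build_manifest(backup_dir)
    ok, modified = [], []
    for rel, digest in manifest.items():
        if rel not in current:
            continue
        if current[rel] == digest:
            ok.append(rel)
        else:
            modified.append(rel)
    return {
        "ok": sorted(ok),
        "modified": sorted(modified),
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Snapshot a constructed backup set, tamper with it, and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed sample backups (names illustrative, contents arbitrary).
        (d / "tm241_project.prj").write_bytes(b"\x00\x01PLC-PROJECT-v1" * 100)
        (d / "nx1p2_firmware.bin").write_bytes(bytes(range(256)) * 16)
        (d / "opcua_server.xml").write_text(
            "<config><endpoint>opc.tcp://plc-01:4840</endpoint></config>"
        )

        # Known-good manifest, taken when the backups were made. Round-trip it
        # through JSON to show it serializes cleanly for offline storage.
        manifest = json.loads(json.dumps(build_manifest(d)))

        # Simulate what a later check might find: one file altered (a single
        # appended byte is enough), one deleted, one that was never backed up.
        with (d / "tm241_project.prj").open("ab") as f:
            f.write(b"\x90")
        (d / "opcua_server.xml").unlink()
        (d / "notes.txt").write_text("added after the snapshot")

        return verify_backups(d, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the four lists; in practice the manifest is generated on the engineering workstation that took the backup, copied to the offline media with it, and checked again before any restore, so a controller is never re-imaged from a file whose digest no longer matches.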