Possible vulnerable devices include Schneider Electric and OMRON controllers and servers that comply with the OPC Unified Architecture.

Key US government security organizations are warning that industrial control system (ICS)/supervisory control and data acquisition (SCADA) networks are being threatened by bad actors armed with custom software tools.

The Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint warning that certain advanced persistent threat (APT) actors have shown the ability to gain full system access to compromised ICS/SCADA systems.

The alert did not identify which groups are behind the tools, but it did credit Dragos, Mandiant, Microsoft, Palo Alto Networks and Schneider Electric with helping put together the warning. Dragos has posted a paper about part of the threat.

ICS and SCADA systems typically manage and control large industrial systems and utility networks such as power grids, gas pipelines and water supplies.

The custom tools referred to in the warning enable attack groups to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network, CISA stated. “Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” CISA stated.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”

The warning said the threat actors had exhibited the capability to gain full system access to specific devices, including:

- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078.
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT.
- OPC Unified Architecture (OPC UA) servers.

The tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices, CISA stated. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device.

“Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities,” CISA stated. “The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”

Industrial SCADA and ICS systems have been threatened for years by state actors and others. Most recently, threats have emanated from Russia as it faces worldwide sanctions and isolation because of its war against Ukraine. Reports this week tied Russian hackers to a failed attack on Ukraine’s electric grid.

In March the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics employee for their involvement in intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies between 2012 and 2018.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”

DOE, CISA, NSA and the FBI recommend that all organizations with ICS/SCADA devices harden their systems by:

- Isolating ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limiting any communications entering or leaving ICS/SCADA perimeters.
- Limiting ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
- Enforcing multifactor authentication for all remote access to ICS networks and devices whenever possible.
- Changing all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords, to mitigate password brute-force attacks and to give defender monitoring systems opportunities to detect common attacks.
- Maintaining known-good offline backups for faster recovery after a disruptive attack, and conducting hashing and integrity checks on firmware and controller configuration files to ensure the validity of those backups.
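The last recommendation, hashing and integrity-checking the firmware and controller configuration files in a known-good backup, is the one most organizations have to build themselves. The script below is an added example, not code from the advisory or from any of the vendors named in the article: it records a SHA-256 manifest of a backup tree taken when the controllers were in a trusted state, and later reports files that have been modified, removed, or added since. The directory and file names (tm251/app.project, firmware.bin) and their contents are constructed placeholders, not real project or firmware data.

```python
"""Build and verify a SHA-256 manifest for an offline backup of
controller configuration and firmware files.

Added example, not from the advisory or the article. File names and
contents in demo() are constructed placeholders for illustration only.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash large firmware images in 1 MiB chunks


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's POSIX-style path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the files under root with a known-good manifest.

    Returns the relative paths that were modified, missing, or unexpected.
    The backup is only trustworthy when all three lists are empty.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: manifest a clean backup, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "plc-backup"
        (backup / "tm251").mkdir(parents=True)
        # Hypothetical file names; contents are placeholders, not real firmware.
        (backup / "tm251" / "app.project").write_bytes(b"PROGRAM Main ... END_PROGRAM")
        (backup / "tm251" / "firmware.bin").write_bytes(bytes(range(256)) * 16)

        # Record the manifest while the backup is known good; in practice
        # store it on separate, write-protected media, not beside the backup.
        manifest = build_manifest(backup)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(backup, json.loads(manifest_path.read_text()))

        # Simulate tampering: altered project logic, a dropped-in file,
        # and a deleted firmware image.
        (backup / "tm251" / "app.project").write_bytes(b"PROGRAM Main (* altered *) END_PROGRAM")
        (backup / "tm251" / "extra.bin").write_bytes(b"\x00")
        (backup / "tm251" / "firmware.bin").unlink()
        tampered = verify_manifest(backup, manifest)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest somewhere an attacker with write access to the backup cannot also reach (write-once media or a separate, read-only share); a manifest stored next to the files it protects can simply be regenerated after the files are altered. For the same reason the manifest should be taken at backup time from a controller state you have already validated, since hashing a backup of an already-compromised device only certifies the compromise.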