US warns of cyber threat to specific industrial machines

A new Joint Cybersecurity Advisory (CSA) from the United States government released on Wednesday warns that Advanced Persistent Threat (APT) actors (read: cybercriminals) have devised a way to gain full system access to multiple industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, targeting specific models of programmable logic controllers (PLCs) manufactured by Schneider Electric and OMRON.

The industrial cybersecurity company Dragos is among the organizations that contributed to the CSA. “The initial targeting appears to be specific to liquid natural gas and electricity,” says Robert M. Lee, CEO of Dragos. “However, the nature of the malware is that it works in a wide variety of industrial controllers and systems. The malware initially targets Schneider Electric and Omron controllers; however, there are no vulnerabilities specific to these product lines.”

“Make no mistake, this is an important CISA alert. Industry organizations need to pay attention to this threat,” said Tim Erlin, vice president of strategy at Tripwire. “It is important to note that while this alert calls for tools to access specific industrial control systems, there is a broader threat that involves more of the industrial control environment.”

Cyber threats specific to particular industrial machines

According to the CSA, cybercriminals have developed tailor-made tools to specifically target the machines in question. Once machines are compromised, cybercriminals can download malicious code, change device settings, and back up device content, among other things a company doesn’t want to deal with.

Practical concerns for the Schneider Electric devices in question include losing the ability to connect the network to the PLCs; having connections cut to force reconnections that require entering credentials, which the attackers can then capture; and having the controllers crashed outright until they are restarted and recovery operations are complete.

For OMRON devices, cybercriminals can install hostile software to enable further attacks, back up and restore files to and from the PLC, and send commands directly to the PLC to manipulate files and capture data.

Cybercriminals have also developed a tool to exploit a known vulnerability in a specific ASRock-signed motherboard driver. The tool adds malicious code to Windows systems, opening the door for cybercriminals to break into general computer networks and wreak havoc in IT or OT environments.

Finally, the CSA cites new vulnerabilities for servers running the Open Platform Communications Unified Architecture (OPC UA).

Embrace Point Defense Early

The CSA includes many strategies to mitigate risk before cybercriminals have a chance to attack the industrial systems in question, including the usual advice on multi-factor authentication, changing passwords frequently and strengthening them, and close monitoring of all machines cited as being particularly at risk. The CSA also provides an abundant list of more advanced preventative actions for IT professionals.

“Attackers need an initial point of compromise to gain access to the industrial control systems involved, and organizations need to build their defenses accordingly,” Erlin adds. “The joint advisory recommends isolating affected systems, as well as using endpoint discovery, configuration and health monitoring, log analysis, and patching.”

Marty Edwards, Vice President of OT Security at Tenable and former Director of CERT under President Barack Obama, added, “The joint advisory released by the US government on advanced tools used to target industrial control systems and operational technology environments is of concern. If attackers are successful, the consequences of these intrusions are vast and can be potentially devastating. When your adversary uses advanced tools to potentially disrupt your system, organizations must first have the people, processes, and technology in place to harden their environments and detect any malicious activity.”

Edwards added that “actors are apparently capable of directly interacting with and manipulating the OT devices referenced in the advisory, so it is imperative that asset owners and operators continuously monitor any malicious communication to these devices as well as any change in the configuration or logic inside the devices in real time. The advisory says actors could elevate privileges, move laterally in an OT environment, and disrupt critical devices or functions. Asset owners and operators should have systems in place to monitor credential abuse and/or discover accounts that violate the principle of least privilege.”
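The monitoring Edwards describes (watching for changes in controller logic or configuration, for sessions from hosts that should not be talking to a PLC, and for accounts performing privileged actions they are not entitled to) can be prototyped as a simple baseline-and-compare check. The following is an added example written for this page; it is not code from the advisory, Tenable, or any PLC vendor. The device names, IP addresses, account names, action names and the JSON event format are all constructed assumptions standing in for whatever a real engineering-workstation or network-monitoring log would provide.

```python
import hashlib
import json


def _h(data: bytes) -> str:
    """SHA-256 hex digest used for the constructed logic/config snapshots."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline (assumed values): last-known-good hashes of each PLC's
# logic program and configuration, taken when the device was last commissioned.
BASELINE = {
    "plc-lng-01": {"logic": _h(b"ladder-v12"), "config": _h(b"cfg-a")},
    "plc-sub-07": {"logic": _h(b"ladder-v3"), "config": _h(b"cfg-b")},
}

# Engineering workstations permitted to open sessions to each controller (assumed).
ALLOWED_ENG_HOSTS = {
    "plc-lng-01": {"10.10.5.20"},
    "plc-sub-07": {"10.10.5.20", "10.10.5.21"},
}

# Accounts entitled to change logic/config or stop a CPU; any other account
# doing so is a least-privilege violation worth investigating (assumed).
ENGINEERING_ACCOUNTS = {"eng.alice"}
PRIVILEGED_ACTIONS = {"program_download", "config_write", "stop_cpu", "firmware_update"}

# Constructed event stream, one JSON object per line; not real device output.
SAMPLE_LOG = """\
{"ts":"2022-04-14T08:00:00Z","type":"snapshot","device":"plc-lng-01","logic":"%s","config":"%s"}
{"ts":"2022-04-14T08:05:10Z","type":"session","device":"plc-lng-01","src":"10.10.5.20","user":"eng.alice","action":"read_status"}
{"ts":"2022-04-14T08:07:42Z","type":"session","device":"plc-lng-01","src":"10.10.9.99","user":"svc.backup","action":"program_download"}
{"ts":"2022-04-14T08:08:00Z","type":"snapshot","device":"plc-lng-01","logic":"%s","config":"%s"}
{"ts":"2022-04-14T08:09:30Z","type":"session","device":"plc-sub-07","src":"10.10.5.21","user":"eng.alice","action":"stop_cpu"}
""" % (_h(b"ladder-v12"), _h(b"cfg-a"), _h(b"ladder-v13"), _h(b"cfg-a"))


def check_event(event: dict, state: dict) -> list:
    """Return alert strings for one event.

    `state` holds the currently known logic/config hash per device; it starts
    from BASELINE and is updated after each snapshot so that a later rollback
    to the old hash is reported as a change too.
    """
    alerts = []
    dev = event["device"]
    if event["type"] == "snapshot":
        known = state.setdefault(dev, dict(BASELINE.get(dev, {})))
        for field in ("logic", "config"):
            if known.get(field) and known[field] != event[field]:
                alerts.append(f"{event['ts']} {dev}: {field} hash changed "
                              f"(possible logic/configuration tampering)")
            known[field] = event[field]
    elif event["type"] == "session":
        if event["src"] not in ALLOWED_ENG_HOSTS.get(dev, set()):
            alerts.append(f"{event['ts']} {dev}: session from non-engineering host {event['src']}")
        if event["action"] in PRIVILEGED_ACTIONS and event["user"] not in ENGINEERING_ACCOUNTS:
            alerts.append(f"{event['ts']} {dev}: account {event['user']} performed "
                          f"privileged action {event['action']} (least-privilege violation)")
    return alerts


def analyze(log_text: str) -> list:
    """Run every JSON event line through check_event and collect the alerts."""
    state = {}
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(check_event(json.loads(line), state))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log the check raises three alerts: a session to plc-lng-01 from a host outside the engineering allow list, a program download by a service account that is not an engineering account, and a logic hash that no longer matches the baseline on the next snapshot. The stop_cpu on plc-sub-07 is not flagged because it comes from an allowed host and an entitled account; in practice that action would still deserve a change-ticket cross-check, which is the natural next step beyond this example.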

Justin Fier, VP of Tactical Risk and Response at Darktrace, remarked that this news represents a major step up from previous, relatively unsophisticated DDoS attacks, and that it is particularly interesting to see that Sandworm has once again reared its head.

“CISA and other Five Eyes government agencies have been anticipating an attack like this and issuing sophisticated warnings for some time. Ukraine has faced this type of threat for years and prepared with the assistance of global allies, including the United States,” Fier said. “While we cannot confirm these allegations, we hope governments around the world take this seriously and realize that the same type of attack on Ukrainian soil could also happen anywhere else, be replicated by other cybercriminal groups or nation states, or have ripple effects on the global supply chain. In this ongoing ‘world wired war’ we must worry not only about the prospect of an incoming warhead, but also about cyberattacks destroying infrastructure. Every organization potentially at risk must strengthen its defences: it will have to fight fire with fire, by arming itself with the latest technologies. You go to war with the army you have, not the one you want to build, and organizations must prepare now.”

About the Author: Dennis Scimeca is a seasoned technology journalist with particular experience in vision systems technology, machine learning/artificial intelligence, virtual and augmented reality, and interactive entertainment. He has experience writing for consumers, developers and B2B audiences with bylines at many highly reputable specialty and consumer outlets.

At IndustryWeek, an Endeavor Business Media sister publication to Security Technology Executive, he covers the continued expansion of new technologies in the manufacturing world and the competitive advantages gained by learning and using these new tools. He also seeks to connect manufacturers by sharing stories of their challenges and successes using new technologies. If you would like to share your story with IndustryWeek, please contact him at [email protected]

Note: SecurityInfoWatch.com editors contributed to this report. Link to the original story in IndustryWeek here.

James G. Williams