US authorities have warned of malware targeting programmable logic controllers (PLCs) and servers in industrial control systems.
The Pipedream malware is modular software that can attack Schneider Electric and Omron PLCs as well as Windows-based OPC Unified Architecture server boards. These are widely used in process control systems as well as the electricity grid.
“Dragos identified and analyzed Pipedream’s capabilities through our normal business, independent research, and collaboration with various partners in early 2022,” said US security firm Dragos. “Dragos assesses with high confidence that Pipedream has not yet been employed in the wild for destructive effects.”
The malware was developed by a consortium known as Chernovite, using the native functions of the electronics, rather than any vulnerability. Dragos warns that other PLC systems could also be vulnerable via other modules developed by Chernovite.
“Chernovite’s Pipedream can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics,” said Dragos. “It can manipulate a wide variety of industrial control programmable logic controllers (PLC) and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA). Together, Pipedream can affect a significant percentage of industrial assets worldwide. It is not currently taking advantage of any Schneider or Omron vulnerabilities, instead it leverages native functionality.
“While Chernovite is specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and Pipedream’s functionality could work across hundreds of different controllers,” it said.
The US joint advisory from the National Security Agency and the FBI recommends that all organizations with ICS/SCADA control systems implement a number of measures to protect against Pipedream attacks.
These include isolating ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, limiting any communications entering or leaving ICS/SCADA perimeters, enforcing multifactor authentication for all remote access to ICS networks and devices, and regularly changing strong passwords for the equipment.
It recommends limiting network connections to only specifically allowed management and engineering workstations and protecting the management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). It also suggests using continuous monitoring to alert operators on malicious indicators and behaviours, watching internal systems and communications for known hostile actions and unexpected data movement. The Cybersecurity and Infrastructure Security Agency (CISA) in the US has an open-source Industrial Control Systems Network Protocol Parser (ICSNPP) for such detection.
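The allowlisting and monitoring measures above can be turned into concrete detection rules. The following is an added example, not code from the advisory, from Dragos, or from the ICSNPP project: it reads a constructed, simplified tab-separated connection log (not ICSNPP's real output schema) and raises alerts for Modbus write operations from hosts that are not on an engineering-workstation allowlist, for Modbus traffic arriving from outside the ICS perimeter, and for unusually large outbound transfers leaving that perimeter. The network range, workstation addresses, byte threshold and log lines are all assumptions made for the example; the Modbus write function codes come from the Modbus specification.

```python
"""Allowlist-based ICS monitoring over constructed log lines (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed ICS perimeter and the engineering workstations permitted to write
# to controllers. These values are hypothetical, not from the advisory.
ICS_NETWORK = ip_network("10.10.0.0/16")
ALLOWED_ENGINEERING_HOSTS = {"10.10.1.10", "10.10.1.11"}

# Modbus function codes that change controller state (write operations),
# per the Modbus application protocol specification.
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
MODBUS_PORT = 502

# Assumed threshold for "unexpected data movement" leaving the perimeter.
EGRESS_BYTES_THRESHOLD = 1_000_000


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    detail: str


def parse_line(line):
    """Parse one constructed log line.

    Format (tab-separated, constructed for this example):
    ts  src_ip  src_port  dst_ip  dst_port  proto  modbus_func  orig_bytes
    modbus_func is '-' for non-Modbus connections.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8:
        return None
    ts, src, _sport, dst, dport, proto, func, obytes = fields
    return {
        "ts": ts,
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "proto": proto,
        "func": None if func == "-" else int(func),
        "orig_bytes": int(obytes),
    }


def analyze(lines):
    """Apply the three detection rules and return the alerts raised."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src_ip = ip_address(rec["src"])
        dst_ip = ip_address(rec["dst"])

        # Rule 1: a Modbus write from a host that is not an allowed workstation.
        if rec["func"] in MODBUS_WRITE_FUNCS and rec["src"] not in ALLOWED_ENGINEERING_HOSTS:
            alerts.append(Alert("modbus-write-unauthorized-source", rec["src"], rec["dst"],
                                f"function code {rec['func']} at {rec['ts']}"))

        # Rule 2: any Modbus session originating outside the ICS perimeter.
        if rec["dport"] == MODBUS_PORT and src_ip not in ICS_NETWORK:
            alerts.append(Alert("modbus-from-outside-perimeter", rec["src"], rec["dst"],
                                f"external source at {rec['ts']}"))

        # Rule 3: large outbound transfer from inside the perimeter to outside.
        if (src_ip in ICS_NETWORK and dst_ip not in ICS_NETWORK
                and rec["orig_bytes"] >= EGRESS_BYTES_THRESHOLD):
            alerts.append(Alert("unexpected-egress-volume", rec["src"], rec["dst"],
                                f"{rec['orig_bytes']} bytes sent at {rec['ts']}"))
    return alerts


# Constructed sample log: two benign engineering sessions, one write from an
# unlisted internal host, one Modbus read from outside the perimeter, and one
# large transfer from a controller to an external address.
SAMPLE_LOG = [
    "1649980800.1\t10.10.1.10\t49152\t10.10.5.20\t502\ttcp\t16\t200",
    "1649980801.2\t10.10.7.55\t49153\t10.10.5.20\t502\ttcp\t6\t48",
    "1649980802.3\t192.168.50.9\t49154\t10.10.5.21\t502\ttcp\t3\t64",
    "1649980803.4\t10.10.5.20\t50001\t203.0.113.7\t443\ttcp\t-\t5000000",
    "1649980804.5\t10.10.1.11\t49155\t10.10.5.22\t502\ttcp\t1\t100",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.src} -> {alert.dst}: {alert.detail}")
```

The rules deliberately key on what the advisory calls out: writes to PLCs should only ever come from a short, known list of engineering hosts, Modbus should never cross the perimeter, and bulk data leaving the ICS network is itself an indicator worth an operator's attention. In a real deployment the allowlist and perimeter definition would be maintained from the asset inventory rather than hard-coded.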