APT Actors Have Demonstrated the Capability to Attack ICS/SCADA Systems

Certain Advanced Persistent Threat Actors (APT) have demonstrated they have the capability to gain access to industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, including Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers, according to a joint cybersecurity alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), Federal Bureau of Investigation (FBI) and the Department of Energy (DOE).

The APT actors have developed custom tools that automate scanning, compromising, and controlling ICS/SCADA devices. These modular tools allow them to conduct reconnaissance, upload malicious configurations and code, back up or restore device contents, and modify device parameters. They have also demonstrated the capability to compromise Windows-based engineering workstations in both IT and OT environments by exploiting a known vulnerability in an ASRock motherboard driver. Once access to ICS/SCADA devices has been obtained, the APT actors could elevate privileges and move laterally within OT environments with the aim of disrupting critical devices and functions.

In the joint cybersecurity advisory, critical infrastructure organizations, in particular those in the energy sector, are advised to implement mitigations that help them detect potentially malicious activity and improve the security of their ICS/SCADA devices. The tools were identified before they were used in attacks, which gives network defenders the opportunity to harden their defenses against these new tools and tactics. The advisory provides a list of recommended mitigations for hardening defenses and improving detection of these capabilities should they be used. The tools and techniques represent a serious and particularly dangerous threat, and the recommended mitigations should be implemented as soon as possible to secure ICS/SCADA systems.

Mitigations include isolating ICS/SCADA systems and networks from corporate and Internet networks, enforcing multi-factor authentication, ensuring a cyber incident response plan is developed and tested, making sure default passwords are changed and strong passwords are set on ICS/SCADA systems, limiting the network connections of ICS/SCADA systems to only specifically allowed management and engineering workstations, using OT monitoring solutions to identify IoCs and suspicious behaviors, and ensuring backups are created and maintained offline so that systems can be restored promptly.
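One way to operationalise the allow-list and OT-monitoring mitigations above, as an added example that is not from the advisory or this article: it reads flow records of the kind a firewall or OT sensor exports and flags connections to ICS protocol ports that do not originate from an approved engineering or management workstation. The port-to-protocol map, the allowed hosts and the log lines are constructed sample data.

```python
# Added example (not from the advisory or the article): flag connections to
# ICS protocol ports that do not come from an allow-listed engineering or
# management workstation. Hosts, port-to-protocol map and log lines are
# constructed sample data.

# Default ports for protocols used by the device families named in the
# advisory: Modbus/TCP (Schneider PLCs), OMRON FINS, OPC UA.
ICS_PORTS = {502: "modbus", 9600: "omron-fins", 4840: "opc-ua"}

# Only these workstations may open connections to ICS devices (constructed).
ALLOWED_WORKSTATIONS = {"10.10.5.20", "10.10.5.21"}


def parse_line(line):
    """Parse 'key=value' flow records; return (src, dst, dport) or None if malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return fields["src"], fields["dst"], int(fields["dport"])
    except (KeyError, ValueError):
        return None


def find_unauthorized(lines, allowed=ALLOWED_WORKSTATIONS, ports=ICS_PORTS):
    """Return (src, dst, dport, protocol) for ICS-port connections from hosts
    outside the allow-list; non-ICS ports and malformed lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport in ports and src not in allowed:
            findings.append((src, dst, dport, ports[dport]))
    return findings


# Constructed sample flow records (e.g. exported from a firewall or OT sensor).
SAMPLE_LOG = [
    "ts=1 src=10.10.5.20 dst=10.20.1.10 dport=502",   # allowed host -> Modbus
    "ts=2 src=10.10.7.99 dst=10.20.1.10 dport=502",   # unknown host -> Modbus
    "ts=3 src=10.10.7.99 dst=10.20.1.30 dport=4840",  # unknown host -> OPC UA
    "ts=4 src=10.10.5.21 dst=10.20.1.40 dport=9600",  # allowed host -> FINS
    "ts=5 src=10.10.7.99 dst=10.20.1.50 dport=443",   # not an ICS port
    "malformed line without fields",
]

if __name__ == "__main__":
    for src, dst, dport, proto in find_unauthorized(SAMPLE_LOG):
        print(f"ALERT {proto}: {src} -> {dst}:{dport}")
```

Running it against the sample records reports only the two connections from the unknown host to the Modbus and OPC UA ports; in practice the allow-list would be fed from the firewall rules that enforce the same restriction, so that the monitor and the enforcement point agree.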

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news