
American Security Council Foundation


US Intelligence Agencies: New Malware Kit Specifically Targets Industrial Control Systems, Crafted by State-Backed APT Groups

Tuesday, April 19, 2022

Categories: ASCF News Cyber Security


Source: https://www.cpomagazine.com/cyber-security/us-intelligence-agencies-new-malware-kit-specifically-targets-industrial-control-systems-crafted-by-state-backed-apt-groups/


United States government agencies, including the NSA, have issued a joint public warning that advanced persistent threat (APT) groups have developed a “multi-tool” malware kit targeting a widely deployed range of industrial control systems (ICS). There is no indication yet that any systems have been compromised by the malware, but a wide range of devices is potentially vulnerable.

The malware targets programmable logic controllers (PLCs) made by Schneider Electric and OMRON, the devices that run physical processes and sit between field equipment and the plant network, as well as the Open Platform Communications Unified Architecture (OPC UA) servers used to exchange data with those controllers. The toolkit essentially grants an attacker free run of these industrial control systems: the option of manipulating the controlled process, altering controller logic, or simply “bricking” the devices. It can also be used to move further into networks by taking over the Windows workstations that manage this equipment.

Tim Erlin, VP of strategy at Tripwire, summarized the seriousness of this announcement and the effort expected from impacted companies: “Make no mistake, this is an important alert from CISA. Industrial organizations should pay attention to this threat … It’s important to note that while this alert calls out tools for gaining access to specific industrial control systems, there’s a bigger picture threat that involves more of the industrial control environment. Attackers need an initial point of compromise to gain access to the industrial control systems involved, and organizations should build their defenses accordingly. The joint advisory recommends isolating affected systems, as well as employing endpoint detection, configuration and integrity monitoring, and log analysis. This isn’t a matter of simply applying a patch.”

Highly adaptable “Pipedream” malware threatens many industrial environments
The joint cybersecurity advisory on industrial control systems (published as CISA alert AA22-103A on April 13, 2022) was issued by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI). The agencies did not attribute the malware to specific APT groups, but said that more than one has exhibited the capability. Dragos tracks the toolkit as PIPEDREAM; Mandiant calls it INCONTROLLER.

The malware kit is designed to compromise about half a dozen models of Schneider Electric MODICON and MODICON Nano PLCs, about the same number of OMRON Sysmac NJ and NX PLCs, and OPC UA servers. It also includes a tool that exploits a known vulnerability (CVE-2020-15368) in a signed ASRock motherboard driver, AsrDrv103.sys, to execute code in the kernel of the Windows workstations often used with this equipment, creating a path for privilege escalation and lateral movement into the organization’s IT network.

The agencies are urging all critical infrastructure organizations, particularly those in the energy sector, to take an immediate series of steps to protect their industrial control systems: enforce multifactor authentication for all remote access to ICS networks and devices, change ICS/SCADA device and system passwords on a regular schedule (and immediately wherever default passwords are still in use), and put a continuous OT monitoring solution in place that logs and alerts when malicious indicators and behaviors are detected.

Industrial control systems at risk of complete takeover, permanent damage
The malware kit is dangerous not just because of the number of industrial control systems it can potentially exploit, but also because of its ease of use. It can scan for vulnerable devices and collect the information needed to attack them, it is modular and highly automated to adapt to the particular target device, and it presents the operator with a virtual console whose commands mirror the real control interface of the device being attacked. All of this appears designed to let a larger pool of lower-skilled operators use the toolkit effectively.

The malware kit also offers multiple automated methods of compromising industrial control systems once they are found. Attackers can brute-force passwords against the PLCs, or sever existing users’ connections so that they must re-authenticate, giving the attacker a chance to capture credentials when they log back in. There are also at least two denial-of-service attacks available even without valid credentials: one cuts off network communications to the PLC, and a “packet of death” crashes it until a power cycle and configuration recovery are performed.

In addition to the immediate mitigations already listed, the agencies recommend further defensive measures that may take longer to roll out: strengthen perimeter controls to isolate ICS/SCADA systems and networks from corporate and internet networks, and limit PLC connections to specifically allowed management and engineering workstations; review and practice the related cyber incident response plans; keep known-good offline backups current and on a regular schedule; and ensure that every installed application is necessary for operation (and remove those that are not).
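The advisory’s monitoring and allowlisting recommendations, and the brute-force and session-severing behaviors described above, can be turned into a simple triage pass over OT connection logs. The following is an added example written for this page, not code from CISA, Mandiant or CPO Magazine. The log format, the port-to-protocol mapping (standard ports assumed for Modbus/TCP, CODESYS, OMRON FINS and OPC UA), the allowlist of engineering workstations and the sample log lines are all constructed for illustration.

```python
"""Triage of constructed OT connection logs: allowlist policy check plus
brute-force and session-severing detection against PLC/OPC UA services."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standard service ports for the protocols the toolkit abuses. Assumption:
# these are the only PLC/OPC UA services on the monitored segment.
PLC_PORTS = {
    502: "Modbus/TCP (Schneider Modicon)",
    1217: "CODESYS (Schneider Modicon)",
    9600: "OMRON FINS (Sysmac NJ/NX)",
    4840: "OPC UA",
}

# Hypothetical engineering workstations permitted to reach PLCs.
ALLOWED_CLIENTS = {"10.10.20.5", "10.10.20.6"}


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    outcome: str  # "ok", "auth_fail" or "reset"


def parse_line(line: str) -> Conn:
    """Parse one constructed log line: '<iso-ts> <src> -> <dst>:<port> <outcome>'."""
    ts, src, _, dst_port, outcome = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), src, dst, int(port), outcome)


def triage(lines, window=timedelta(minutes=5), fail_threshold=5, reset_threshold=3):
    """Return sorted, de-duplicated findings over the log lines."""
    findings = set()
    fails = defaultdict(list)   # (src, dst) -> auth-failure timestamps in window
    resets = defaultdict(list)  # dst -> forced-disconnect timestamps in window
    for line in lines:
        c = parse_line(line)
        if c.dport not in PLC_PORTS:
            continue  # not a PLC/OPC UA service; out of scope for this check
        proto = PLC_PORTS[c.dport]
        # 1. Allowlist policy: only engineering workstations may reach PLCs.
        if c.src not in ALLOWED_CLIENTS:
            findings.add(("unauthorized_client", c.src, c.dst, proto))
        # 2. Brute-force guessing: many auth failures from one source within
        #    the sliding window.
        if c.outcome == "auth_fail":
            key = (c.src, c.dst)
            fails[key] = [t for t in fails[key] if c.ts - t <= window] + [c.ts]
            if len(fails[key]) >= fail_threshold:
                findings.add(("brute_force", c.src, c.dst, proto))
        # 3. Session severing: repeated resets of sessions to the same PLC
        #    (the toolkit cuts sessions so users re-authenticate).
        elif c.outcome == "reset":
            resets[c.dst] = [t for t in resets[c.dst] if c.ts - t <= window] + [c.ts]
            if len(resets[c.dst]) >= reset_threshold:
                findings.add(("session_severing", c.src, c.dst, proto))
    return sorted(findings)


# Constructed sample log (not real traffic): normal engineering traffic, then
# an unlisted host guessing CODESYS credentials and resetting FINS sessions.
SAMPLE_LOG = [
    "2022-04-13T10:00:00 10.10.20.5 -> 10.10.30.7:502 ok",
    "2022-04-13T10:00:05 10.10.20.6 -> 10.10.30.9:4840 ok",
    "2022-04-13T10:00:10 10.10.20.5 -> 10.10.30.7:1217 ok",
    "2022-04-13T10:01:00 10.10.40.23 -> 10.10.30.7:1217 auth_fail",
    "2022-04-13T10:01:01 10.10.40.23 -> 10.10.30.7:1217 auth_fail",
    "2022-04-13T10:01:02 10.10.40.23 -> 10.10.30.7:1217 auth_fail",
    "2022-04-13T10:01:03 10.10.40.23 -> 10.10.30.7:1217 auth_fail",
    "2022-04-13T10:01:04 10.10.40.23 -> 10.10.30.7:1217 auth_fail",
    "2022-04-13T10:02:00 10.10.40.23 -> 10.10.30.8:9600 reset",
    "2022-04-13T10:02:01 10.10.40.23 -> 10.10.30.8:9600 reset",
    "2022-04-13T10:02:02 10.10.40.23 -> 10.10.30.8:9600 reset",
    "2022-04-13T10:03:00 10.10.20.5 -> 10.10.30.7:22 auth_fail",  # SSH: ignored
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

The allowlist check is the cheapest of the three and catches the toolkit before it does anything protocol-specific, since its scanner has to originate from somewhere that is not an engineering workstation; the windowed counters exist so that a handful of operator typos over a shift do not page anyone, while a burst of failures or resets from one source does.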

Nick Tausek, Security Automation Architect at Swimlane, adds: “In addition to this, leveraging low-code security automation allows companies to take a step further in their cybersecurity best practices by centralizing detection, investigation and response capabilities. With all-encompassing security platforms that automate tedious routines, the chance of both human error and outsider threats is brought down to a minimum and device integrity remains at its maximum.”

Security firm Mandiant additionally warns that the ASRock driver exploit used to compromise Windows workstations is not something endpoint anti-malware is likely to catch: the driver itself is legitimately signed, so it loads without complaint, and the exploit then runs attacker code in the Windows kernel rather than as a user-mode process that endpoint agents inspect. This “bring your own vulnerable driver” pattern means the defense is to block or remove the vulnerable driver, not to wait for a signature.

Naturally, there is speculation about exactly which APT groups have this capability, given that the announcement did not provide any direct clues. Suspicion will immediately drift to Russia, which has a long history of meddling in the critical infrastructure of other countries and about which the Biden administration recently issued a separate warning. Ukraine’s CERT also recently announced, together with ESET, that it had found a previously unknown piece of malware (since named Industroyer2) in an energy company’s industrial control systems, apparently aimed at causing power outages in the country. However, the assumption that the malware belongs to a state-sponsored group is based on its aims, complexity and the funding it would have taken to create, rather than on any known concrete links to a particular country.
