CISA, DOE, NSA and FBI Release Joint Cybersecurity Advisory on APT Cyber Tools Targeting ICS/SCADA Devices

April 14, 2022

Shields Up! (Still)

On April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (AA22-103A) to warn of an advanced persistent threat (APT) targeting industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including Schneider Electric PLCs, OMRON Sysmac NEX PLCs, and OPC UA servers.

Specific devices at risk include:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078
  • OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT
  • OPC Unified Architecture (OPC UA) servers

This advisory comes only three weeks after the White House released a statement advising US private sector organizations to strengthen their cybersecurity practices, citing intelligence reports indicating that Russia is looking at options for cyberattacks against the United States.

The alert reads, “APT actors have successfully used a specific toolset to target these ICS devices, which lets them scan for, compromise, and control affected devices. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”

CISA also provided an overview of behaviors to look for, specific to each device manufacturer, which you can read in the full advisory (AA22-103A).

Critical infrastructure organizations, especially within the energy sector, should implement the following mitigations to minimize the chance of a successful attack:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls and limit any communications entering or leaving ICS/SCADA perimeters.
  • Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks.
  • Maintain known-good offline backups for faster recovery upon a disruptive attack and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
  • Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
  • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement.
  • Ensure all applications are only installed when necessary for operation.
  • Enforce the principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
  • Investigate symptoms of a denial of service or connection severing, which show up as delays in communications processing, loss of function requiring a reboot, and delayed responses to operator commands, as signs of potential malicious activity.
  • Monitor systems for the loading of unusual drivers, especially an ASRock driver if no ASRock driver is normally used on the system.
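The last mitigation in the list is the one most specific to this advisory. One way to operationalize it is to compare every kernel driver load against a per-host baseline, so that an ASRock driver appearing on a workstation that has never used one is flagged while a host that legitimately runs ASRock hardware is not. The following is an added example written for this post; it is not Industrial Defender code. The event shape follows Sysmon Event ID 6 (ImageLoaded, Signed, Signature), but the hosts, file names, paths, signers and baseline sets are all constructed for illustration.

```python
"""Flag kernel driver loads that deviate from a per-host baseline (added example)."""
import ntpath
from dataclasses import dataclass

# Drivers expected on each engineering workstation, keyed by host name.
# Constructed for this example; in practice the set comes from an asset
# inventory captured while the host was known-good.
BASELINE = {
    "ENG-WS-01": {"ndis.sys", "tcpip.sys", "storport.sys"},
    # ENG-WS-02 is assumed to have an ASRock board, so its driver is legitimate there.
    "ENG-WS-02": {"ndis.sys", "tcpip.sys", "storport.sys", "rgbctl.sys"},
}

# Vendor strings that are suspicious on hosts whose baseline does not include
# them. AA22-103A names the ASRock driver specifically.
VENDOR_WATCHLIST = ("asrock",)

# Constructed driver-load records in the shape Sysmon Event ID 6 reports.
# Paths, file names and signer strings are made up.
SAMPLE_EVENTS = [
    {"host": "ENG-WS-01", "image": r"C:\Windows\System32\drivers\ndis.sys",
     "signed": True, "signature": "Microsoft Windows"},
    {"host": "ENG-WS-01", "image": r"C:\Windows\System32\drivers\tcpip.sys",
     "signed": True, "signature": "Microsoft Windows"},
    {"host": "ENG-WS-01", "image": r"C:\Users\ops\AppData\Local\Temp\rgbctl.sys",
     "signed": True, "signature": "ASRock Incorporation"},
    {"host": "ENG-WS-01", "image": r"C:\Windows\Temp\loader.sys",
     "signed": False, "signature": ""},
    {"host": "ENG-WS-02", "image": r"C:\Windows\System32\drivers\rgbctl.sys",
     "signed": True, "signature": "ASRock Incorporation"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    driver: str
    severity: str
    reason: str


def check_driver_loads(events, baseline=BASELINE, watchlist=VENDOR_WATCHLIST):
    """Return one Finding per loaded driver that is not in the host's baseline.

    A driver in the baseline is never flagged, even if its vendor is on the
    watchlist. A host with no baseline at all yields a single 'no baseline'
    finding so the gap is visible instead of silently producing no alerts.
    """
    findings = []
    hosts_without_baseline = set()
    for ev in events:
        host = ev["host"]
        if host not in baseline:
            if host not in hosts_without_baseline:
                hosts_without_baseline.add(host)
                findings.append(Finding(host, "*", "medium",
                                        "no driver baseline recorded for host"))
            continue
        # ntpath parses the Windows path correctly even when this runs on Linux.
        name = ntpath.basename(ev["image"]).lower()
        if name in baseline[host]:
            continue
        signer = ev.get("signature", "").lower()
        if any(v in signer or v in name for v in watchlist):
            findings.append(Finding(host, name, "high",
                                    f"watchlisted vendor driver loaded, signer '{ev['signature']}'"))
        elif not ev.get("signed"):
            findings.append(Finding(host, name, "high", "unsigned driver not in baseline"))
        else:
            findings.append(Finding(host, name, "medium",
                                    f"signed driver not in baseline, signer '{ev['signature']}'"))
    return findings


if __name__ == "__main__":
    for f in check_driver_loads(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.host}: {f.driver} - {f.reason}")
```

Two design points matter more than the matching itself: the baseline must be captured from a host you trust at the time of capture (a baseline taken after compromise just whitelists the attacker's driver), and a host that has no baseline should raise a finding rather than stay quiet, because silence is indistinguishable from "nothing loaded".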
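The backup mitigation above asks for hashing and integrity checks on firmware and controller configuration files. The example below, added for this post and not taken from the advisory or from Industrial Defender, shows the minimal version of that check: build a SHA-256 manifest of a backup tree at the moment it is judged known-good, then verify the tree against the manifest later and report modified, missing and added files. The directory layout, file names and contents are constructed inside the example; the `demo()` function is a hypothetical driver that creates a throwaway tree, tampers with it and returns the verification report.

```python
"""SHA-256 manifest for known-good controller config/firmware backups (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with a previously captured manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed walk-through: capture a manifest, tamper, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc01").mkdir()
        (root / "plc01" / "project.cfg").write_bytes(b"IP=10.0.5.11\nMODE=RUN\n")
        (root / "plc01" / "firmware.bin").write_bytes(b"\x7fFW" + bytes(64))
        (root / "opcua.xml").write_bytes(b"<config/>")

        manifest = build_manifest(root)          # captured while the tree is known-good
        clean = verify_manifest(root, manifest)
        assert clean == {"modified": [], "missing": [], "added": []}

        # Simulate what a verification run should catch on a tampered backup set.
        (root / "plc01" / "project.cfg").write_bytes(b"IP=10.0.5.11\nMODE=STOP\n")
        (root / "opcua.xml").unlink()
        (root / "plc01" / "extra.bin").write_bytes(b"\x00")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest only proves that the backup still matches what was captured; the "known-good" judgement is made once, at capture time, and should be revisited after any incident. Store the manifest (or a signature over it) separately from the backup media, since an attacker who can rewrite the backup can just as easily rewrite a manifest sitting next to it.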

The good news is that most of these controls can be monitored and validated with the Industrial Defender solution. For those of you reading this blog who are current Industrial Defender customers, you can rest a bit easier (but not too much!).

Here are some techniques that you can use within the product to meet the controls suggested by CISA:

CISA mitigation: Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls and limit any communications entering or leaving ICS/SCADA perimeters.
Industrial Defender capability: ID monitors your network communications to validate that comms are behaving within ‘norms’ and not leaving the expected networks.

CISA mitigation: Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
Industrial Defender capability: ID monitors the logs from your multifactor authentication solution to alert you when failed attempts occur. Brute force attempts can be detected by correlating failed attempts over time. For example, ‘send a P1 alert if there are more than 20 failed attempts in less than 10 seconds.’

CISA mitigation: Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
Industrial Defender capability: ID provides your team with a full asset management system to assist with developing and testing your IR plans.

CISA mitigation: Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks.
Industrial Defender capability: ID validates that the password settings for your endpoints are within guidelines. If you require users to change passwords, ID can ‘test’ that value to see whether the endpoint has received those instructions, and it also identifies successful password changes in the log files.

CISA mitigation: Maintain known-good offline backups for faster recovery upon a disruptive attack and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
Industrial Defender capability: ID monitors the logs of your backup system so that you have clear visibility of all good backups, as well as any backup failures.

CISA mitigation: Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
Industrial Defender capability: ID monitors your network communications to validate that comms are behaving within ‘norms’ and not leaving the expected networks.

CISA mitigation: Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
Industrial Defender capability: ID can be used to test/validate the settings on the endpoints. This includes antivirus settings, as well as the AV signature updates (to make sure they are current).

CISA mitigation: Implement robust log collection and retention from ICS/SCADA systems and management subnets.
Industrial Defender capability: This is a core functionality of Industrial Defender.

CISA mitigation: Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement.
Industrial Defender capability: This is a core functionality of Industrial Defender.

CISA mitigation: Ensure all applications are only installed when necessary for operation.
Industrial Defender capability: ID provides a rich set of asset inventory data. It is very easy to see all applications that have been installed in your environment and easy to query the system to search for any specific application.

CISA mitigation: Enforce the principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
Industrial Defender capability: ID provides a full inventory of all local user accounts on the endpoints. This includes group memberships, so you can very easily see the privileges of all local users. ID can also monitor Active Directory users, if you choose to.

CISA mitigation: Investigate symptoms of a denial of service or connection severing, which show up as delays in communications processing, loss of function requiring a reboot, and delayed responses to operator commands, as signs of potential malicious activity.
Industrial Defender capability: ID monitors CPU, memory usage, disk usage and bandwidth usage on endpoints. If ID sees any unusual activity, it immediately alerts your team.

CISA mitigation: Monitor systems for the loading of unusual drivers, especially an ASRock driver if no ASRock driver is normally used on the system.
Industrial Defender capability: ID provides you with a detailed list of installed applications to help you quickly identify whether you have any applications that use the ASRock driver.
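The multifactor row above states a concrete correlation rule: a P1 alert when one source produces more than 20 failed attempts in less than 10 seconds. Rules like this are easy to get subtly wrong (inclusive versus strict thresholds, windows anchored to the wrong event, unsorted input), so here is an added example, written for this post and not Industrial Defender's rule engine, that implements it as a sliding window over log lines. The log format, field names and addresses are constructed for the example; the rule's numbers are the ones quoted in the table, and the sample data deliberately includes the two edge cases a practitioner should test: exactly 20 failures (must not fire) and many failures spread too thinly to fit in one window (must not fire).

```python
"""Sliding-window brute-force rule over MFA logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format; the field names are made up for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=mfa result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
THRESHOLD = 20                  # rule: "more than 20 failed attempts"
WINDOW = timedelta(seconds=10)  # rule: "in less than 10 seconds"


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, key="src", threshold=THRESHOLD, window=WINDOW):
    """Emit a P1 alert when one key (source IP or user) produces more than
    `threshold` failures whose first and last timestamps are less than
    `window` apart. Input order does not matter; events are sorted first.
    After an alert the burst is reset, so a sustained attack re-alerts every
    threshold+1 failures instead of on every single extra failure."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])
    idx = {"src": 3, "user": 2}[key]
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        ts, result = ev[0], ev[1]
        if result != "FAIL":
            continue
        q = recent[ev[idx]]
        q.append(ts)
        while ts - q[0] >= window:   # keep only failures strictly inside the window
            q.popleft()
        if len(q) > threshold:
            alerts.append({"severity": "P1", "key": ev[idx], "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
            q.clear()
    return alerts


def _line(ts, result, user, src):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3]}Z auth=mfa result={result} user={user} src={src}"


# Constructed sample log covering the cases the rule must get right.
T0 = datetime(2022, 4, 14, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 21 failures in 4 s from one source: crosses "more than 20 in under 10 s"
    [_line(T0 + timedelta(milliseconds=200 * i), "FAIL", "eng01", "10.0.9.22") for i in range(21)]
    # exactly 20 failures in 4 s: the threshold is strict, must not fire
    + [_line(T0 + timedelta(milliseconds=200 * i), "FAIL", "eng02", "10.0.9.23") for i in range(20)]
    # 30 failures spaced 3 s apart: any 10 s window holds at most 4, must not fire
    + [_line(T0 + timedelta(seconds=3 * i), "FAIL", "eng03", "10.0.9.24") for i in range(30)]
    # successes and unrelated lines are ignored
    + [_line(T0 + timedelta(seconds=5), "OK", "eng01", "10.0.9.22"), "kernel: link up eth0"]
)


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

Keying by source address catches a single host hammering many accounts; keying by user catches a spray against one account from rotating addresses. Run the rule both ways, because an attacker who knows the threshold will stay just under it on whichever key you chose.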

As always, we are here to help. Current customers can open a support ticket in the support portal or by emailing support@industrialdefender.com.

If you are not a customer and are interested in learning more about Industrial Defender, please reach out here: https://www.industrialdefender.com/contact-us/.