Shields Up! (Still)
On April 13, 2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (AA22-103A) to warn of an advanced persistent threat (APT) targeting industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including Schneider Electric PLCs, OMRON Sysmac NEX PLCs, and OPC UA servers.
Specific devices at risk include:
- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT
- OPC Unified Architecture (OPC UA) servers
This advisory comes only three weeks after the White House released a statement advising US private sector organizations to strengthen their cybersecurity practices, citing intelligence reports indicating that Russia is looking at options for cyberattacks against the United States.
The alert reads, “APT actors have successfully used a specific toolset to target these ICS devices, which lets them scan for, compromise, and control affected devices. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”
CISA also provided an overview of behaviors to look for specific to each device manufacturer, which you can read more about here in the Advisory.
Critical infrastructure organizations, especially within the energy sector, should implement the following mitigations to minimize the chance of a successful attack:
- Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls and limit any communications entering or leaving ICS/SCADA perimeters.
- Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
- Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
- Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks.
- Maintain known-good offline backups for faster recovery upon a disruptive attack and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
- Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
- Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
- Implement robust log collection and retention from ICS/SCADA systems and management subnets.
- Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement.
- Ensure all applications are only installed when necessary for operation.
- Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
- Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
- Monitor systems for loading of unusual drivers, especially for ASRock driver if no ASRock driver is normally used on the system.
The good news is that most of these controls are built into the Industrial Defender solution. For those of you reading this blog who are current Industrial Defender customers, you can rest a bit easier (but not too much!).
Here are some techniques that you can use within the product to meet the controls suggested by CISA:
As always, we are here to help. Current customers can open a support ticket in the support portal or using email@example.com.
If you are not a customer and are interested in learning more about Industrial Defender, please reach out here: https://www.industrialdefender.com/contact-us/.