CISA Alert on ICS and SCADA Devices Highlights Growing Enterprise IoT Security Risks

On April 13, the Department of Energy (DoE), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) issued a Joint Cybersecurity Advisory warning that certain Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices may be targeted by Advanced Persistent Threat (APT) actors who have the ability to gain full access to these systems.

The alert warned that vulnerable products include Schneider Electric PLCs, OMRON Sysmac NEX PLCs and Open Platform Communications Unified Architecture (OPC UA) servers.

Once on the operational technology (OT) network, APT actors can use custom tools to scan for vulnerable devices, exploit them, and then take control of them.

The advisory also noted a critical issue with Windows-based engineering workstations. Systems in the OT environment, or even on the IT side, can be compromised using an exploit that targets a vulnerable motherboard driver.

Taken together, these techniques could allow APT actors to elevate their privileges, move laterally within the OT environment to other devices, and disrupt or crash critical devices, with significant and disturbing consequences.

Given recent events, such as the Colonial Pipeline attack, which saw the entire OT environment shut down (despite the intrusion not even originating in OT devices), as well as the rise of ransomware and the threat from politically motivated nation-state actors, those responsible for critical national infrastructure need to act fast.

The DoE, CISA, NSA, and FBI urge organizations, especially those in the energy industry, to implement the detection and mitigation recommendations in the advisory to detect APT activity and harden their ICS/SCADA devices.

The advisory credited security companies such as Dragos, Mandiant and Palo Alto Networks for the contributions that led to its publication. Dragos revealed it has been analyzing the malware (dubbed PIPEDREAM) since early 2022.

Needless to say, threat actors will continually find ways to penetrate IoT and OT networks; this advisory is not the first of its kind and will not be the last.

The tricky problem with OT networks is their average age (often spanning decades), their complex history (having evolved organically with minimal planning), and the demanding availability requirements of the devices. Traditionally, OT environments were not connected to the IT network as they are today: they were physically separated and disconnected from the outside world, as well as from the business and all IT-related functions. This is called an "air gap", but it is now largely a thing of the past.

Digital transformation, and connecting OT systems and other devices to the network, expands the attack surface and exposes industrial environments to attackers. But the business priorities driving this transition, along with the nature of legacy systems and devices that must be constantly available, mean that security is often left behind.

The alert highlights how important it is for companies to be prepared to respond quickly and thoroughly to these types of IoT and OT security advisories, before adversaries can take advantage of them.

It may seem trivial, but the first ports of call include changing all passwords and maintaining offline backups, which help mitigate brute-force attacks and enable quick recovery in the event of an attack. Those working in industrial environments should ensure they have a strong cybersecurity posture, including adequate visibility and monitoring, as well as perimeter and access controls.

The alert notes the importance of collaboration between IT, cybersecurity and operations stakeholders, which is particularly important to ensure that cybersecurity is applied effectively in these complex IoT and OT environments, each with its own unique requirements.
