If you’re reading this, you’re most certainly a user of industrial control systems (ICS) to control your production operations or, at the very least, these technologies are critical components on the machines you use to produce your goods. That’s why you need to heed the latest alert from the Cybersecurity and Infrastructure Agency (CISA) about cybersecurity tools targeting ICS/SCADA devices.
According to the alert, “The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:
- Schneider Electric programmable logic controllers (PLCs),
- Omron Sysmac NEX PLCs, and
- Open Platform Communications Unified Architecture (OPC UA) servers.
The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”
Though this alert is primarily aimed at critical infrastructure organizations (e.g., power generation), the technologies listed in the alert are used broadly across industry verticals. Therefore, companies of all types could be impacted. As we saw with the WannaCry and NotPetya attacks a few years ago, the targeting of specific operations by these attacks does not protect non-targeted companies or verticals from these attacks.
A key aspect of this alert is that it highlights three specific steps users can take to help protect against these latest attacks (see the information in the box at the top right side of the alert).
|Read more about the industry-wide impacts of the WannaCry and NotPetya cybersecurity attacks.|
Eric Byres, CISA ICS advisor and chief technology officer at ICS software cybersecurity firm aDolus Technology says, “This is a classic case of why we need better supply chain transparency and analytics if we want to secure our critical infrastructure from nation states. Many of the underlying issues aren't in the software Schneider's engineers created, it is in the third-party code supplied by a German company called CoDeSys Group. They provide CoDeSys Runtime, a framework designed for executing industrial control system software. According to information that used to be [on the] CoDeSys website in 2019 (now removed), the CoDeSys Runtime product has been used in more than 350 devices from dozens of different OT vendors, and is widely used in the energy sector, industrial manufacturing, and Internet of Things systems.”
This could lead industrial users to believe that, if they use Schneider software, they should then look for the vulnerabilities assigned to Schneider products in the National Vulnerability Database. But Byres says companies that do this “won't find a thing [because] the vulnerabilities are all listed as CoDeSys issues. For example, CVE-2022-22519 doesn't mention a single product that is affected.”
Byres adds that this CISA Alert hints that this alert is “just the tip of the iceberg” in its statement that: This capability may work against other CoDeSys-based devices depending on individual design and function, and this report will be updated as more information becomes available.
“There are thousands of industrial facilities across the nation who believe they have dodged the bullet because they don't use Schneider or Omron products. They haven't dodged anything—they are just sitting ducks to these nation-state attackers,” he says.