Since Stuxnet was used to damage Iran’s nuclear aspiration in 2010, there has been a dawning realisation that malware is not just a threat in cyberspace – it can cause real world damage to industrial systems and even have fatal consequences.  In 2016 Russia used Industroyer malware to turn off the electricity in Kyiv – and tried the same again earlier this month.

When it comes to building industrial control systems, especially in the oil and gas and energy sector – the leading suppliers of programmable logic controllers (PLC) and the related components that control power grids and processing plants are Schneider Electric and OMRON.

PIPEDREAM is a new and sophisticated malware toolkit that targets these systems and the more widely used Codesys software that is used to control them (and the systems from other vendors).

This week CISA published an advisory warning of this new threat against Industrial Control Systems and SCADA devices:

The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments…. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

What is PIPEDREAM

According to the detailed analysis provided by security firm Dragos, PIPEDREAM is the seventh malware discovered that specifically targets Industrial Control Systems and appears designed to disrupt industrial processes.  Unusually, the malware has been identified and analysed but it is not thought to have been used in any known attacks, yet.

PIPEDREAM is a toolkit that provides a wide range of functionality for malicious actors. It can be used to:

• Manipulate the speed and torque of servo motors causing damage or destruction and potential loss-of-life
• Perform rapid reconnaissance of ICS networks using well known ports, HTTP banners and proprietary ICS protocols to identify network components
• Brute force passwords on PLCs using Codesys software and perform Denial of Service attacks against a controller
• Remotely interact with Omron PLCs to change operating modes (turn things on and off), change configuration and wipe the PLCs memory
• Prevent operators in control rooms from viewing the status of industrial systems, limiting their ability to recover dangerous situations
• Delay recovery after an attack by rendering process controllers inoperative and requiring physical replacement
• Use PLCs as proxies in OT environments potentially allowing firewalls, DMZ and threat detection systems to be bypassed

PIPEDREAM is a comprehensive set of tools, covering over 80% of MITRE ATT&CK tactics for Industrial Control Systems, according to Dragos who liken it to a Metasploit designed for Operational Technology systems.

PIPEDREAM targets ICS and SCADA devices made by Schneider Electric and Omron because they are leaders in their field.  The report by Drogos does not find any specific vulnerabilities in those systems as the malware takes advantage of the native functionality of the ICS environment – a living off the land mode of operation – to achieve its objectives.  PIPEDREAM is also not limited to Schneider Electric and Omron as it also targets the Codesys software environment used by many vendors as well as the OPC UA architecture which manages the way various ICS components talk to each other.

How to defend ICS systems

The CISA advisory contains several recommended mitigations which organisations that have Industrial Control Systems and Operational Technology deployments should careful consider evaluating for use in their environment:

• Isolate ICS/SCADA systems with strong perimeter controls from the rest of the corporate network and DMZ/Internet zones.
• Locate engineering workstations outside the ICS network in their own isolated segment between the corporate network and the ICS segment (this is because it is thought the engineering workstations are often used as a beachhead to enter the ICS systems)
• Enforce multi-factor authentication for all (remote) access to ICS networks
• Limit the ICS/SCADA network connections to only specifically allowed management and engineering workstations
• Develop and test a cyber incident response plan
• Regularly change the passwords on ICS/SCADA devices and systems, using strong unique passwords for every device
• Implement and monitor robust log collection from all devices within the ICS/SCADA network and management network.
• Limit the attack surface by only installing necessary applications and modules on controllers and management systems
• Enforce the principle of least privilege for all accounts and limit the use of admin accounts.
• Investigate potential malicious activity indicated by: denial of service or severing of connections, loss of function requiring a reboot and delayed response to operator instructions.

Further Resources

These resources contain advice on securing Operational Technology and Industrial Control Systems

• Layering Network Security Through Segmentation,
• Stop Malicious Cyber Activity Against Connected Operational Technology, and
• NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems.