- New malware can enable full access to control systems and SCADA devices.
- Attackers could move around to other systems within an operations technology environment and disrupt critical devices or functions.
- This new cybersecurity alert can affect manufacturers and processors of all sizes.
- New Industrial Control System Security Threat
- Joint Cybersecurity Advisory: APT Cyber Tools Targeting ICS/SCADA Devices
- Securing Controls with Defense in Depth
|Read the transcript below:|
Welcome to Take Five with OEM. I’m David Greenfield, Director of Content, and today we’re going to look at a very specific cybersecurity alert from the U.S. government that all manufacturing and processing companies need to be aware of.
According to the alert: The Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation are warning that advanced persistent threat actors have the capability to gain full system access to multiple industrial control system and SCADA devices, including Schneider Electric PLCs, Omron Sysmac NEX PLCs, OPC UA servers, and Windows-based engineering workstations. And when this alert refers to these threat actors, they’re referencing un-named nation states. So these aren’t your garden variety hackers.
The alert notes that by compromising and maintaining full system access to control systems and SCADA devices, attackers could move around to other systems within an operations technology environment and disrupt critical devices or functions.
Though this alert is primarily aimed at critical infrastructure organizations, such as power generation, the technologies listed in the alert are used broadly across industry verticals. Therefore, companies of all types could be impacted. As we saw with the WannaCry and NotPetya attacks a few years ago, the targeting of specific operations by these attacks does not protect non-targeted companies from being impacted by them. In those instances, the malware was targeted at critical infrastructures in Europe and Russia, but U.S. operations of food maker Mondelez International and pharma manufacturer Merck were also affected.
A key aspect of this alert is that it highlights three specific steps users can take to help protect against these attacks: Those steps are: 1) Enforce multifactor authentication use for all remote access to control system networks; 2) Practice good password hygiene on all control system and SCADA devices; and 3) Use cybersecurity software that continuously monitors your operations network to detect anomalous behaviors and intrusions.
Before the break I mentioned how cyberattacks can impact companies that were not the initial targets of the attack. Eric Byres, an industrial control system advisor to the Cybersecurity and Infrastructure Security Agency and chief technology officer at the cybersecurity firm a Dolus Technology says that many of the underlying issues noted in this alert aren't in the software Schneider Electric's engineers created, it’s in the third-party code supplied by the CoDeSys Group, which provides CoDeSys Runtime, a framework designed for running industrial control system software. Byres says the CoDeSys Runtime product has been used in more than 350 devices from dozens of different operations technology vendors and is widely used in the energy sector, industrial manufacturing, and Internet of Things systems.
Byres notes that a basic reading of this alert could lead many manufacturers to believe that, if they use Schneider Electric’s software, for example, they should then look for the vulnerabilities assigned to Schneider Electric products in the National Vulnerability Database. But he says companies that do that won't find a thing because the vulnerabilities are all listed as CoDeSys issues.
To underscore this point, Byres says: There are thousands of industrial facilities across the nation who may believe they have dodged the bullet on this because they don't use Schneider or Omron products. But they haven't necessarily dodged anything based on that—without taking proper action, they could be sitting ducks to these nation-state attackers, he says.
So, my intent with this Take Five video is not to scare you, but to hopefully drive some specific cybersecurity actions to protect your operations. At the very least, following those three points noted in the alert that I mentioned earlier will go a long way toward protecting your network. So, the good news is that your systems can be well protected through a combination of good security practices and widely available cybersecurity technologies.