US authorities have warned of malware targeting programmable logic controllers (PLCs) from Schneider Electric and Omron in electricity grids and other industrial control systems. The Pipedream malware is modular software that can attack Schneider Electric and Omron PLCs as well as Windows-based OPC Unified Architecture server boards.
US authorities have warned of malware targeting programmable logic controllers (PLCs) from Schneider Electric and Omron in electricity grids and other industrial control systems.
The Pipedream malware is modular software that can attack Schneider Electric and Omron PLCs as well as Windows-based OPC Unified Architecture server boards.
A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and the FBI in the US flags the Schneider Electric MODICON and MODICON Nano PLCs, including the TM251, TM241, M258, M238, LMC058, and LMC078 as well as the Omron Sysmac NJ and NX PLCs with the NEX NX1P2, NX SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-E. It also warns that other modules could attack other PLCs.
The malware was detected by US security firm Dragos earlier this year but has not been found in the wild. According to Dragos, it was developed by a consortium known as Chernovite, using the native functions of the electronics, rather than any vulnerability.
Malware targets electricity grids
New malware targets power grids, say researchers
Cryptocurrency malware attack on SCADA network
“Chernovite’s Pipedream can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics,” said Dragos. “It can manipulate a wide variety of industrial control programmable logic controllers (PLC) and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA). Together, Pipedream can affect a significant percentage of industrial assets worldwide. It is not currently taking advantage of any Schneider or Omron vulnerabilities, instead it leverages native functionality.
“While Chernovite is specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and Pipedream’s functionality could work across hundreds of different controllers,” it said.
The joint advisory recommends recommend all organizations with ICS/SCADA control systems implement a number of measures to protect against Pipedream attacks,
These include isolating ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters as well as enforcing multifactor authentication for all remote access to ICS networks and devices and regularly changing strong passwords for the equipment.
It recommends limiting network connections to only specifically allowed management and engineering workstations and protecting the management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). It also suggests using continuous monitoring to alert operators on malicious indicators and behaviours, watching internal systems and communications for known hostile actions and unexpected data movement. The CISA has an open-source Industrial Control Systems Network Protocol Parser (ICSNPP) for such detection.