ICS/SCADA Threat Advisory – Joint Cybersecurity Advisory Regarding Advanced Cyber Tools Targeting ICS/SCADA Devices

Created: Thursday, April 14, 2022 - 12:14
Categories:
OT-ICS Security, Security Preparedness

Summary: Given the current threat landscape and recent concerns about the potential for cyber attacks against critical infrastructure, members are strongly encouraged to review the following Joint Cybersecurity Advisory regarding newly discovered custom attack tools designed to target ICS/SCADA devices, and to take action accordingly. The advisory warns of tools built to cause damage to the following components:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but not necessarily limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
  • OMRON Sysmac NJ and NX PLCs, including (but not necessarily limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
  • OPC Unified Architecture (OPC UA) servers.

If your utility uses any of the components listed above, it is critical that you review and address this advisory as soon as possible. However, while these components are the first three to have been identified, there is speculation that other manufacturers and components could be affected. All utilities are therefore encouraged to apply a risk-based approach when assessing this threat across their ICS/SCADA environments. These tools, which Mandiant and Dragos track as INCONTROLLER and PIPEDREAM respectively, are the seventh ICS-specific malware to be identified since Stuxnet (the first).

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Alert AA22-103A "APT Cyber Tools Targeting ICS/SCADA Devices", warning that unidentified advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices. To date, actors have been observed with tools designed to cause excessive damage to Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. At this time, it is believed that this malware was identified before it was deployed on any U.S. systems. Also, while current information identifies components from three manufacturers, it is possible that these are not the only components affected. For more threat details and suggested mitigations, visit CISA.

According to Mandiant, "INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON/TRISIS, which attempted to disable an industrial safety system in 2017; INDUSTROYER, which caused a power outage in Ukraine in 2016; and STUXNET, which sabotaged the Iranian nuclear program around 2010."