Dragos discovers new industrial control system malware
Cybersecurity company Dragos has found the seventh ever publicly known malware specifically developed to disrupt industrial control systems, named PIPEDREAM.
Dragos CEO and co-founder Robert M. Lee says the company has been analysing the malware since the start of this year.
“We track its developers as the threat group CHERNOVITE, which we assess with high confidence to be a state actor that developed the PIPEDREAM malware for use in disruptive or destructive operations against ICS,” he says.
“The initial targeting appears to be liquid natural gas and electric community specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.”
Dragos says PIPEDREAM is a modular ICS attack framework that can execute 38% of known ICS attack techniques and 83% of known ICS attack tactics.
The malware can manipulate various industrial control programmable logic controllers (PLC) and industrial software, including Omron and Schneider Electric controllers. It can also attack industrial technologies, including CODESYS,
Modbus, and Open Platform Communications Unified Architecture (OPC UA).
“PIPEDREAM takes advantage of native functionality in operations, making it more difficult to detect,” says Lee.
The malware allows CHERNOVITE to infiltrate engineering workstations, exploit process controllers, cross security and process zones, fundamentally disable controllers and manipulate executed login and programming.
Dragos says all of those capabilities can lead to a loss of safety, availability, and control of an industrial environment. That increases recovery time while potentially placing lives, livelihoods and communities at risk.
The company says mitigating this new threat will require companies to have a robust strategy, not simply applying cybersecurity fundamentals.
Monitoring industrial environments for all threat behaviours
Ensuring ICS visibility and threat detection includes all ICS North-South and East-West communications. Network edge and perimeter monitoring are insufficient for PIPEDREAM.
Maintain knowledge and control of all assets within Operational Technology (OT) environments, including details such as ensuring only known, good firmware and controller configuration files are in use.
Utilise a thoroughly researched and rehearsed industrial incident response plan that includes attempts by adversaries to deny, disrupt, and destroy processes.
“Uniquely, this malware has not been employed in target networks. This provides defenders with a unique opportunity to defend ahead of the attacks,” says Lee.
“While the malicious capability is sophisticated with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS specific incident response plan, and ICS network monitoring provide a robust defence against this threat.”
Previously discovered industry process malware include INDUSTROYER2, STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, and TRISIS.