New malware developed to disrupt or destroy industrial processes is a threat to critical industries. Here’s what you can do to mitigate risk.
Amid escalating global threats to critical infrastructure, a new malware specifically developed to disrupt industrial processes was discovered. PIPEDREAM is the seventh publicly known ICS-specific malware.
Since early 2022, Dragos has been analysing the capabilities of the PIPEDREAM malware, which was developed by a new threat group designated CHERNOVITE. Dragos assesses with high confidence PIPEDREAM was created for use in disruptive or destructive attacks against industrial control systems (ICS).
PIPEDREAM was discovered before it was employed, giving defenders a rare opportunity to prepare ahead of the attack. While initial targeting appears to have been liquefied natural gas and electric utilities, the malware is built so that it can operate against a wide variety of industrial controllers and systems.
PIPEDREAM is a malware toolkit composed of multiple utilities that can be used independently. Several components of PIPEDREAM target Schneider Electric and Omron controllers; the toolkit does not, however, rely on vulnerabilities specific to those product lines. PIPEDREAM components also leverage popular ICS network protocols such as ModbusTCP and OPC UA. The malware is sophisticated in that it abuses native functionality used in normal operations, which makes it harder to detect and allows it to spread from controller to controller.
The developers of PIPEDREAM are sophisticated, and CHERNOVITE demonstrates an advanced understanding of ICS hardware and protocols. However, a robust defence against this threat is possible by applying fundamental ICS cybersecurity practices such as a defensible architecture, an ICS-specific incident response plan, and ICS network monitoring.
Review Incident Response Plans – get moving now, not later
An Incident Response Plan (IRP) and a Collection Management Framework (CMF) are the starting point for incident response preparation and response. We recommend that asset owners have an OT-specific IRP. If you do not have one in place, use this as an impetus to construct one. While the IRP is being developed, defenders should gather insights from those responsible for the process environment and those who will be working on automation systems during restoration.
The CMF is a process that documents and institutionalises data sources available to defenders, including what information is available and how long that data is retained. This provides the baseline for identifying impacted assets and searching for potential threat behaviours. If you do not have a CMF, start building one and identify data sources that contain asset information and OT network traffic logs.
Find and address impacted systems
Incident Response (IR) begins with evidence collection. Defenders need to ensure quality collection capability is in place for the identified targeted systems. Teams should understand their roles and responsibilities and communicate with corresponding teams. Educate OT operations staff on the potential for cyber impacts on their environments, and ensure they are aware that they should report any concerns for investigation. Operations and automation staff should treat a cybersecurity incident as a possible explanation when deciding how to respond to odd behaviour they observe.
Establish a solid baseline of known “good” configurations
For Schneider and Omron PLCs specifically, having a full set of known “good” project files for the systems potentially affected by PIPEDREAM can help reduce the time for analysis of potentially malicious logic files found on Engineering Workstations (EWS). Operators should also ensure personnel are open to considering that a cybersecurity incident is a potential root cause during a fault analysis. This requires the OT operations team to quickly loop in the IR team during a fault analysis, with the IR team collecting forensic host and network data during any incident analysis to verify or rule out any malicious cyber activity that might have led to the malfunction.
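One way to operationalise the known-good baseline described above is a manifest of file hashes for the trusted project files, diffed against what is collected from an Engineering Workstation during fault analysis so that only changed or unexpected files need manual logic review. This is an added example, not Dragos tooling or anything from the PIPEDREAM report; the directory layout, file names and file contents are constructed for the demonstration.

```python
"""Added example (not Dragos tooling): check PLC project files collected from an
Engineering Workstation against a known-good baseline. File names are constructed."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large project archives need not fit in memory

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256.
    Run against the trusted project files while the systems are known clean."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(manifest: dict[str, str], ews_dir: Path) -> dict[str, list[str]]:
    """Classify EWS files as modified, unexpected (absent from baseline) or missing.
    Only the 'modified' and 'unexpected' buckets need manual logic analysis."""
    found = build_manifest(ews_dir)
    report = {"modified": [], "unexpected": [], "missing": sorted(set(manifest) - set(found))}
    for rel, digest in found.items():
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif manifest[rel] != digest:
            report["modified"].append(rel)
    return report

def demo() -> dict[str, list[str]]:
    """Constructed sample: baseline vs. an EWS copy with one altered, one added and one missing file."""
    root = Path(tempfile.mkdtemp())
    good, ews = root / "baseline", root / "ews"
    (good / "omron").mkdir(parents=True)
    (ews / "omron").mkdir(parents=True)
    (good / "omron/line1.cxp").write_bytes(b"constructed Omron project")
    (ews / "omron/line1.cxp").write_bytes(b"constructed Omron project, logic altered")
    (good / "pump.stu").write_bytes(b"constructed Schneider project")
    (ews / "pump.stu").write_bytes(b"constructed Schneider project")
    (good / "valve.stu").write_bytes(b"only in the baseline")
    (ews / "new_logic.cxp").write_bytes(b"only on the EWS")
    return compare_to_baseline(build_manifest(good), ews)

if __name__ == "__main__":
    print(demo())
```

The manifest should be generated from a trusted source (version control or offline media), not from the workstation under investigation, and stored where a compromised EWS cannot alter it.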
Brief your Operations Team to be on the lookout
Operations teams are often the first line of detection during abnormal process changes or conditions. Dragos recommends OT security teams talk to operations employees to understand how to manage the environment under emergent operational conditions, especially under a loss of view condition. Teams should know when and how to safely shut down critical processes when HMI information is tampered with or simply unavailable.
Update and mature your Incident Response Plan
If you haven’t tested your disaster recovery or OT Incident Response Plans recently, you should consider facilitating a discussion-based scenario, such as a Tabletop Exercise, to ensure team members are well versed in the IRP, their roles, and overall preparedness for a potential incident. If you have limited internal incident response capabilities or lack an incident response plan tailored to ICS/OT, engage a trusted ICS incident response provider on a retainer.
For Dragos’s complete analysis on CHERNOVITE and the PIPEDREAM malware and for actionable guidance on what you can do to mitigate risk from an attack, download this whitepaper.