The Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI, the Department of Energy (DOE), and the National Security Agency (NSA), is warning that advanced persistent threat (APT) actors are seeking to gain full system access to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, according to a joint cybersecurity advisory issued April 13.
CISA and its partners warn that the APT actors have built custom tools to target ICS and SCADA systems. The agencies "urge critical infrastructure organizations," especially those in the energy sector, to implement the mitigation and detection measures included in the advisory immediately.
“The APT actors have developed custom-made tools for targeting ICS/SCADA devices,” the warning said. “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.”
CISA also warned that “additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities.”
The advisory warns that tools have been developed to exploit Schneider Electric MODICON and MODICON Nano programmable logic controllers (PLCs), OMRON Sysmac NJ and NX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
CISA said the tools let the APT actors run highly automated exploits against the targeted devices, enabling lower-skilled cyber actors to emulate the capabilities of higher-skilled ones. The actors could also deploy a tool that would ultimately allow them to move laterally within OT and IT environments.
CISA recommends that organizations isolate all ICS/SCADA systems and networks from corporate and internet networks with strong perimeter controls, enforce multi-factor authentication for all ICS networks and devices, and deploy a properly installed continuous monitoring solution for OT systems that logs and alerts on "malicious indicators and behaviors."
CISA also recommends that organizations change the passwords on all ICS/SCADA devices on a consistent schedule "to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks."
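The two monitoring recommendations above, network isolation and alerting on malicious behaviour, can be illustrated with a small log-analysis script. The following is an added example written for this article, not code from the CISA advisory or from any vendor monitoring product. It reads constructed connection records (timestamp, source, destination, destination port) and raises two kinds of alert: an ICS service port reached from a host outside the assumed OT segment (a segmentation violation), and one source touching many distinct PLC or OPC UA endpoints within a short window (the "scan for ... affected devices" behaviour the advisory describes). The port-to-protocol table, the 10.10.0.0/16 OT range, the sweep threshold and the log lines themselves are assumptions made for the example.

```python
"""Toy OT connection-log monitor (added example, not from the CISA advisory).

Alerts raised:
  * SEGMENTATION: a source outside the allowed OT segment reaches an ICS port.
  * SWEEP: one source touches SWEEP_THRESHOLD or more distinct ICS endpoints
    within SWEEP_WINDOW, which is what an automated device scan looks like.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed ICS service ports exposed by the devices under watch.
ICS_PORTS = {
    502: "Modbus/TCP",   # Schneider Electric Modicon PLCs
    9600: "OMRON FINS",  # OMRON Sysmac PLCs
    4840: "OPC UA",      # OPC UA servers
}

OT_ALLOWED = [ip_network("10.10.0.0/16")]  # assumed OT segment
SWEEP_THRESHOLD = 5                        # distinct ICS endpoints ...
SWEEP_WINDOW = timedelta(minutes=5)        # ... from one source in this window

# Constructed sample log: "<iso-timestamp> <src> <dst> <dport>".
# 192.168.50.7 is a corporate host; 10.10.3.9 sweeps the PLC range.
SAMPLE_LOG = """\
2022-04-13T09:00:01 10.10.1.5 10.10.20.11 502
2022-04-13T09:00:02 10.10.1.5 10.10.20.12 502
2022-04-13T09:00:15 192.168.50.7 10.10.20.11 502
2022-04-13T09:01:00 10.10.3.9 10.10.20.11 502
2022-04-13T09:01:01 10.10.3.9 10.10.20.12 502
2022-04-13T09:01:02 10.10.3.9 10.10.20.13 9600
2022-04-13T09:01:03 10.10.3.9 10.10.20.14 4840
2022-04-13T09:01:04 10.10.3.9 10.10.20.15 502
2022-04-13T09:01:05 10.10.3.9 10.10.20.16 502
2022-04-13T09:30:00 10.10.1.5 10.10.20.30 443
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), ip_address(src),
                       ip_address(dst), int(dport)))
    return events


def segmentation_alerts(events):
    """ICS ports must only be reached from the OT segment."""
    alerts = []
    for ts, src, dst, dport in events:
        if dport in ICS_PORTS and not any(src in net for net in OT_ALLOWED):
            alerts.append(f"{ts.isoformat()} SEGMENTATION {src} -> {dst}:{dport} "
                          f"({ICS_PORTS[dport]})")
    return alerts


def sweep_alerts(events):
    """Sliding window per source over distinct (dst, port) ICS endpoints."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(events, key=lambda e: e[0]):
        if dport in ICS_PORTS:
            by_src[src].append((ts, (dst, dport)))
    alerts = []
    for src, hits in by_src.items():
        for i, (ts, _) in enumerate(hits):
            window = {ep for t, ep in hits[i:] if t - ts <= SWEEP_WINDOW}
            if len(window) >= SWEEP_THRESHOLD:
                alerts.append(f"{ts.isoformat()} SWEEP {src} touched "
                              f"{len(window)} ICS endpoints within {SWEEP_WINDOW}")
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in segmentation_alerts(evs) + sweep_alerts(evs):
        print(a)
```

On the constructed log this flags the corporate host reaching a Modbus port and the single source that touched six ICS endpoints in five seconds, while the legitimate engineering host talking to two PLCs and an HTTPS service stays quiet. In practice the allowlist would come from the OT asset inventory and the thresholds would be tuned against the plant's normal polling patterns.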