Certain advanced persistent threat (APT) actors have exhibited the ability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) said in a joint Cybersecurity Advisory (CSA).
The modular architecture of Pipedream coupled with an ability to conduct highly automated exploits against devices makes Pipedream particularly dangerous. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device, according to the alert. Cybercriminals can scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents and modify device parameters, the agencies noted.
There is no evidence of compromise just yet. However, the CSA also notes that Pipedream is designed to enable lower-skilled cyber actors to emulate the capabilities of higher-skilled actors. Cybersecurity teams should assume that cybercriminals are gearing up to operationalize ICS attacks in much the same way that ransomware-as-a-service platforms now enable cybercrime gangs to launch cyberattacks at scale.
Concerns about the security of operational technology (OT) environments, which typically revolve around some type of ICS, can be traced back to the discovery of Stuxnet, a malicious worm that targeted supervisory control and data acquisition (SCADA) systems used by Iran as part of its nuclear weapons program.
Stuxnet worked by targeting Windows machines running Siemens Step7 software, which is used to program programmable logic controllers. In total, seven types of ICS malware have been discovered. This latest alert is potentially more concerning because Pipedream can affect most ICS platforms, including Omron and Schneider Electric devices as well as Modbus, CODESYS and OPC UA. Pipedream itself is being attributed to Chernovite, an APT group that specializes in developing ICS malware. Although it has not yet been discovered in any environment, the time and effort required to find and remove instances of Pipedream could wind up being quite substantial.
In the meantime, cybersecurity teams would be well advised to become more familiar with OT platforms. Historically, many of the OT systems in place today were not initially connected to the Internet. With the rise of Internet of Things (IoT) applications, many more of them now are. However, the OT teams tasked with managing these platforms don’t tend to have a lot of cybersecurity expertise. They often count on IT security teams for help, but those IT security teams are already overwhelmed. The challenge is that IT security teams simply don’t have the time or tools needed to take on responsibility for OT security as well.
The simple truth is that OT security may get worse should automated ICS attacks become more common. In fact, it’s now little more than a race against time before the next variant of Pipedream, one that makes it much simpler to launch these types of attacks at scale, inevitably becomes much more widely employed.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.