The recent discovery of a malware framework — referred to as both Pipedream and Incontroller — targeting industrial control systems (ICS) highlights what can happens when everything goes right, ICS security professionals stressed at a panel discussion hosted by the Atlantic Council on April 22.
Unlike as in previous attacks, cybersecurity experts detected components of the malware, researching the attackers' techniques, and erected defenses against Pipedream, before it was even deployed. In its current state, the framework boasts capabilities that can scan for and communicate with some programmable logic controllers from Schneider Electric and Omron, as well as scan and profile unified communication servers based on the OPC Unified Architecture specification.
The expertise and capabilities encapsulated in the framework point to a nation-state actor as the source, making the coordinated investigation a significant win, and the best argument for the return on investment (ROI) of cybersecurity, says Danielle Jablanski, operational technology cybersecurity strategist at Nozomi Networks and a former consultant for the US Department of Defense.
"For terrorism, we can never talk about [the successes], because they are classified," she says. "But this is the best potential ROI that we have seen, because [Pipedream] did not actually become operational, and now we can learn from it."
On April 14, managed response firm Mandiant and ICS specialist Dragos released separate reports on the ICS framework, which they dubbed Incontroller and Pipedream, respectively. The cyber-espionage and attack framework is the seventh attacker tool set to specifically target industrial control systems, but the second to be disclosed in April. On April 12, cybersecurity firm ESET announced that the company had worked with a Ukrainian energy provider to mitigate an attack by Industroyer 2 the previous month.
While cybersecurity experts have been reticent to attribute the attacks to Russia, the links between their targeted and the current Russian invasion of Ukraine have suggested that the nation is the most likely sponsor. While the country might be hesitant to attack critical infrastructure, Russia has not had any qualms about supporting ransomware attacks, says Bryson Bort, CEO and founder of Scythe and a panelist.
"I don't think Russia will attack us directly [targeting] industrial control systems, because that is going to invite a military response, which they cannot afford — they have enough on their hands already," he says. "But I'm surprised that they have not amped up ransomware against our private industry."
The panel discussion featured a variety of government and industry experts who also serve as fellows in the Cyber Statecraft Initiative, which is part of the Atlantic Council's Scowcroft Center for Strategy and Security.
For Attackers, ICS is a Shopping Mall
The concern over Pipedream is not because it contains exploits for zero-day vulnerabilities, but because the tool set is tailor-made to operate within common ICS environments. The analyses list three (Mandiant) to five (Dragos) components making up the attack framework, targeting Schneider Electric programmable logic controllers (PLCs), Omron PLCs, and unified communication servers using the Open Platform Communications (OPC) specification.
The attackers are not exploiting vulnerabilities in the products, but problems in the interoperation that leads to security issues, says Scythe's Bort.
"This is a vulnerability in the architectural ecosystem and design of the industrial control systems, period," he says. "Attacks like this show how flat the [network] architecture actually is, and that really is the true vulnerability in the design, and that is a generational problem — it is not the kind of thing that we can say, oh, we are going to patch that and fix it — we have to switch this equipment out over the next 10, 20, and 30 years."
Megan Samford, vice president and chief product security officer at Schneider Electric and a panel member, underscored that the problem was not a software vulnerability. Instead, the tool set focused on specific vendors because those vendors are likely in the targeted networks.
"If you could imagine a shopping mall being built, and you can see that there is a Schneider store and there is an Omron store, but there are probably 20 other stores that could be built out — that is really what this was," she says. "So our products were in the framework, not because of a weakness, but because of out global scale and our products operate and support critical infrastructure locally."
Currently, there are seven known attacker frameworks that have targeted industrial control systems: Stuxnet, Havex, Black Energy 2, Industroyer/CrashOverride, HatMan/Triton/Trisys, Industroyer 2, and Pipedream/Incontroller. While Stuxnet has been attributed to a joint US-Israeli effort, all six of the other frameworks have been linked, to varying degrees, to Russian efforts.
"What we now know for sure is that our adversaries have done their homework," Nozomi Networks' Jablanski says. "There are seven focused, technology-specific incidents that we have seen targeting the hardware and software that we talk about in OT and ICS ... but that does not capture the full range of actors that are looking at industrial operations."
In addition to the United States and Russia, China is know to have tools that target industrial control systems as well, the experts said.