The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices. This includes:
- Schneider Electric programmable logic controllers (PLCs),
- OMRON Sysmac NEX PLCs, and
- Open Platform Communications Unified Architecture (OPC UA) servers.
The APT threat actors have developed custom-made tools for targeting ICS/SCADA devices. The custom tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. The threat actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities.
By compromising and maintaining full system access to ICS/SCADA devices, APT threat actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
The DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices.
Mitigations Suggested by the DOE, CISA, NSA, and the FBI
DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:
- Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
- Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
- Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
- Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
- Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
- Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
- Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong antivirus file reputation settings are configured.
- Implement robust log collection and retention from ICS/SCADA systems and management subnets.
- Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement.
- For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
- Ensure all applications are only installed when necessary for operation.
- Enforce the principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
- Investigate symptoms of a denial of service or connection severing (delays in communications processing, loss of function requiring a reboot, and delayed responses to operator commands) as signs of potential malicious activity.
- Monitor systems for loading of unusual drivers, especially for ASRock drivers, if no ASRock driver is normally used on the system.
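The backup-integrity mitigation above (hashing and integrity checks on firmware and controller configuration files) as a worked example. This is added code, not part of the advisory or of Infoblox's products; the file names, directory layout and contents are constructed placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: build a known-good SHA-256 manifest of offline controller
# backups, then verify the backup set against it, reporting files that were
# modified, that disappeared, or that were never part of the baseline.

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large firmware images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_root: Path) -> dict:
    """Hash every file under the backup root, keyed by its relative POSIX path."""
    return {p.relative_to(backup_root).as_posix(): sha256_of(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}

def verify_backups(backup_root: Path, manifest: dict) -> dict:
    """Compare the current backup set against the stored manifest."""
    current = build_manifest(backup_root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }

def demo() -> dict:
    """Constructed scenario: take a baseline, then alter the backup set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plc01").mkdir()
        (root / "plc01" / "program.bin").write_bytes(b"\x01\x02\x03 constructed ladder logic")
        (root / "plc01" / "config.xml").write_text("<config><ip>10.0.0.5</ip></config>")
        manifest = build_manifest(root)  # known-good baseline, to be stored offline
        # Simulate a changed configuration, a deleted program and a stray file.
        (root / "plc01" / "config.xml").write_text("<config><ip>10.0.0.99</ip></config>")
        (root / "plc01" / "program.bin").unlink()
        (root / "plc01" / "extra.bin").write_bytes(b"not in baseline")
        return verify_backups(root, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself must be kept with the offline backups (or signed) so that an attacker who can alter a configuration file cannot also rewrite its expected hash.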
The Domain Name System (DNS) is Almost Always Involved in ICS/SCADA Attacks
DNS is involved in most cyberattacks. According to a 2020 International Data Corporation (IDC) report, 79% of organizations had experienced a cyberattack that involved DNS. Why? Because DNS is at the very heart of the internet. DNS is the first component of the IP network that a newly connected piece of equipment uses: whether it is a phone, a computer, an IP camera, or any other type of terminal, the first thing a device does to reach the Internet is send a DNS request. For these reasons, DNS traffic is often used as a covert channel into and out of the network during a cyberattack. This technique, amongst many others leveraging DNS, is called DNS tunneling (MITRE ATT&CK Technique T1572, Protocol Tunneling).
DNS-based attacks go far beyond DNS tunneling. Today we see the use of fake domain names that are generated automatically to support new attacks. These newly observed domains (NODs) are very difficult to detect.
DNS security is designed to prevent users from connecting to malicious destinations. DNS security also detects anomalous behaviors in the network such as command-and-control (C&C) communications, phishing, advanced persistent threat activity, domain generation algorithm (DGA) activity, botnet communications, and data exfiltration, along with DNS tunneling.
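Two of the DNS behaviors described above, tunneling (many long, high-entropy subdomains under one zone) and DGA-style names (high-entropy second-level labels), scored over query logs. This is an added example, not Infoblox code; the log lines, field layout and thresholds are constructed for illustration and are not tuned for production use.

```python
import math
from collections import defaultdict

# Constructed DNS query log: timestamp, client IP, query type, query name.
SAMPLE_LOG = """\
2022-04-13T10:00:01 10.20.0.15 A ntp.example.com
2022-04-13T10:00:02 10.20.0.15 A www.example.com
2022-04-13T10:00:03 10.20.0.42 TXT 4a6f686e20446f65.3a2f2f7061737377.data.tunnel-example.net
2022-04-13T10:00:04 10.20.0.42 TXT 9f8e7d6c5b4a3929.1e2d3c4b5a697887.data.tunnel-example.net
2022-04-13T10:00:05 10.20.0.42 TXT a1b2c3d4e5f60718.f0e1d2c3b4a59687.data.tunnel-example.net
2022-04-13T10:00:06 10.20.0.77 A xk3jq9vz7w2lpc.com
"""

def entropy(s: str) -> float:
    """Shannon entropy of a label in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(name: str) -> str:
    """Last two labels; sufficient for the .com/.net names used here (assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def analyze(log: str, min_subdomains: int = 3, min_sub_len: int = 30,
            entropy_threshold: float = 3.5) -> dict:
    """Flag zones that look like tunnels and query names that look DGA-generated."""
    per_zone = defaultdict(lambda: {"subdomains": set(), "max_len": 0})
    dga_like = set()
    for line in log.splitlines():
        _ts, _client, _qtype, qname = line.split()
        zone = registered_domain(qname)
        rec = per_zone[zone]
        # Everything left of the registered domain is attacker-controllable payload.
        sub = qname[: -len(zone) - 1] if len(qname) > len(zone) else ""
        if sub:
            rec["subdomains"].add(sub)
            rec["max_len"] = max(rec["max_len"], len(sub))
        sld = zone.split(".")[0]
        if len(sld) >= 12 and entropy(sld) >= entropy_threshold:
            dga_like.add(qname)
    tunneling = sorted(z for z, r in per_zone.items()
                       if len(r["subdomains"]) >= min_subdomains and r["max_len"] >= min_sub_len)
    return {"tunneling_zones": tunneling, "dga_like_queries": sorted(dga_like)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A real deployment would use a public-suffix list instead of the two-label heuristic and would baseline entropy and query volume per client rather than using fixed thresholds.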
DNS security solutions such as BloxOne® Threat Defense combine advanced analytics based on machine learning, highly accurate aggregated threat intelligence, and automation to detect and prevent a broad range of threats, including DGA families, data exfiltration, look-alike domain use, and many others.
Most importantly, BloxOne Threat Defense provides important support for Security Orchestration, Automation, and Response (SOAR) integration. SOAR is critical for providing enterprise security systems, ITSM solutions, vulnerability scanners, and other security ecosystem tools with the data that can in turn trigger remediation actions automatically when any malicious or highly anomalous activity is detected.
DNS logs are a very useful source of contextual data that can aid in the investigation of any security event. DNS logs provide a highly effective way to see what resources a client has been accessing over time. The DHCP “fingerprint” and IPAM metadata provide contextual information on compromised devices such as device type, OS information, network location, and current and historical IP address allocations. All this information helps with event correlation and with understanding the scope of a breach.
BloxOne Threat Defense (B1TD) is a cloud-managed, hybrid DNS security solution that protects users and devices on-premises within the enterprise network, while roaming or remote, and in the cloud. B1TD blocks DNS-based malware, including ransomware, communications with command-and-control servers, data exfiltration, and more. BloxOne Threat Defense provides AI/ML-based analytics, threat intelligence, and automation to detect and stop a wide variety of threats, including domain generation algorithm (DGA) activity, data exfiltration, look-alike domains, and many other types of attacks that leverage DNS.
To find out more about BloxOne Threat Defense: https://www.infoblox.com/products/bloxone-threat-defense/
You can find the full cybersecurity joint advisory alert here: https://www.cisa.gov/uscert/ncas/alerts/aa22-103a