CISA, FBI Warn of APT Cyber Tools Affecting ICS/SCADA Devices

April 15, 2022 - Advanced persistent threat (APT) actors have developed tools made specifically for targeting industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, the Cybersecurity and Infrastructure Security Agency warned.

Along with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Department of Energy (DOE), CISA issued an advisory to alert critical infrastructure entities about the APT cyber tools.

Threat actors demonstrated the ability to gain full access to multiple ICS/SCADA devices, including OMRON Sysmac NEX PLCs, Schneider Electric programable logic controllers (PLCs), and Open Platform Communications Unified Architecture (OPC UA) servers.

“The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network,” the advisory stated.

“Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities.”

If successfully exploited, threat actors can elevate privileges, disrupt critical functions and move laterally within an OT environment.

The energy sector is most vulnerable to these exploits, but the advisory urged all critical infrastructure organizations to implement detection and mitigation measures.

In a recent report, Claroty observed an uptick in healthcare IoT, IT, and medical device vulnerability disclosures, signaling a need for better ICS security. ICS vulnerability disclosures grew by 110 percent over the last four years, with a 25 percent increase in the latter half of 2021 alone.

In addition, CISA recently released an advisory regarding the LifePoint Informatics patient portal and specifically stressed the importance of ICS security. The agency directed organizations toward its ICS security best practices and resources and encouraged all critical infrastructure entities to adopt defense in depth strategies to improve ICS security.

The newly disclosed APT cyber tools further emphasized a need for enhanced ICS security controls across critical infrastructure. CISA recommended that organizations take the following actions to protect ICS/SCADA devices:

• Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
• Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
• Leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors.

CISA also recommended that organizations implement a thorough cyber incident response plan, enforce the principle of least privilege, and maintain offline backups.