- Are you a victim of a security incident? Contact our CERT
- +33 (0) 1 83 75 36 94
- alerte@cwatch.almond.consulting
Cyberattacks targeting OT systems
Although attacks targeting industrial companies have steadily increased in the last few years[1], this growth became exponential in recent weeks. In a global context of rising threats, industrial companies appear to be prime targets and face the proliferation of tools designed specifically to target their OT (Operational Technology) systems.
Among the recorded attacks, a ransomware paralyzed an anonymous natural gas compression installation in February of 2020. According to CISA, which helped this company handle the incident, the attacker gained access to the network through a Spearphishing campaign on the organization’s information system. Then, an unidentified ransomware was deployed on both networks, i.e. IT (Information Technology) and OT. No longer having the capability “to read and aggregate operational data in real time”, and the needs for availability and traceability being significant, it was decided to halt operations for about 2 days A loss of productivity and a financial impact were deplored.
More recently, in relation with the War in Ukraine, new attack tools targeting OT systems, and particularly industrial control systems (ICS), have emerged. Such Advanced Persistent Threats (APT) include INCONTROLLER (aka PIPEDREAM), which targets ICS and supervisory control and data acquisition (SCADA) devices on OT systems, including PLCs from Schneider Electric and Omron.
This set of tools appears to have capabilities for disruption, sabotage, and even physical destruction. The attack capability of this bespoke tool package is similar to that of the TRITON, STUXNET and INDUSTROYER malwares, the latter being the cause of the Ukraine power outage in 2016. A new version of INDUSTROYER, dubbed INDUSTROYER 2, is currently emerging.
INCONTROLLER is made up of three main tools: TAGRUN, CODECALL and OMSHELL.
| Tool | Description | Capabilities |
|---|---|---|
| TAGRUN | Scans for OPC servers, enumerates OPC structure/tags, brute forces credentials, and reads/writes OPC tag values. |
|
| CODECALL |
Framework that communicates using Modbus — one of the most common industrial protocols — and Codesys. CODECALL contains modules to interact with, scan, and attack at least three Schneider Electric programmable logic controllers (PLCs). |
|
| OMSHELL | Framework with capabilities to interact with and scan some types of Omron PLCs via HTTP, Telnet, and Omron FINS protocol. The tool can also interact with Omron’s servo drives, which use feedback control to deliver energy to motors for precision motion control. |
|
These bespoke tools allow the attacker to send personalized commands via industrial network protocols (OPC UA, Modbus, Codesys) in order to interrupt connections and force a new authentication of the user, perform denial of service, etc. Combined with two additional tools, currently under analysis, INCONTROLLER can be used to carry out an attack on Windows systems in IT and/or OT environments (exploitation of CVE-2020-15368 and deployment of a backdoor).
The potential impacts of these attacks in the real world, their tangible nature and quick correlation to human and financial losses make those tools interesting for different actors (states, criminals, hacktivists). This increased interest is reflected in the advanced skills of attackers, visible through the exploitation of purely industrial protocols mixed with attacks on IT systems, and explains the significant rise of serious attacks deplored on industrial systems.
The American and French authorities have each published an alert bulletin for critical infrastructures to encourage them to strengthen their security. They suggest some mitigation measures.
- Establish and maintain a detailed mapping of the OT network. Identify critical assets supporting business functions in order to react more quickly and efficiently in the event of an attack.
- Isolate SCADA systems and networks from corporate IT networks and the Internet. Limit any incoming or outgoing communication on ICS/SCADA perimeters.
- Limit SCADA system network connections to authorized management workstations only.
- Check the correct configuration of the firewall to restrict flows to those that are strictly essential.
- Reduce the exposure surface of industrial sites through IP filtering or deployment of a VPN.
- Check that anti-malware and intrusion prevention software are active on the workstations.
- Regularly change the passwords of equipment accessing the SCADA system. Use complex passwords.
- Implement the principle of least privilege.
- Keep the business continuity plans up to date.
- Formalize and test the incident response plan several times a year.
- Disable unused services and protocols.
- Implement collection and retention of logs from SCADA systems, routing, and filtering equipment.
- Ensure VPNs and other remote access systems are up to date.
- Protect Windows management systems by configuring Windows Defender Application Control (WDAC), Credential Guard, and Hypervisor Code Integrity (HVCI).
- Install detection and response (EDR) solutions on compatible equipment.
- Raise your teams’ cybersecurity awareness.
- Investigate denial of service behavior or connection cutoff, which result in delays in the processing of communications.
- If your company is the victim of an attack, contact the competent authorities for assistance (e.g. ANSSI in France, CISA in the United States).
- Define and apply a process for supervising third parties, on site or remotely, to secure supervision, administration, or maintenance activities.
Alban RECLY
GRC Consultant
François EHLY
GRC Manager
Chloé GREDOIRE
GRC Consultant
Witchel MERVEILLE
GRC Consultant
SOC CERT CWATCH Team
Find our latest expert opinions
written by our consultants
