Advanced Persistent Threat (APT) Actors Are Using Tools To Take Control of Certain ICS/SCADA Devices

  • Issue Date:

    April 14, 2022

  • Importance

    High

  • Summary

    The Cybersecurity and Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory (CSA) describing how advanced persistent threat (APT) actors are using tools to identify and take control of certain ICS/SCADA devices.

  • Systems Impacted

    Certain Schneider Electric MODICON PLC models, certain OMRON PLC models and Open Platform Communications Unified Architecture (OPC UA) servers.

Advisory Details

OPC UA servers are the focus of this Mangan Cybersecurity advisory.

OPC UA servers are a platform that provides one or more protocol communication drivers between the field devices and an automation software application. For example, an Ignition server connects to and establishes a session with a Kepware server to acquire data from, and control, a flow computer through a Modbus TCP/IP interface. This CISA CSA raises awareness of the OPC UA server feature that allows users to inspect the I/O values and, in most cases, to modify and overwrite the device values. The advisory emphasizes that the tools implemented by the APT actors, called Pipedream, can locate the OPC UA server and then hijack the data view presented at the end-use application. The APT actors gain access to the OPC UA server by way of previously compromised credentials or persistent use of default credentials. Further, the tools enable lower-skilled actors to attack the network architecture.

Actions and/or Recommendations

The Mangan Cybersecurity ICSSbD Toolkit will adjust the exposed threats to raise the risk ranking, because these tools lower the capability required of an attacker.

Further quality control directives require that project dependencies on any vendor OPC UA server must include deliverables to:

  • Enforce multifactor authentication for all remote access to the Operational Technology network.
  • Assure all device default passwords are reconfigured before handover, and provide the relevant client stakeholders with a schedule-based password change process.

OT monitoring has the potential to inspect for and alert on potential and actual malicious behaviors.
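As an added illustration of the OT monitoring recommendation (example code, not part of the Mangan advisory or any vendor product), the following detector scans OPC UA server audit records for the two behaviors the advisory highlights: sessions opened with default or anonymous accounts, and node-value writes from a client other than the expected automation application (the hijacked data view). The `key=value` record format, the allow-listed Ignition server address and the default account names are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allow list: the only client expected to write node values,
# standing in for the Ignition server described in the advisory.
AUTHORIZED_WRITERS = {"10.10.1.20"}

# Constructed default/anonymous account names that must not appear after handover.
DEFAULT_ACCOUNTS = {"admin", "administrator", "Anonymous"}


@dataclass
class Alert:
    severity: str
    reason: str
    record: Dict[str, str]


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value' audit line.
    Splitting on the first '=' keeps OPC UA node ids like 'ns=2;s=...' intact."""
    return dict(token.split("=", 1) for token in line.split())


def evaluate(record: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert when the record matches a monitored behavior."""
    event = record.get("event")
    if event == "session_open" and record.get("user") in DEFAULT_ACCOUNTS:
        return Alert("high", "session opened with default/anonymous account", record)
    if event == "write" and record.get("client") not in AUTHORIZED_WRITERS:
        return Alert("critical", "node write from unauthorized client", record)
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Evaluate every non-empty audit line and collect the alerts."""
    alerts = [evaluate(parse_record(ln)) for ln in lines if ln.strip()]
    return [a for a in alerts if a is not None]


# Constructed sample audit records: a legitimate Ignition session, then an
# anonymous session that overwrites a flow computer setpoint.
SAMPLE_LOG = """\
event=session_open client=10.10.1.20 user=ignition_svc
event=read client=10.10.1.20 node=ns=2;s=FlowComputer.PV
event=session_open client=10.10.9.77 user=Anonymous
event=write client=10.10.9.77 node=ns=2;s=FlowComputer.SP value=0.0
event=write client=10.10.1.20 node=ns=2;s=FlowComputer.SP value=42.5
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.severity, alert.reason, alert.record["client"])
```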

About REAL Matters and Mangan Inc.

REAL Matters advisories are published to communicate cybersecurity threats and risks within the Operational Technology (OT) environment and where Critical Infrastructure vulnerabilities are identified. The purpose of this newsletter is to inform, propose suggested approaches to mitigate the risk as well as provide feedback on how Mangan Cybersecurity is approaching the issue(s) addressed.

Mangan Inc. is a nationally recognized Specialty Engineering, Automation, and Integration company, providing a full range of services to the Oil & Gas, Refining, Pipeline, Chemicals, and Life Sciences Industries. Established in Long Beach, California in 1990, Mangan’s multiple office locations include sites in California, Georgia, New Hampshire, North Carolina, Texas, and Louisiana. Mangan’s 350+ employee-owners bring expertise, innovation, and safety as their core mission to some of the largest companies in the world.