How Network Segmentation Can Mitigate PipeDream Attacks on Critical Infrastructure

2022-05-17 Keysight
network segmentation,PipeDream,Advisory AA22-103A,KEYSIGHT

If your air-gapped OT network dodged the SolarWinds hack, skated past the Log4j vulnerability, and avoided the Okta breach, that's excellent, but you should still check out PipeDream.


PipeDream, more nightmare than vain hope, is reported by Dragos to be capable of executing 38% of the known MITRE ATT&CK for ICS techniques and 83% of the known ICS tactics.


Recently identified by Dragos, and by Mandiant working with Schneider Electric (Mandiant tracks it as INCONTROLLER), PipeDream is not a single piece of malware but a customizable, modular malware toolkit that, in its current version, can operate Schneider Electric and Omron PLCs as well as other industrial PLCs and industrial software. PipeDream attacks common technologies such as CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA).



Affected products include the following:

◆ Schneider Electric Modicon and Modicon Nano PLCs

◆ Omron Sysmac NJ and NX PLCs

◆ OPC UA servers


What is PipeDream?

CISA warns that PipeDream's customizable tools let attackers scan for, compromise, and control affected ICS/SCADA devices on an OT network. Once inside your OT network, the tools enable lateral movement within the OT environment (and, via compromised engineering workstations, the IT environment), reconnaissance of device details, upload of malicious configuration or code, backup and restore of device contents, and modification of device parameters.


PipeDream has modules for Schneider Electric capable of:

◆ A rapid discovery scan, via UDP multicast to destination port 27127, to identify Schneider PLCs on the local network

◆ Brute-force attacks on PLC passwords using CODESYS over port 1740

◆ A denial-of-service (DoS) attack to prevent network communications with the affected PLC

◆ Severing connections so that users must re-authenticate to the PLC, likely to capture credentials

◆ A "packet of death" attack that crashes the PLC until it is power-cycled and its configuration recovered

◆ Transmission of custom Modbus commands to the PLC (a module that may also work against other vendors' Modbus TCP devices)


PipeDream also has modules for Omron devices that give attackers the ability to:

◆ Scan for Omron devices using the FINS protocol

◆ Parse HTTP responses sent from Omron devices

◆ Retrieve the MAC address of Omron devices

◆ Poll for specific devices connected to the PLC

◆ Back up and restore arbitrary files to/from the PLC

◆ Upload a custom agent onto the PLC to allow file manipulation, packet capture, and remote code execution


Not to be left out, PipeDream also has modules for OPC UA that can:

◆ Identify OPC UA servers

◆ Connect to OPC UA servers using default or previously compromised credentials

◆ Read the OPC UA structure from the server

◆ Write tag values exposed via OPC UA


CISA Joint Cybersecurity Advisory AA22-103A includes a call-out box on page one titled Actions to Take Today, which lists:

(1) enforcing multifactor authentication for all remote access to ICS networks and devices,

(2) changing ICS/SCADA device and system passwords on a regular schedule, and

(3) deploying a continuous OT network monitoring solution that logs and alerts on malicious indicators and behaviors.

Note that this section is not called Things You Can Complete in a Single Day.


Advisory AA22-103A also includes a Mitigations section on page 3 with more than a dozen recommendations, the first of which is to isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and to limit any communications entering or leaving ICS/SCADA perimeters. That isolation is one part of a larger strategy called Network Segmentation, and Network Segmentation is in turn just one component of the robust strategy needed to defend OT and Critical Infrastructure. It's a hot topic, but more importantly, according to Patrick Miller, CEO of Ampere Industrial Security, "it's in Executive Orders, it's in Standards, it's in Regulations, and the National Security Memo…".
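To make the perimeter control concrete, here is an added example (not code from the Keysight article, CISA, or the PipeDream analyses) that checks observed inter-zone network flows against a default-deny segmentation policy and annotates any violation whose destination port matches one the PipeDream modules use. The zone layout, the allow list, and the flow records are constructed for this example. The Schneider discovery port (UDP 27127) and the CODESYS brute-force port (1740) are taken from AA22-103A; FINS 9600 and OPC UA 4840 are the protocols' registered defaults; treating the CODESYS brute force as UDP is an assumption.

```python
import ipaddress

# Constructed zone map for a hypothetical plant; replace with your own addressing plan.
ZONES = {
    "corporate-it": ipaddress.ip_network("10.10.0.0/16"),
    "ot-dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot-control": ipaddress.ip_network("192.168.100.0/24"),  # engineering workstations, historians
    "ot-field": ipaddress.ip_network("192.168.200.0/24"),    # PLCs and OPC UA servers
}

# Ports tied to the PipeDream modules described in AA22-103A, plus the protocols'
# registered defaults (FINS 9600, OPC UA 4840). UDP for the CODESYS brute force is an assumption.
PIPEDREAM_PORTS = {
    ("udp", 27127): "Schneider PLC discovery (UDP multicast to 27127)",
    ("udp", 1740): "CODESYS password brute force",
    ("tcp", 502): "custom Modbus/TCP commands",
    ("udp", 9600): "Omron FINS scan",
    ("tcp", 9600): "Omron FINS scan",
    ("tcp", 4840): "OPC UA structure read / tag write",
}

# Allow list for traffic that crosses a zone boundary. Anything not listed is denied,
# which is the "limit any communications entering or leaving the perimeter" rule in code.
ALLOW = {
    ("ot-control", "ot-field", "tcp", 502),   # engineering workstation -> PLC, Modbus/TCP
    ("ot-control", "ot-field", "tcp", 4840),  # engineering workstation -> OPC UA server
    ("ot-control", "ot-field", "udp", 9600),  # engineering workstation -> Omron PLC, FINS
    ("corporate-it", "ot-dmz", "tcp", 443),   # IT reaches the DMZ over HTTPS only
    ("ot-dmz", "ot-control", "tcp", 443),     # DMZ relays into the control zone over HTTPS only
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; multicast gets its own pseudo-zone so scans are visible."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str):
    """Parse a simplified 'src,dst,proto,dport' flow record (NetFlow/firewall export style)."""
    src, dst, proto, dport = (field.strip() for field in line.split(","))
    return src, dst, proto.lower(), int(dport)


def evaluate(lines):
    """Return every flow that crosses a zone boundary without an allow-list entry."""
    findings = []
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic never touches the perimeter; out of scope here
        if (src_zone, dst_zone, proto, dport) in ALLOW:
            continue
        hint = PIPEDREAM_PORTS.get((proto, dport), "non-ICS port crossing a segment boundary")
        findings.append({
            "src": src, "dst": dst, "path": f"{src_zone}->{dst_zone}",
            "proto": proto, "dport": dport, "hint": hint,
        })
    return findings


# Constructed sample flows, one per line, in the order a collector might emit them.
SAMPLE_FLOWS = [
    "192.168.100.10,192.168.200.21,tcp,502",   # allowed: engineering workstation -> PLC
    "10.10.5.44,192.168.200.21,tcp,502",       # violation: corporate host speaking Modbus to a PLC
    "10.10.5.44,239.255.0.1,udp,27127",        # violation: Schneider discovery multicast from IT
    "192.168.100.10,192.168.200.30,tcp,4840",  # allowed: engineering workstation -> OPC UA
    "10.20.0.5,192.168.200.30,tcp,4840",       # violation: DMZ host reading OPC UA directly
    "192.168.200.21,192.168.200.22,udp,9600",  # intra-zone FINS, skipped
    "10.10.5.44,10.20.0.5,tcp,443",            # allowed: IT -> DMZ over HTTPS
    "10.10.5.44,192.168.200.21,tcp,22",        # violation: IT -> PLC on a non-ICS port
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_FLOWS):
        print(f"{finding['path']:24} {finding['proto']}/{finding['dport']:<5} "
              f"{finding['src']} -> {finding['dst']}: {finding['hint']}")
```

Run it over a day of flow records from the firewalls that sit on your OT perimeter. An empty result is evidence the segmentation is holding; a hit on UDP 27127 or 1740 from the corporate zone means something is reaching for Schneider PLCs across a boundary that should have stopped it, and a hit on 502 or 4840 from anywhere but the engineering zone is a direct signal to chase down.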


With all the attention Critical Infrastructure has received since the Colonial Pipeline attack on May 7, 2021, Network Segmentation is an Action to Take Today.

