Malware intended to attack industrial control systems such as power grids, industrial facilities, water utilities and oil refineries is a unique breed of digital evil. When the U.S. government warns of a piece of software designed to attack not just one of those industries, but presumably all of them, critical infrastructure stakeholders around the world should take heed.
The U.S. Cybersecurity and Infrastructure Security Agency, the U.S. National Security Agency and the FBI issued a joint notice recently about a new hacker toolset that may be capable of interfering with a wide range of industrial control system hardware.
The malware contains more components designed to disrupt or take control of the functioning of devices than any prior industrial control system hacking toolkit. Those devices include programmable logic controllers (PLCs) sold by Schneider Electric and OMRON, which serve as the interface between traditional computers and the actuators and sensors in industrial settings.
"This is the most expansive industrial control system attack tool that anyone has ever documented," says Sergio Caltagirone, vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed information to the advisory and issued its own statement about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft and Schneider Electric also contributed to the advisory. "It's like a Swiss Army knife with a huge number of pieces to it."
Free-for-all toolkit proves worrisome
According to Dragos, the malware can derail target devices, disrupt or prevent operators from accessing them, indefinitely brick them, or even use them as a stepping stone to gain access to other parts of an industrial control system network. While the toolkit, dubbed "Pipedream" by Dragos, appears to specifically target Schneider Electric and OMRON PLCs, it does so by leveraging foundational software in those PLCs known as Codesys, which is used far more widely across hundreds of other types of PLCs.
The Pipedream malware toolkit is a unique addition to the small number of malware specimens discovered in the wild that target industrial control system (ICS) software. The most well-known example of this type of malware is Stuxnet, code developed by the U.S. and Israel that was discovered in 2010 after it was used to destroy nuclear enrichment centrifuges in Iran. In late 2016, Russian hackers known as Sandworm, who are part of the Kremlin's GRU military intelligence agency, used a tool called Industroyer or Crash Override to cause a power outage in the Ukrainian capital of Kyiv.