News In Context

U.S. Warns That Hackers Are Poised To Hijack Critical Infrastructure

photo by Mihaly Koles

Sophisticated hackers have demonstrated that they have cyber tools that can take control of an array of devices that help run power stations and manufacturing plants, the U.S. government said in an April 13 alert, warning of the potential for them to harm critical infrastructure.

The malicious software, known as Pipedream, could end up being a nightmare for industry and governments.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a joint advisory saying the hackers have the ability to affect a type of device called programmable logic controllers common across a variety of industries – from gas to food production plants – but Robert Lee, chief executive of cybersecurity firm Dragos, which helped uncover the malware, told Reuters researchers believed the hackers’ intended targets are liquefied natural gas and electric facilities.

Programmable logic controllers, or PLCs, are embedded in a huge number of plants and factories and any interference with their operation has the potential to cause harm, from shutdowns to blackouts to chemical leaks, wrecked equipment or even explosions.

In its alert, the CISA urged critical infrastructure organizations, “especially energy sector organizations,” to implement a series of recommendations aimed at blocking and detecting Pipedream.

The “threat actors”, who were not identified, “exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices,” says the warning, including:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

The warning said the hackers have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network, according to the CISA alert. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, hackers could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

The U.S. Department of Energy, along with CISA, NSA, and the FBI, urges critical infrastructure organizations to implement the detection and mitigation recommendations provided in the advisory to detect potential malicious activity and protect their ICS/SCADA devices.

Sergio Caltagirone, Dragos’ vice president of threat intelligence, told Reuters that Pipedream could be understood as a “toolbox” of different hacking tools. Each component offers a different way to subvert normal controls, giving the hackers a variety of options to launch attacks.

For example, Caltagirone said that one of the tools within Pipedream would have allowed the attackers to damage Schneider Electric’s PLC in such a way that it would need to be entirely replaced.

“Because of existing supply chain challenges it could take longer to get replacement controllers after such an attack,” Caltagirone said. “What this means is a liquefied natural gas facility might be out of commission for months.”

The warning came the same week that Trellix, another U.S. cybersecurity company, released a global Cyber Readiness Report that says that critical infrastructure providers around the world lack advanced cyber protection.

The study, based on research conducted globally by Vanson Bourne, surveyed 900 cybersecurity professionals from organizations with 500 or more employees in the U.S., Germany, the United Kingdom, France and Asia Pacific.

Survey respondents identified a variety of barriers to implementation of advanced technologies, including a cybersecurity talent shortage: 48% of Germans, 41% of British and 35% of French respondents acknowledged a lack of in-house cyber skills as a key challenge to their implementation efforts. Around a third of each group also identified a lack of implementation expertise as a key barrier. These findings mirrored cybersecurity skills shortages in the U.S. and Asia Pacific. The lack of in-house cyber skills was blamed by over half of U.S. non-federal agencies running systems supporting local infrastructure and emergency services (51%) and respondents from the oil and gas sector (55%) for why their cyber defenses were not fully deployed.

The survey found that despite high-profile breaches, many critical infrastructure providers, particularly those in U.S. oil and gas, healthcare and state and local governments in charge of emergency services, have not yet fully implemented cybersecurity best practices. For example, three-quarters (75%) of respondents from the oil and gas sector admitted they had not yet deployed multifactor authentication.

In addition, many critical infrastructure providers reported that they had not fully implemented sufficient supply chain risk management policies and processes, which is a particular concern following the SolarWinds and Microsoft Hafnium breaches in 2020 and 2021. Nearly three-quarters (74%) of healthcare providers admitted they have not taken sufficient protective measures.

CISA, which is part of the U.S. Department of Homeland Security, has designated 16 sectors, ranging from banks and financial institutions to hospitals and election systems, as critical. The agency works with private sector partners in each of these sectors to share intelligence and help them boost security measures.

However, critical infrastructure providers surveyed by Trellix called for the U.S. government to share more threat intelligence, with nearly all (95%) of survey respondents in the oil and gas industry saying there was room for improvement in the cyber threat data shared by their federal partners.

“How do we continue to mature the way the government engages with critical infrastructure — particularly those entities that are the most critical of the critical?” Rep. Yvette D. Clarke, chairwoman of the U.S. Congressional subcommittee on Cybersecurity, Infrastructure Protection and Innovation of the House Homeland Security Committee asked at a recent hearing. “From where I’m sitting, one thing is clear, the U.S. desperately needs to revamp the playbook it uses for critical infrastructure cybersecurity.”

The Trellix survey shows 87% of respondents from Germany, France and the U.K. believe formalized, government-led initiatives can play an important role in improving their nations’ protection against cyber threats. Respondents from these countries said they see opportunities for improvement in their partnerships with government in areas such as cyber defense coordination, threat information sharing and software supply chain integrity.

IN OTHER NEWS THIS WEEK:

FINANCIAL SERVICES

Mastercard Files Trademarks In The Metaverse

Mastercard has filed 15 NFT and metaverse trademark applications as part of a wide-ranging plan to extend its payment processing system, slogans and branding into the new virtual economy. Rival card scheme American Express has also registered its name, logo, and slogans for a range of banking services in the virtual world. Other blue chip brands setting up shop in the metaverse include JPMorgan, HSBC, CaixaBank’s imagin, Siam Commercial Bank and Walmart.

MOBILITY

Bosch Buys Five AI To Accelerate Autonomous Driving Push

German multinational engineering company Bosch has acquired U.K.-based self-driving software company Five AI for an undisclosed amount. Five AI builds self-driving software components and development platforms to combat the biggest problems in the self-driving car space. The acquisition marks Bosch’s latest foray into the autonomous vehicle market. The company, best-known for dishwashers, ovens and other home appliances, has an automated mobility division developing driver assistance systems. The company has already created the first production-ready driving function for automated valet parking.

WEB3

Sony, Lego To Put $2 Billion Into Epic Games Metaverse Effort

Japanese giant Sony and Lego’s Danish parent firm announced Monday a $2 billion investment in US gaming powerhouse Epic Games for its work toward joining the metaverse vision for the internet’s future. Scores of tech firms have been rushing to invest in building the metaverse, a loose term covering the growing eco-system of interactive online worlds, games and 3D meeting places that are already attracting millions of users. The $2 billion in funding is aimed at advancing Epic’s “vision to build the metaverse and support its continued growth,” the three firms said in a joint statement.

Crypto Giant Binance Sets Its Sights On France

Binance, the world’s biggest cryptocurrency exchange, has set its sights on France and announced it will help develop Web3 and blockchain projects in Paris. Binance boss Changpeng Zhao, nicknamed “CZ”, said at the Paris Blockchain Week Summit event on April 13 that France can become the Web3 and cryptocurrency leader of the future. “I think France has one of the most progressive and open-minded governments that could help in developing pro-crypto regulations,” Zhao said, adding that the country is uniquely positioned in terms of regulation and talent.

INNOVATION

The First Lens Is Fabricated In Space

The first lens was fabricated in space this week, using innovative technology developed at the Technion – Israel Institute of Technology. The fluidic shaping method, developed by the lab of Prof. Moran Bercovici, in collaboration with NASA, could revolutionize space optics by fabricating giant lenses for space telescopes, which are currently limited by the size of the launcher. The experiment was one of 34 being conducted by astronaut Eytan Stibbe as part of Israel’s Rakia Mission. Stibbe, a former fighter pilot and businessman, is conducting the innovative research on behalf of a variety of organizations, including Israeli startups. The aim is to make technological, scientific, and medical breakthroughs and help startups and academics demonstrate how products developed on Earth operate in microgravity by doing proof-of-concept tests in space.

About the author

Jennifer L. Schenker

Jennifer L. Schenker, an award-winning journalist, has been covering the global tech industry from Europe since 1985, working full-time, at various points in her career, for the Wall Street Journal Europe, Time Magazine, International Herald Tribune, Red Herring and BusinessWeek. She is currently the editor-in-chief of The Innovator, an English-language global publication about the digital transformation of business. Jennifer was voted one of the 50 most inspiring women in technology in Europe in 2015 and 2016 and was named by Forbes Magazine in 2018 as one of the 30 women leaders disrupting tech in France. She has been a World Economic Forum Tech Pioneers judge for 20 years. She lives in Paris and has dual U.S. and French citizenship.