Dive Brief:
- Hackers have developed new tools allowing them to "gain full system access" to multiple industrial control devices, federal agencies, including the U.S. Department of Energy, announced in an alert issued on Wednesday.
- Experts say the new capabilities were likely developed by a nation-state actor, with some pointing the finger at Russia. They warn the tools could be used to compromise supervisory control and data acquisition (SCADA) devices at energy facilities.
- Security firm Dragos, which dubbed the malware "Pipedream," says it is just the seventh piece of malware known to target industrial control systems (ICS), but that it has not yet been deployed against a victim. "No electric utilities, LNG facilities, etc have been infected with anything," company CEO and co-founder Robert Lee said Thursday on Twitter.
Dive Insight:
The new malware was reportedly designed to target energy facilities, and possibly liquefied natural gas plants in particular. Taking over SCADA systems could allow adversaries to inflict significant damage, say experts.
"The malware was designed to be used in disruptive operations. This isn’t some normal malware and campaign. This is something that could be used to cause real issues or hurt people," Lee said on Twitter.
But the malware was caught before it was deployed, and the government is keeping its sources secret. "Folks are coming up with theories on where/how the malware was found. It’s not some spooky story, it’s just not something any of us want to talk about because it’s ongoing," Lee wrote.
The secrecy is leading to some confusion, he added. "Commentary about electric utilities being infected or compromised or similar is inaccurate," he said.
The Edison Electric Institute, which represents investor-owned utilities, said the discovery of the malware reflected collaboration between industry and government.
"The quick identification of these new cyber threats and the immediate mitigation and socialization efforts that resulted all are examples of this effective industry-government partnership in action," EEI Senior Vice President for Security and Preparedness Scott Aaronson said in a statement.
EEI also credited the National Security Council's 100-day sprint in 2021 to secure industrial control systems, which has helped ensure there are "incredibly sophisticated threat monitoring tools in place."
"The work we have done to create an environment where information sharing among industry and government stakeholders is happening in near real-time means that actionable intelligence is quickly making its way into the hands of system operators," Aaronson said.
Security consultant Tom Alrich said he anticipates there will be little impact on electric utilities, which have strong protections around critical assets, "and certainly no increased likelihood of an outage due to a cyberattack."
According to the government warning, released by the Cybersecurity and Infrastructure Security Agency (CISA), hackers developed "custom-made tools" for targeting ICS and SCADA devices that enable them to "scan for, compromise, and control affected devices" once they have gained access to the target's operational technology (OT) network.
"Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments," according to the alert. By compromising and maintaining full system access to ICS/SCADA devices, hackers "could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions."
CISA recommended that all organizations using ICS and SCADA devices take certain steps, including isolating those systems and networks from corporate and internet networks, using strong perimeter controls, and limiting communications entering or leaving ICS/SCADA perimeters.
The alert is concerning for multiple reasons, said Marty Edwards, vice president of OT Security at cybersecurity firm Tenable.
"If attackers are successful, the consequences of such intrusions are vast and can be potentially devastating," said Edwards, who was previously director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.
"It is imperative that asset owners and operators are continuously monitoring for any malicious communications to these devices as well as monitoring for any changes to the configuration or logic inside the devices in real-time," Edwards said.
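The perimeter limits CISA recommends and the two kinds of monitoring Edwards describes (unexpected communications to controllers, and changes to the logic inside them) can be expressed as a small policy check run over flow records and device uploads. The Python below is an added example written for this article; it is not code from CISA, Dragos or Tenable. The OT network range, controller addresses, allowed clients, the Modbus function codes it treats as writes, the flow log lines and the device logic images are all constructed assumptions for the illustration.

```python
"""Perimeter allowlist and logic-change monitoring for an ICS/SCADA segment.

Added example for this article, not code from CISA, Dragos or Tenable.
Every address, port, function code and log line below is constructed.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed policy: the OT segment, its controllers, and who may talk to them.
OT_NET = ipaddress.ip_network("10.20.0.0/16")
CONTROLLERS = {"10.20.5.11", "10.20.5.12"}
ALLOWED_CLIENTS = {            # host -> controller TCP ports it may reach
    "10.20.1.10": {502},       # engineering workstation inside the OT segment
    "10.30.0.5": {502},        # historian collector in the DMZ: the one permitted crossing
}
WRITERS = {"10.20.1.10"}       # only the engineering workstation may write or reprogram
WRITE_FUNCS = {5, 6, 15, 16}   # Modbus function codes that change device state


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    func: Optional[int]        # decoded Modbus function code, if the flow carried one


def parse_line(line: str) -> Flow:
    """Parse a constructed flow record: '<timestamp> <src> <dst> <dport> fc=<n|->'."""
    _ts, src, dst, dport, fc = line.split()
    value = fc.split("=", 1)[1]
    return Flow(src, dst, int(dport), None if value == "-" else int(value))


def check_flow(f: Flow) -> list[str]:
    """Return policy violations for one flow; an empty list means it is acceptable."""
    alerts = []
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    crosses = (src in OT_NET) != (dst in OT_NET)
    allowed = f.dport in ALLOWED_CLIENTS.get(f.src, set())
    # Rule 1: traffic may cross the perimeter only from an allowlisted client to a controller.
    if crosses and not (allowed and f.dst in CONTROLLERS):
        alerts.append(f"perimeter crossing not on allowlist: {f.src}->{f.dst}:{f.dport}")
    # Rule 2: nobody outside the allowlist reaches a controller, on any port.
    if f.dst in CONTROLLERS and not allowed:
        alerts.append(f"unlisted host reached controller: {f.src}->{f.dst}:{f.dport}")
    # Rule 3: writes and logic downloads come only from the engineering workstation.
    if f.func in WRITE_FUNCS and f.src not in WRITERS:
        alerts.append(f"write/program request from non-engineering host: {f.src}->{f.dst} fc={f.func}")
    return alerts


def scan(lines: list[str]) -> list[str]:
    """Run every record through the policy and return all alerts, in log order."""
    return [a for line in lines for a in check_flow(parse_line(line))]


def logic_fingerprint(program: bytes) -> str:
    """SHA-256 of the logic/config uploaded from a device, kept as its approved baseline."""
    return hashlib.sha256(program).hexdigest()


def changed_devices(baseline: dict[str, str], uploads: dict[str, bytes]) -> list[str]:
    """Devices whose current logic does not match the approved fingerprint (or have none)."""
    return sorted(d for d, prog in uploads.items() if logic_fingerprint(prog) != baseline.get(d))


# Constructed flow records: timestamp, source, destination, dest port, Modbus function code.
SAMPLE_LOG = [
    "2022-04-13T09:00:01 10.20.1.10 10.20.5.11 502 fc=3",    # workstation reads PLC: fine
    "2022-04-13T09:00:02 10.30.0.5 10.20.5.11 502 fc=3",     # historian reads across perimeter: allowlisted
    "2022-04-13T09:00:03 10.20.1.10 10.20.5.11 502 fc=16",   # workstation writes registers: permitted writer
    "2022-04-13T09:01:10 10.20.7.44 10.20.5.12 502 fc=16",   # unlisted OT host writes to a PLC: two alerts
    "2022-04-13T09:02:00 10.20.5.11 203.0.113.9 443 fc=-",   # PLC talks to the internet: crossing alert
    "2022-04-13T09:02:30 10.20.1.10 10.20.5.12 44818 fc=-",  # workstation on a non-allowlisted port: alert
]

# Constructed logic images; the second device's program differs from what was approved.
BASELINE = {
    "10.20.5.11": logic_fingerprint(b"LD X0\nOUT Y0\n"),
    "10.20.5.12": logic_fingerprint(b"LD X1\nOUT Y1\n"),
}
CURRENT_UPLOAD = {
    "10.20.5.11": b"LD X0\nOUT Y0\n",
    "10.20.5.12": b"LD X1\nOUT Y1\nSET Y7\n",
}

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT", alert)
    print("logic changed on:", changed_devices(BASELINE, CURRENT_UPLOAD))
```

Run as a script, it flags the three suspicious flows (four alerts, since the unlisted host both reaches a controller and issues a write) and reports that 10.20.5.12 no longer runs its approved logic. The point of keeping rule 3 separate from the allowlist is the one Edwards makes: a host that is allowed to read a controller is not thereby allowed to change what is inside it, and a logic upload that no longer matches its baseline is an alert even when no suspicious flow was ever seen.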
The CISA alert named a few device families the tools target, including some made by Schneider Electric and OMRON. But the issue may be much more widespread, some experts say.
"This CISA alert is also hinting that this is just the tip of the iceberg," said Eric Byres, CISA ICS advisor and chief technology officer of ICS software at cybersecurity firm aDolus Technology.
"There are thousands of industrial facilities across the nation who believe they have dodged the bullet because they don't use Schneider or OMRON products. They haven't dodged anything — they are just sitting ducks to these nation-state attackers," Byres said. "This is a classic case of why we need better supply chain transparency and analytics if we want to secure our critical infrastructure from nation-states."