Hackers target US industrial control systems


Four federal agencies have warned that hacking groups have developed tools to attack technology used in factories, utilities, and other industrial settings, potentially allowing hackers to shut down parts of the U.S. energy grid and water services.

The April 13 alert from the FBI, the Department of Energy, and other agencies warns of advanced persistent threats, typically large cybercriminal groups and government-supported hackers, targeting three broad groups of industrial control system and supervisory control and data acquisition devices.

The targeted technologies are used in a wide range of settings, including the U.S. energy sector, the oil and gas industry, water and wastewater services, and manufacturing, transportation, and government agencies, such as the Department of Defense, noted Bill Moore, CEO and founder of Xona, an industrial controls security vendor.

“Chances are your life has been touched somehow by these systems unless you … live way off the grid,” added Andy Rogers, senior assessor at Schellman, a global cybersecurity assessor. “These systems control everything imaginable and to some degree make our lives a little more comfortable or safer on a daily basis.”

Moore called these threats “extremely concerning,” particularly during the current geopolitical tensions sparked by Russia’s invasion of Ukraine.

The described hacking tools “demonstrate a significant advancement in capabilities and methods for orchestrating an attack on critical infrastructure industrial control systems,” he told the Washington Examiner. “While there is no evidence yet that these … tools have been used to disrupt or destroy industrial controls to date, the unstable geopolitical environment dramatically increases the risk of the malicious use of these tools.”

The targeted devices include programmable logic controllers from Schneider Electric and OMRON, the industrial computers used to run assembly lines, industrial robots, and other industrial processes. In addition, these hacking groups are focusing on Open Platform Communications Unified Architecture servers used in industrial settings.

The “custom-made” hacking tools targeting these devices would allow attackers to access computers in the industrial network and “disrupt critical devices or functions,” the agencies said. For example, tools targeting Schneider Electric programmable logic controllers would allow hackers to conduct denial-of-service attacks to cut off control of the devices and to send a “packet of death” to crash the programmable logic controller.

The government alert about these hacking tools has “nation-state implications,” Moore said. The methods suggest an effort targeting “many vendors and many critical infrastructure segments,” he added.

The warning suggests that these attacks could be dangerous to industrial control system networks, but they “could also put the safety of people working in these environments at risk,” Moore added.

While some cybersecurity experts said the new hacking tools raised serious concerns, hacking groups targeting supervisory control and data acquisition systems are nothing new. For example, Stuxnet, a piece of malware discovered in 2010, targeted those systems in Iran.

There’s never been a “major assault of multiple SCADA systems with multiple outages,” said Schellman’s Rogers, although such an attack could cause significant damage.

The government alert called on supervisory control and data acquisition operators to use multifactor authentication for remote access to industrial control system networks and devices. They should also change passwords consistently and use cybersecurity monitoring systems.

The government agencies recommended that supervisory control and data acquisition operators also isolate industrial control systems and networks from corporate and internet networks using strong perimeter controls.

Still, isolating and patching these systems can be difficult, Rogers said.

“We can patch them, but these systems are in many cases designed to run nonstop with no means to fail-over or only to fail-over in the event of a catastrophe,” he told the Washington Examiner. “Patching them is also a problem because if the patch were to, say, make the system inoperable, your backup has now become your primary with no backup.”

In addition, many users have connected industrial control systems to the internet for the sake of convenience, he added.

An internet connection allows maintenance employees to check on the systems without having to drive to the office, he noted. “Unfortunately, just as well as that one maintenance guy can remote in, so can the bad guys,” he said.
