US Warns New Sophisticated Malware Can Target ICS/SCADA Devices

wiredmikey writes: The U.S government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers. A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation. Privately owned ICS security firm Dragos issued a separate notice documenting what is now the seventh known industrial control system (ICS)-specific malware. "[This] is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment," the company said.

Bad news (if...)

[aaarrrgggh]

If your control network is compromised then this makes lateral moves significantly easier. One more shout out to "don't connect your control network to your general purpose LAN."

Re:

[bill_mcgonigle]

Anybody remember XML message passing bridges from 2004 for transiting networks of different security levels?

Nah, just hook the control rods up to a Facebook account - it'll be fine.

Re:

[NicknameUnavailable]

SCADA controls basically every utility in the US.

Re:

[gweihir]

Supervisory control and data acquisition (SCADA) a.k.a. ICS (Industrial Control Systems) is obviously what you use unless you use manual control. Hence your statement is pretty much nonsense. Unless you think they should be regulating things manually again?

Re:

[CaptQuark]

Every ICS system should be required to only be accessed via VPN and require two-factor authentication to connect. Those that don't should receive heavy fines, similar to an OSHA violation.

If the company is too lazy or cheap to implement basic security for utilities that affect millions then it should be financially penalized. The crash of the power grid in Texas during the winter of 2021, which was responsible for somewhere near 500 deaths, is an example of a private company prioritizing profits over stan

Re:

[aaarrrgggh]

That is not enough, from personal experience. It is a practical solution for low risk systems (like an office building BMS), but you need much more if there is a target on your back.

Re:

[gweihir]

That is not enough, from personal experience. It is a practical solution for low risk systems (like an office building BMS), but you need much more if there is a target on your back.

Indeed. But that is a separate topic that deals with proper risk analysis and mitigation and there are known ways to do this right. A problem is that the risk management is quite often not even done in the SCADA/ICS field or the software field in general. That amateur-level work has to stop. Fortunately, there are some efforts in Europe that I know of to start holding IT and CS experts personally responsible for the quality of their work. I expect there will be similar efforts in other places. I am all for

Re:

[gweihir]

Sure. Or even better isolation, like access only from computers that are never used for anything else in addition to that VPN and 2FA. Like well protected system administration machines. For example a common mistake is to use the same AD for business and industrial net. But my point was that yes, you will have SCADA/ICS systems in there and no, their existence is not the issue. The issue is how they are secured.

I fully agree on heavy fines or in critical infrastructure heavy personal fines for CISO/CIO/CEO

Re:

[NicknameUnavailable]

Are you actually incapable of understanding context and you just troll my posts after making me your "foe" as a part of your coping strategy for having a micropenis? We basically said the same exact thing across these two posts, only you felt to suggest what I wrote was nonsense and that I was somehow wrong. Stop being so polarized just because you were born with a micropenis bruh, it will be all right.

Re:

[gweihir]

I marked you "foe" because you are an ass. You just nicely confirmed that again. That is the way I use the "foe" marker. I would use an "idiot"/"ass"/"whatever" marker, but /. offers "foe", nothing else. Interactions on /. are not important enough to see anybody as a literal "foe" based on them. And no, I am not trolling you or stalking you. The active /. user population has gotten a lot smaller so it my seem like it. If so, I apologize for that.

So, yes, basically every utility in the world uses SCADA/ICS s

Re:

[NicknameUnavailable]

I marked you "foe" because you are an ass. You just nicely confirmed that again.

lol, you randomly made a comment agreeing with me while thinking (surely some learning disability, no judgement) that you were making some form of counter-point, because you saw a little red dot next to my name you stuck there for ongoing keyboard rage because you couldn't get it out of your system any of the prior dozens of times you've scrolled through looking to best me in a game of wits when I write these long-winded posts detailing your idiocy and don't read more than the first 2 sentences you write af

The question still has to be asked...

[Currawong]

... as to why anyone is still connecting critical control infrastructure to networks that are connected to the internet.

Re:

[gweihir]

People are cheap and stupid and there is no accountability for the decision makers.

SAP Alert Issued

[Miles_O'Toole]

This is an official notification from the Slashdot Acronym Police (SAP). Whenever a Slashdot summary exceeds our limit of six acronyms per short paragraph (including repetition), the SAP leaps into action by issuing a Severely Uncommunicative Communications Keyword Effectiveness Report.

That threshold has been exceeded in this summary, and therefore a SAPSUCKER has been issued.

Govern yourselves accordingly.