It’s important for the industry not to underestimate the impact of the PIPEDREAM/INCONTROLLER cyberattack tools that were reported by the Cybersecurity and Infrastructure Security Agency (CISA) earlier this month. Please don’t think of this as the typical financially-motivated ransomware attack. It’s designed to destroy energy infrastructure in the United States.
Motive, means and opportunity
Looking at the broad capabilities of this tool, it’s also clear that a well-funded, highly-skilled nation-state adversary created PIPEDREAM. I believe that this malware was created and has been deployed by a Russian security agency like the GRU. It matches the pattern of their previous cyber tools like INDUSTROYER used to attack the Ukrainian grid. They are one of the few nations with the skills and the motivation to create it.
Back in early March, many OT security professionals, including myself, believed that Russia never intended to directly attack the US. We were wrong. This has been elevated to a military tool, not a criminal one, and it’s now in U.S. energy infrastructure. Fortunately, it appears that for some reason, Putin hasn’t pulled the trigger – just yet.
It's what’s inside the box that matters, not what’s on the label
Finally, understand that just because an electrical utility doesn’t use the specific Schneider or OMRON products listed by CISA doesn’t mean this attack toolset won’t be used against them.
Many of the vulnerabilities that PIPEDREAM takes advantage of are hiding in common third-party software embedded in OT devices sold by hundreds of different vendors. One example is CODESYS Runtime, a framework widely used in the energy sector, industrial manufacturing, and IIoT systems.
Industrial customers might think they have Schneider Electric software and thus look for the vulnerabilities assigned to Schneider products in the National Vulnerability Database. They won't find a thing, because the vulnerabilities are all listed as CODESYS issues. For example, the entry for CVE-2022-22519 doesn't mention a single actual OT product affected, only CODESYS Runtime. Right now, Schneider and OMRON are doing the right thing and letting their customers know that they may be under attack. Unfortunately, many other OT product suppliers using CODESYS and other similar components are being unhelpfully silent.
To defend against PIPEDREAM, utilities must start to know the source of the software and firmware used in their OT systems. The NERC CIP-013 Supply Chain regulations are the first step, but the industry needs more – and fast. Corporate executives and government agencies must have clear visibility starting from the direct suppliers at the top of the chain down to all the third-, fourth-, and fifth-party suppliers buried deep in our nation's critical software.
The only defense
Companies must have a global view of their software supply chain to defend against supply chain attacks. In other words, they must see – in real time – not only who they buy software from but also which third- and fourth-party developers have software embedded inside the products they use. And they need to be able to locate high-risk software components in minutes.
The Software Bills of Materials (SBOMs) being mandated by the U.S. government are another important step. Now companies need platforms such as our Framework for Analysis and Coordinated Trust that convert the mountains of data inside SBOMs into actionable business intelligence. These capabilities will make the difference between an extended critical system outage like we saw at Colonial Pipeline and a rapid and successful defense against attacks by foreign nation-states.
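As an added illustration of the point above (this is example code, not code from the author or from aDolus), the following Python walks a small constructed CycloneDX-style SBOM and checks every nested component, not just the top-level product, against an advisory index keyed by component name. The SBOM contents, the vendor and product names, and the advisory index are constructed; the only fact taken from the text is that CVE-2022-22519 is listed against CODESYS Runtime rather than against any product that embeds it.

```python
"""Match nested SBOM components against advisories keyed by component, not product."""
import json

# Constructed CycloneDX-style SBOM fragment (not a real vendor document).
# A PLC firmware embeds a third-party runtime, which in turn embeds a library.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "Example PLC Firmware", "version": "3.2",
     "supplier": {"name": "Example Vendor (constructed)"},
     "components": [
       {"name": "CODESYS Control Runtime", "version": "3.5.17.0",
        "components": [{"name": "hypothetical-tls-lib", "version": "1.0"}]}
     ]}
  ]
}
""")

# Constructed advisory index keyed by normalised component name. The CVE id is the
# one cited in the text; a real index would also carry affected-version ranges.
ADVISORIES = {"codesys control runtime": ["CVE-2022-22519"]}


def normalise(name):
    """Collapse case and whitespace so naming differences between SBOMs don't hide a match."""
    return " ".join(name.lower().split())


def walk(component, path=()):
    """Depth-first traversal yielding (path, component) for a component and all its children."""
    here = path + (component["name"],)
    yield here, component
    for child in component.get("components", []):
        yield from walk(child, here)


def lookup_by_product(sbom, advisories):
    """The naive check: only the top-level product names are looked up. Finds nothing here."""
    return [c["name"] for c in sbom["components"]
            if normalise(c["name"]) in advisories]


def find_exposures(sbom, advisories):
    """Check every embedded component, returning (product, path, cves) for each hit."""
    hits = []
    for top in sbom["components"]:
        for path, comp in walk(top):
            cves = advisories.get(normalise(comp["name"]))
            if cves:
                hits.append((top["name"], path, list(cves)))
    return hits
```

Run on the constructed SBOM, `lookup_by_product` returns nothing while `find_exposures` surfaces the CODESYS component two levels down, together with the product that ships it.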
Eric Byres, CTO and Board Member, aDolus Technology Inc.