IT disaster recovery, cloud computing and information security news

Pipedream: new malware designed to attack industrial control systems identified

Dragos has released details of Pipedream, new malware that it has discovered which has been specifically developed to disrupt industrial processes. Pipedream is the seventh known industrial control system (ICS)-specific malware. It is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.

What is Pipedream?

Pipedream can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics and can manipulate a wide variety of industrial control programmable logic controllers (PLC) and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA).

While the malware developers are specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and Pipedream’s functionality could work across hundreds of different controllers.

How to protect against Pipedream?

Due to the expansive nature of Pipedream, mitigating the threat will require a robust strategy, and not simply applying cyber security fundamentals, says Dragos. The company recommends the following mitigations:

  • Monitor industrial environments for all threat behaviors in the MITRE ATT&CK for ICS matrix as adversaries are increasing their scope and scale of capabilities.
  • Ensure ICS visibility and threat detection include all ICS North-South and East-West communications — network edge and perimeter monitoring are insufficient for Pipedream.
  • Maintain knowledge and control of all assets within Operational Technology (OT) environments, including details such as ensuring only known-good firmware and controller configuration files are in use.
  • Utilize a fully researched and rehearsed industrial incident response plan that includes attempts by adversaries to deny, disrupt, and destroy processes ensuring an extended time-to-recovery.

“Since early 2022, Dragos has been analysing the Pipedream toolset. We track its developers as the threat group Chernovite, which we assess with high confidence to be a state actor. Pipedream malware has been developed for use in disruptive or destructive operations against ICS. Specifically the initial targeting appears to be liquid natural gas and electric community specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.

“Pipedream initially targets Schneider Electric and Omron controllers, however there are not vulnerabilities specific to those product lines. Pipedream takes advantage of native functionality in operations, making it more difficult to detect. It includes features such as the ability to spread from controller to controller, and leverage popular ICS network protocols such as ModbusTCP and OPC UA.

“Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks. While the malicious capability is sophisticated, with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS specific incident response plan, and ICS network monitoring provide a robust defense against this threat.”

More details.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.