                        PIPEDREAM Malware: Understanding and Mitigating the Threat

                        Written by Mission Secure

                        The last year has brought unprecedented attention to the cybersecurity risks facing operational technology and industrial control systems. CISA’s new alert on APT Cyber Tools Targeting ICS/SCADA Devices adds even more urgency to the conversation, bringing to light a suite of tools called PIPEDREAM that could be used to execute attacks on oil and gas facilities, the electrical grid, and other critical infrastructure assets.

                        PIPEDREAM provides a set of tools designed to compromise commonly used industrial control devices and facilitate a wide range of actions, including the manipulation of physical processes within industrial facilities. Devices vulnerable to PIPEDREAM attacks include Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. Other manufacturers and device categories are likely to be vulnerable as well.

                        The full scope of the threat is not yet known. However, PIPEDREAM represents a significant escalation in efforts to compromise and attack critical infrastructure. A few key takeaways from the CISA alert are immediately clear.

                        OT-specific malware is a growing threat

                        To date, most attacks against critical infrastructure operations (the Colonial Pipeline attack, for example) have been aimed at IT networks, using the same tools and tactics that might be used against endpoints and servers in any other IT environment. But that may soon change.

                        PIPEDREAM is among a small but growing number of tools created specifically with OT networks and assets in mind. With capabilities designed to exploit the unique vulnerabilities and functionality of PLCs and other operational technology devices, PIPEDREAM demonstrates a growing interest among threat actors in disrupting physical processes and doing real-world damage.

                        Attacking OT and ICS will get easier

                        The lower levels of OT networks have traditionally been out of reach for the average threat actor, because accessing and manipulating them required specialized skills. And while PIPEDREAM was likely developed by a state-sponsored Russian APT group, you don’t need to be a highly sophisticated hacker to use it. 

                        PIPEDREAM was designed to be user friendly, with a modular architecture and automated functionality that enables, in the words of the CISA alert, “operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.” That means organized crime syndicates, terrorist groups, and other threat actors now have access to tools that once belonged to only the most sophisticated groups.

                        This also has the effect of expanding the potential ICS cyber attack surface. While state-sponsored attackers might be expected to focus on large targets with geopolitical significance, smaller threat actors might choose smaller targets to suit their own agendas, or use automated tactics to find and attack networks without even knowing in advance that the targets existed.

                        Dealing with the threat

                        The guidance for mitigating PIPEDREAM threats is consistent with the recommendations CISA has been making with increasing frequency in recent years. 

                        In addition to patching systems and maintaining backup and incident recovery plans, CISA recommends several strategies for preventing and detecting PIPEDREAM-based attacks, including:

                        • Increasing segmentation within OT networks
                        • Limiting ICS device connectivity to “known good” management and engineering workstations
                        • Limiting remote access to OT networks, and maintaining strict control over access that does occur
                        • Implementing a continuous OT monitoring solution to detect and alert on unauthorized or unexpected network activity.
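
The second and fourth recommendations can be combined into a simple monitoring check. The sketch below is an added example, not code from CISA or Mission Secure: it reads flow records and alerts on any connection into the controller subnet that does not come from a "known good" workstation. The subnet, workstation addresses, log format, and sample records are all constructed assumptions.

```python
import ipaddress

# Constructed inventory (assumption): the controller subnet and the
# "known good" engineering workstations permitted to reach it.
ICS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_WORKSTATIONS = {
    ipaddress.ip_address("10.10.5.11"),
    ipaddress.ip_address("10.10.5.12"),
}

# Constructed flow records in the form "timestamp src dst dst_port proto".
SAMPLE_FLOWS = """\
2022-04-14T08:01:02Z 10.10.5.11 10.20.0.15 502 tcp
2022-04-14T08:01:09Z 10.10.5.12 10.20.0.21 4840 tcp
2022-04-14T08:03:44Z 10.30.7.80 10.20.0.15 502 tcp
2022-04-14T08:04:10Z 10.20.0.15 10.20.0.21 4840 tcp
2022-04-14T08:05:00Z 10.10.5.11 10.10.5.12 445 tcp
malformed line
2022-04-14T08:06:31Z 10.30.7.80 10.20.0.21 4840 tcp
"""

def parse_flow(line):
    """Return (ts, src, dst, port, proto), or None if the record is unusable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto
    except ValueError:
        return None

def find_violations(text):
    """Alert on traffic into the controller subnet from non-allowlisted sources."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            skipped += 1  # count unparsable records so gaps in coverage are visible
            continue
        ts, src, dst, port, _proto = flow
        if dst not in ICS_SUBNET or src in ALLOWED_WORKSTATIONS:
            continue
        # Traffic between controllers is flagged separately for review.
        reason = "peer device" if src in ICS_SUBNET else "unlisted source"
        alerts.append((ts, str(src), str(dst), port, reason))
    return alerts, skipped
```

Counting skipped records matters as much as the alerts: a monitor that silently drops lines it cannot parse leaves a blind spot in exactly the traffic it is meant to watch.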

                        Mission Secure’s OT cybersecurity platform provides each of these capabilities, through integrated hardware, software, and managed services designed specifically for OT and ICS environments.

                        Just as PIPEDREAM was developed to exploit the unique vulnerabilities that exist within OT networks, the Mission Secure platform provides unique capabilities developed to address those vulnerabilities.

                        Mission Secure’s patented Signal Integrity Sensor, for example, can detect unauthorized attempts to manipulate physical devices, even if the industrial controllers attached to those devices have been compromised. Other elements within the Mission Secure platform provide network segmentation, traffic whitelisting, and alerts on unexpected activity, while managed monitoring services ensure 24/7 attention on the health and security of the OT environment.

                        To learn more about how Mission Secure helps defend critical systems, contact us to schedule a consultation with our team of industrial cybersecurity experts.
