Skip to main content

Critical Infrastructure Malware Increases Cyber Risks

Pipedream malware targets Industrial Control Systems (ICS) used in Critical Infrastructure like oil refineries, power grids, water processing plants and factories

Advisory Cyber Malware

Known as “Pipedream”, is perhaps the most versatile malware made to target infrastructure such as power grids and oil refineries.

Malware designed to target Industrial Control Systems (ICS) like oil refineries, power grids, water processing plants and factories has been discovered by Dragos, a cyber security firm – triggering warnings from the US Government for critical infrastructure owners worldwide to take note.

It comes at a time where critical infrastructure is already experiencing increased malicious cyber activity as a result of the Russia-Ukraine conflict prompting a joint cyber security advisory from the cyber security authorities of Australia, New Zealand, United States, Canada and United Kingdom.

What is a Pipedream?

Pipedream joins other ICS Specific malwares such as Stuxnet, Havex, BlackEnergy 2, CrashOverride/Industroyer, Trisis/Triton and Industroyer 2.

Pipedream has the ability to manipulate Programmable Logic Controllers (PLC) along with industrial software like Schneider Electric and Omron. Pipedream can additionally attack industrial technologies like Modbus and CODESYS and Open Platform Communications Unified Architecture. One of the reasons why Pipedream is difficult to detect, is that it takes advantage of native functionality and with the ability to spread from one controller to another, Pipedream can cause significant damage if the attacker chooses to do so.

Currently it is believed that Pipedream is targeted to the Energy and Gas sector, however it’s not to say that it can’t be adapted to target additional industries. According to Dragos, “Tools in Pipedream can scan for new devices, brute force passwords, sever connections, and then crash the target device. To accomplish these goals, Pipedream uses several different protocols, including Omron’s proprietary FINS, Modbus, and Schneider Electric’s implementation of CODESYS. Given the variety of protocols that Pipedream abuses, CHERNOVITE possesses a breadth of ICS knowledge beyond any of Dragos’s previously discovered activity groups.”

How can companies respond?

Companies need to understand their levels of vulnerabilities that exist in their Operational Technology (OT) environment and how to better secure critical infrastructure. As targeted OT environment attacks increase, with potential to cause real world damage, a robust cyber security programme is required.

For the Risk Manager

  • Cyber risks should be appropriately catalogued across the whole of OT and rated as per the enterprise risk management (ERM) ratings. 

For the CISO

  • Ensure detective capabilities are revisited and updated to currency
  • Have a current and tested incident response plan in place
  • Maintain ICS visibility
  • Implement or revisit you privilege access solution
  • Ensure there is no default credentials in place

How can Marsh help

  1. ICS Posture health check based on NIST, NERC, CIP Standard and COBIT
  2. Key risks mapped against the ERM framework
  3. Strategy and roadmap
  4. Execution of the strategy and roadmap

Marsh’s Cyber team is available to you at any time to provide best-in-class answers, service, and solutions for cyber risk management planning and optimisation, cyber incident response and management and cyber coverage review or placement. For more information, contact your Marsh representative or a member of the Marsh cyber consulting team.

 

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. LCPA: 22/182