#### Whitepaper

## PIPEDREAM: CHERNOVITE’S EMERGING MALWARE TARGETING INDUSTRIAL CONTROL SYSTEMS

###### Dragos, Inc.

**[info@dragos.com](mailto:info%40dragos.com?subject=)** **[@DragosInc](https://twitter.com/DragosInc?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)**

### EXECUTIVE SUMMARY

PIPEDREAM is the seventh known Industrial Control Systems (ICS)-specific malware and the fifth malware specifically developed to disrupt industrial processes. PIPEDREAM demonstrates significant adversary research and development focused on the disruption, degradation, and potentially the destruction of industrial environments and physical processes.

The Dragos-designated threat group CHERNOVITE developed PIPEDREAM, which consists of a collection of components. PIPEDREAM can impact a wide variety of Programmable Logic Controllers (PLC) and industrial software, including specific Omron and Schneider Electric PLCs, and poorly configured Open Platform Communications Unified Architecture (OPC-UA) servers. One of the Schneider Electric PLCs that PIPEDREAM targets uses CODESYS as its underlying system architecture, and PIPEDREAM abuses CODESYS as a key component because of its lack of security. CODESYS is a third-party software component used by hundreds of industrial equipment vendors. While PIPEDREAM can currently identify and target PLCs from Omron and Schneider Electric, its tooling may be used to target and attack controllers from hundreds of other vendors. In sum, PIPEDREAM’s versatility lets it target a variety of PLCs in multiple verticals.

Dragos assesses with high confidence that PIPEDREAM has not yet been employed for disruptive or destructive effects. This is a rare case of analyzing malicious capabilities before they are used against victim infrastructure, giving defenders a unique opportunity to prepare in advance. Dragos assesses with high confidence that this capability was developed by a state-sponsored adversary with the intention to leverage PIPEDREAM in future operations.

### CHERNOVITE - THE THREAT GROUP BEHIND PIPEDREAM

Based on current observations, CHERNOVITE focuses on manipulating industrial control systems and can achieve Stage 2 of the ICS Cyber Kill Chain. As an impact-focused team, CHERNOVITE would need access facilitated by other teams to ingress into target environments.

CHERNOVITE’s observable infrastructure consists of compromised, adversary-controlled command-and-control infrastructure. Their activity is expected to shift to a malicious adversary-controlled domain or webserver. CHERNOVITE is likely to use service provider infrastructure; however, there are no indications of currently active infrastructure. CHERNOVITE can use target infrastructure to facilitate interactive operations and lateral movement, access enablement in an operational technology (OT) environment, and the manipulation of processes to achieve adversary intent.

### WHY ARE WE PUBLISHING THIS?

Threats to industrial infrastructure security are an extremely sensitive matter. Given the unique realities of industrial operations, it is often harder for defenders to react than for adversaries to leverage public information. The more time the community has to implement mitigations before new malicious capabilities become public, the better the chance that the adverse effects of any attempted attacks will be reduced.

Dragos identified and analyzed PIPEDREAM’s capabilities through our normal business, independent research, and collaboration with various partners in early 2022. Our primary focus is informing industrial asset owners and operators with as much information as possible. It is the team’s stance never to be the first to communicate detailed technical insights on ICS threats and capabilities until the information is already going to become public: such information can often be weaponized, and industrial control system (ICS) defenders need as much time as possible. Once information about threats and new capabilities is made public, Dragos’s approach is to follow up with detailed analysis and advice to the security community. This report was proactively written and readied for release as the information became public through other avenues.

Table 1: Summary of the potentially impacted technology

|Manufacturer|Product|Description|PIPEDREAM Attack Module|
|---|---|---|---|
|Omron|NX1P2 PLC|Compact Machine Controller. Built-in EtherCAT to simplify the wiring of up to eight servo systems, including for single-axis position control.|BADOMEN|
|Omron|NX-SL3300|Safety Controller. SIL-3 rated safety controller. Integrated safety over EtherCAT.|BADOMEN|
|Omron|NJ501-1300 PLC|Machine Automation Controller. Native OPC-UA, EtherCAT, Ethernet/IP.|BADOMEN|
|Omron|NX-ECC, NX-EIC202, NX-ECC203|EtherCAT Couplers. Provide an interface between a controller and connected EtherCAT Terminals.|BADOMEN|
|Omron|R88D-1SN10F-ECT|1S Servo Drive. 1 kW, 3-400 VAC EtherCAT type servo drive.|BADOMEN|
|Omron|S8VK|Power Supply. DC 24V 5.0A DIN Rail Power Supply.|BADOMEN|
|Schneider Electric|Modicon M241 (TM241)|IIoT Native Edge Logic Controller. EtherNet/IP; RS 232/RS 485 serial link; USB mini-B programming port.|EVILSCHOLAR|
|Schneider Electric|Modicon M251 (TM251)|Programmable Logic Controller. EtherNet/IP; CANopen (master) and SAE J1939; serial link; USB mini-B programming port.|EVILSCHOLAR|
|Schneider Electric|Modicon M221 (TM221)|Logic Controller/IO Relay. PLC for hardwired architectures. EtherNet/IP; RS 232/RS 485 serial link; USB mini-B programming port.|EVILSCHOLAR|
|Schneider Electric|Modicon (TM238)|Logic Controller. Standalone / “all-in-one” solution in a compact unit. Ethernet Modbus/TCP, Profibus DP, DeviceNet, etc.|EVILSCHOLAR|
|Schneider Electric|Modicon M258 (TM258)|Logic Controller. 42 or 66 digital I/O; embedded serial link and Ethernet port; 4 analog inputs.|EVILSCHOLAR|
|Schneider Electric|LMC058|Motion Controller. Solution for axis control and positioning, including automation functions.|EVILSCHOLAR|
|Schneider Electric|LMC078|Motion Controller. Designed for compact machines that require a high level of performance in motion control applications. Velocity and torque control, etc.|EVILSCHOLAR|

### PIPEDREAM SUMMARY ANALYSIS

CHERNOVITE’s PIPEDREAM is a highly capable offensive ICS attack framework. It can execute 36 known ICS attack techniques (46 percent of the known ICS attack techniques) as measured against the MITRE ATT&CK for ICS behavior matrix, shown in Figure 1.
Figure 1 - Mapping for CHERNOVITE/PIPEDREAM MITRE ATT&CK for ICS Techniques (the matrix is reproduced as a table below)

PIPEDREAM utilizes PLC implants to execute untrusted code on the PLC devices themselves, beyond the view of the host-based monitoring found on Windows and Linux assets. Implants could live on PLCs for years before they are discovered, as only a firmware forensic analysis of a PLC would reveal the existence of the implant.

|INITIAL ACCESS|EXECUTION|PERSISTENCE|PRIVILEGE ESCALATION|EVASION|DISCOVERY|LATERAL MOVEMENT|COLLECTION|COMMAND & CONTROL|INHIBIT RESPONSE FUNCTION|IMPAIR PROCESS CONTROL|IMPACT|
|---|---|---|---|---|---|---|---|---|---|---|---|
|Data Historian Compromise|Change Operating Mode|Modify Program|Exploitation for Privilege Escalation|Change Operating Mode|Network Connection Enumeration|Default Credentials|Automated Collection|Commonly Used Port|Activate Firmware Update Mode|Brute Force I/O|Damage to Property|
|Drive-by Compromise|Command-Line Interface|Module Firmware|Hooking|Exploitation for Evasion|Network Sniffing|Exploitation of Remote Services|Data from Information Repositories|Connection Proxy|Alarm Suppression|Modify Parameter|Denial of Control|
|Engineering Workstation Compromise|Execution through API|Project File Infection||Indicator Removal on Host|Remote System Discovery|Lateral Tool Transfer|Detect Operating Mode|Standard Application Layer Protocol|Block Command Message|Modify Firmware|Denial of View|
|Exploit Public-Facing Application|Graphical User Interface|System Firmware||Masquerading|Remote System Information Discovery|Program Download|I/O Image||Block Reporting Message|Spoof Reporting Message|Loss of Availability|
|Exploitation of Remote Services|Hooking|Valid Accounts||Rootkit|Wireless Sniffing|Remote Services|Man in the Middle||Block Serial COM|Unauthorized Command Message|Loss of Control|
|Internet Accessible Device|Modify Controller Tasking|||Spoof Reporting Message||Valid Accounts|Monitor Process State||Data Destruction||Loss of Productivity and Revenue|
|Remote Services|Native API||||||Point & Tag Identification||Denial of Service||Loss of Protection|
|Replication via Removable Media|Scripting||||||Program Upload||Device Restart/Shutdown||Loss of Safety|
|Rogue Master|User Execution||||||Screen Capture||Manipulate I/O Image||Loss of View|
|Spearphishing Attachment|||||||Wireless Sniffing||Modify Alarm Settings||Manipulation of Control|
|Supply Chain Compromise|||||||||Rootkit||Manipulation of View|
|Wireless Compromise|||||||||Service Stop||Theft of Operational Information|
||||||||||System Firmware|||

#### PIPEDREAM Utilities Explained

There are a few key design decisions in PIPEDREAM that indicate the characteristics of CHERNOVITE’s development team. Both EVILSCHOLAR and BADOMEN are extensible and modular. This suggests that the developers intend to support the tools long term and are aware that the toolsets need to adapt to new operational requirements; in other words, they may need to be extended for new target devices. The design is comparable to common red team tools such as Metasploit and PowerShell Empire. Furthermore, the tools are easy to use, which means the developers are likely aware they may be used by operators less knowledgeable than the developers.

MOUSEHOLE provides an interactive capability for manipulating OPC-UA server nodes and the associated devices. MOUSEHOLE is akin to an upgraded CRASHOVERRIDE and is the first time Dragos has witnessed a threat group learning from another threat group, in this case ELECTRUM’s attack. This indicates that the adversary is aware of successful attacks and is actively seeking to develop a mature capability to achieve a similar impact.

The addition of DUSTTUNNEL and LAZYCARGO to PIPEDREAM indicates that CHERNOVITE is not only thinking about OT. They are also thinking about how to achieve an end-to-end attack: starting with an IT intrusion, pivoting into OT, and executing an attack that covers ICS Kill Chain Stages 1 and 2. The breadth of knowledge required to develop these tools indicates that CHERNOVITE is highly knowledgeable of ICS protocols and devices, and of how to apply this knowledge to achieve an effect.
They likely have a budget for acquiring devices to test their toolset.

**Given these indicators, Dragos assesses with high confidence that CHERNOVITE is highly motivated, skilled in software development methods, well versed in ICS protocols and intrusion techniques, and well-funded.**

The following is a list of the utilities with their capabilities. It is important to note that while the adversary could use these tools together, they are not required to be deployed together. PIPEDREAM should be viewed as a toolkit rather than a holistic attack suite.

**EVILSCHOLAR** A capability designed to discover, access, manipulate, and disable Schneider Electric PLCs.

**BADOMEN** A remote shell capability designed to interact with Omron software and PLCs.

**MOUSEHOLE** A tool for interacting with OPC-UA servers. It is designed to read and write node attribute data, enumerate the Server Namespace and associated NodeIds, and brute force credentials.

**DUSTTUNNEL** A custom remote operational implant capability to perform host reconnaissance and command-and-control.

**LAZYCARGO** A capability that drops and exploits a vulnerable ASRock driver to load an unsigned driver.

**Dragos Platform Detections are designed to alert on PIPEDREAM behavior at these points in the ICS Cyber Kill Chain**

Figure 3: ICS Cyber Kill Chain Stage 2 (01 Develop, 02 Test, 03 Deliver, 04 Install/Modify, 05 Execute), annotated with the Dragos Platform detections: Initial Communication Attempt, Unauthorized Login, Initial Device Connectivity, File Transfer of PIPEDREAM, Telnet Login Bypass, HTTP Login Bypass, File Upload, File Transfer of LAZYCARGO, Interrogate Windows System, Get PLC Status, Read PLC Operation, HTTP Encrypted Post, Activate Telnet, Password Brute Force Attempt, and Scan for Devices.

#### Suspected Deployment Scenarios

The following provides an example scenario of the deployment of PIPEDREAM components, along with the possible impact, based on Dragos’ analysis of the PIPEDREAM malware to date.
###### PHASE 1: IT NETWORK INTRUSION

CHERNOVITE could deploy DUSTTUNNEL within an enterprise network through phishing or compromised remote access. Using DUSTTUNNEL's command-and-control functions, CHERNOVITE could drop additional tools such as Mimikatz to gather credentials, access a legitimate account, and gain a persistent foothold in the enterprise network. From there, DUSTTUNNEL can allow the adversary to enumerate the network to locate the IT-OT DMZ and then move laterally using captured credentials. At this stage, CHERNOVITE may deploy LAZYCARGO to install a rootkit to protect the established foothold within the corporate network.

###### PHASE 2: OT ENUMERATION

DUSTTUNNEL can allow CHERNOVITE to traverse to operational technology (OT) networks or jump boxes in the IT-OT demilitarized zone (DMZ). LAZYCARGO could also be deployed at this stage on operator stations/Human-Machine Interfaces (HMI) to install unsigned device drivers to manipulate traffic being sent between HMIs and field devices.

###### PHASE 3: CONTROLLER COMPROMISE

Once in the OT network, CHERNOVITE can leverage MOUSEHOLE to identify and brute force authentication to an OPC-UA server. CHERNOVITE can then enumerate devices on the OT network and see configurations, with the potential to manipulate tags and control points. Depending on the identified plant infrastructure, CHERNOVITE could deploy EVILSCHOLAR and/or BADOMEN to interact with Schneider Electric PLCs and Omron PLCs.

###### PHASE 4: FURTHER COMPROMISE OF CONTROL NETWORKS

EVILSCHOLAR proxy functionality could then be used to pivot into protected network segments by abusing Schneider Electric controller routing behavior. This functionality would allow further enumeration of controllers to be targeted in Modbus enumeration and exploitation.

###### PHASE 5: CROWN-JEWEL OBJECTIVES

Capabilities to reprogram and potentially disable safety controllers and other machine automation controllers could then be leveraged to disable emergency shutdown systems, and subsequently manipulate the operational environment into unsafe conditions.

Figure 4: CHERNOVITE scenario example (SCADA & HMI; EVILSCHOLAR: Schneider PLC exploitation; BADOMEN: Omron PLC/SIS exploitation; MOUSEHOLE: enumerate PLCs and OT networks; LAZYCARGO: unsigned driver loading; pivot using a compromised PLC)

### DEFENDING AGAINST PIPEDREAM – WHAT YOU CAN DO NOW

The Dragos Platform contains several detections for PIPEDREAM activity. Dragos customers employing the most recent Knowledge Packs can find these detections in the Dragos Platform under the Content tab. Managed service customers can go through OT Watch. Dragos has already searched through Neighborhood Keeper participants for activity. Asset owners who are not Dragos Platform customers should focus on identifying the Tactics, Techniques, and Procedures (TTP) detailed in this report and follow the recommended actions in Table 2 to mitigate impacts to their environment.

Much of the guidance to the community in the form of standards, frameworks, and regulations focuses heavily on preventing cyber attacks. This means the community often puts very limited focus on detection and response. Given the type of threat, it is imperative to be able to detect and respond instead of simply attempting to prevent access.
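The port-based actions in Tables 2 and 3 that follow, together with the East-West monitoring guidance later in this report, translate into simple flow checks. The following is an added example, not Dragos Platform content; the asset inventory, flow records and rule names are constructed assumptions, and only the port numbers come from the mitigation tables.

```python
"""Flow checks derived from the PIPEDREAM mitigation tables (added example).

The inventory roles, flow records and rule names below are assumptions
constructed for this illustration, not Dragos Platform content.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Engineering/discovery ports named in Tables 2 and 3, keyed by the role an
# asset carries in the assumed inventory.
ENGINEERING_PORTS = {
    "plc_schneider": {("udp", p) for p in range(1740, 1744)} | {("tcp", 1105), ("tcp", 11740)},
    "plc_omron": {("tcp", 80), ("tcp", 9600), ("udp", 9600)},
}
# Address space of the OT site; an EWS connection to anything else is "outbound".
SITE_NETWORKS = [ip_network("10.10.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Alert:
    rule: str
    flow: Flow


def evaluate_flows(flows, inventory):
    """Return one Alert per flow that breaks the expected role/port pairing.

    inventory maps IP -> role ("ews", "hmi", "plc_schneider", "plc_omron").
    Rules are tested in order and the first match wins.
    """
    alerts = []
    for f in flows:
        src_role = inventory.get(f.src, "unknown")
        dst_role = inventory.get(f.dst, "unknown")
        src_is_plc, dst_is_plc = src_role.startswith("plc_"), dst_role.startswith("plc_")
        eng_port = (f.proto.lower(), f.dport) in ENGINEERING_PORTS.get(dst_role, set())
        if src_is_plc and dst_is_plc and eng_port:
            # Table 2: a PLC opening engineering-port connections to another PLC
            # is the PLC-to-PLC pivot path, not normal process traffic.
            alerts.append(Alert("plc_to_plc_engineering_port", f))
        elif dst_is_plc and eng_port and src_role != "ews":
            # Tables 2 and 3: only engineering workstations should reach these ports.
            alerts.append(Alert("non_ews_to_plc_engineering_port", f))
        elif src_role == "ews" and not any(ip_address(f.dst) in n for n in SITE_NETWORKS):
            # Tables 2 and 3: the EWS must not make outbound (Internet) connections.
            alerts.append(Alert("ews_outbound_connection", f))
    return alerts


# Constructed sample inventory and flows.
SAMPLE_INVENTORY = {
    "10.10.1.10": "ews",
    "10.10.1.20": "hmi",
    "10.10.2.11": "plc_schneider",
    "10.10.2.12": "plc_schneider",
    "10.10.2.21": "plc_omron",
}
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.11", "tcp", 1105),   # EWS programming a TM2xx: expected
    Flow("10.10.2.11", "10.10.2.12", "udp", 1740),   # PLC-to-PLC discovery: pivot indicator
    Flow("10.10.1.20", "10.10.2.21", "tcp", 9600),   # HMI on the Omron engineering port
    Flow("10.10.1.10", "198.51.100.7", "tcp", 443),  # EWS reaching outside the site
    Flow("10.10.1.20", "10.10.2.11", "tcp", 502),    # HMI polling Modbus/TCP: expected
]


def run_sample():
    return evaluate_flows(SAMPLE_FLOWS, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.rule:32} {a.flow.src} -> {a.flow.dst} {a.flow.proto}/{a.flow.dport}")
```

In practice the inventory comes from the site asset register and the flows from a span-port or flow exporter; the checks stay the same.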
#### Schneider Electric Technology Mitigations

Table 2: Schneider Electric Technology Mitigations

|Action|Target|
|---|---|
|Change default credentials|Where feasible, in conjunction with operations and site personnel, for Schneider Electric TM2xx series PLCs: beginning with firmware 5.0, the devices use the default credentials 'Administrator'/'Administrator', and these should be changed to a complex password using the EcoStruxure software.|
|Restrict access to UDP/1740-1743, TCP/1105, and TCP/11740|For all Schneider Electric TM2xx series PLCs.|
|Restrict access to TCP/11740|For non-Schneider PLCs known to communicate on this port from the engineering workstation.|
|Disable the Schneider NetManage discovery service|In conjunction with operations and site personnel, disable the Schneider NetManage discovery service, as it is used by CHERNOVITE to discover PLCs (see VA-2019-02).|
|Monitor affected PLCs for new outbound connections|Look for communications to other PLCs on the network on UDP/1740-1743, TCP/1105, and TCP/11740.|
|Validate the engineering workstation software (EcoStruxure Machine Expert)|Remove unnecessary software. If possible, apply application allow listing software on the workstation. Restrict the workstation from making outbound network connections, especially to Internet services.|

#### Omron Technology Mitigations

Table 3: Omron Technology Mitigations

|Action|Target|
|---|---|
|Restrict access to TCP/80, TCP/9600, and UDP/9600|For all Omron PLCs. Only allow EWS systems to communicate on these ports.|
|Validate the engineering workstation software (Omron Sysmac/CX-One/NX IO Configurator)|Remove unnecessary software. If possible, apply application allow listing software on the workstation. Restrict the workstation from making outbound network connections, especially to Internet services.|

#### OPC-UA Mitigations

Table 4: OPC-UA Mitigations

|Action|Target|
|---|---|
|Enable OPC-UA security|Ensure OPC-UA security is correctly configured with application authentication enabled and explicit trust lists. Ensure the certificate private keys and user passwords are stored securely. Ensure mDNS (which actively broadcasts the location of OPC-UA servers) is disabled on all machines. ICS operators can, in most cases, manage the security configuration of their OPC-UA devices using their engineering workstation software. Using "sign-only" security mode with OPC-UA is optimal for ICS environments that leverage network monitoring solutions (like the Dragos Platform). Sign-only security mode sends messages unencrypted but with an authentication code that allows receivers to be sure the message came from a trusted sender. This protects against tools like MOUSEHOLE that send unauthorized messages to OPC-UA clients and servers, while still allowing the packets to be inspected by network security devices. Specific recommendations for OPC-UA security best practices can be found on the OPC Foundation’s website: https://opcfoundation.org/UA/Security/BestPractices.pdf|

#### MITRE ATT&CK for ICS Techniques

In addition, focus detection and monitoring efforts on the TTPs outlined in this document, including the following:

Table 5: MITRE ATT&CK for ICS Techniques

|Activity|MITRE ATT&CK for ICS Technique|
|---|---|
|File Transfer of PIPEDREAM|T1544 Remote File Copy; T1105 Ingress Tool Transfer|
|PIPEDREAM Execution|T1059 Command and Scripting Interpreter|
|PIPEDREAM Interrogate Windows System|T1047 Windows Management Instrumentation|
|BADOMEN Telnet Login Bypass|T1552.001 Unsecured Credentials: Credentials in Files|
|BADOMEN HTTP Login Bypass|T1552.001 Unsecured Credentials: Credentials in Files|
|BADOMEN Get PLC Status|T0868 Detect Operating Mode|
|BADOMEN PLC Read Operation|T0888 Remote System Information Discovery|
|BADOMEN HTTP Encrypted Post|T1573 Encrypted Channel|
|BADOMEN Activate Telnet|T1021 Remote Services|
|BADOMEN File Upload|T1544 Remote File Copy|
|EVILSCHOLAR Password Brute Force Attempt|T1110 Brute Force|
|EVILSCHOLAR Denial of Service Attempt|T0814 Denial of Service|
|EVILSCHOLAR Initial Communication Attempt|T0869 Standard Application Layer Protocol|
|EVILSCHOLAR Unauthorized Login|T1078 Valid Accounts|
|File Transfer of LAZYCARGO|T1544 Remote File Copy|
|MOUSEHOLE Scan for Devices|T1046 Network Service Scanning|
|MOUSEHOLE Initial Device Connectivity|T0869 Standard Application Layer Protocol|

#### OT Best Practices

###### MONITOR EAST-WEST ICS NETWORKS WITH ICS PROTOCOL AWARE TECHNOLOGIES

Perform network traffic monitoring with a focus on East-West communications instead of simply North-South (ingress/egress) communications. PIPEDREAM’s ability to move from Engineering Workstation to PLC and then from PLC to PLC means that simply monitoring North-South communications or putting emphasis on segregation will be insufficient.
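The OPC-UA guidance in Table 4 above can be checked against what a server actually advertises to its clients. The following is an added example, not Dragos Platform content: it audits constructed GetEndpoints-style endpoint descriptions (placeholder hostnames) for missing message security, anonymous or cleartext user tokens, and deprecated security policies, and marks sign-only endpoints as the preferred posture for monitored networks.

```python
"""Audit OPC-UA endpoint descriptions against the Table 4 guidance (added example).

Input is the list of EndpointDescription records a server returns to
GetEndpoints, reduced to plain dicts. The sample below is constructed and
its hostnames are placeholders.
"""
from dataclasses import dataclass

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
NO_POLICY = POLICY_BASE + "None"
# SHA-1 based policies the OPC UA specification has deprecated.
WEAK_POLICIES = {POLICY_BASE + "Basic128Rsa15", POLICY_BASE + "Basic256"}


@dataclass(frozen=True)
class Finding:
    endpoint: str
    severity: str  # "high", "medium" or "info"
    issue: str


def audit_endpoint(ep):
    """Return the findings for one endpoint description."""
    url, mode, policy = ep["endpointUrl"], ep["securityMode"], ep["securityPolicyUri"]
    findings = []
    if mode == "None" or policy == NO_POLICY:
        # No application authentication: a client such as MOUSEHOLE can read and
        # write nodes without proving who it is.
        findings.append(Finding(url, "high", "no message security on endpoint"))
    elif policy in WEAK_POLICIES:
        findings.append(Finding(url, "medium", "deprecated security policy " + policy.split("#")[1]))
    for tok in ep.get("userIdentityTokens", []):
        if tok["tokenType"] == "Anonymous":
            findings.append(Finding(url, "high", "anonymous user token accepted"))
        elif tok["tokenType"] == "UserName":
            # The password is encrypted under the token policy's own
            # securityPolicyUri; when that is absent the endpoint's policy applies.
            if (tok.get("securityPolicyUri") or policy) == NO_POLICY:
                findings.append(Finding(url, "high", "username/password token sent in cleartext"))
    if not findings and mode == "Sign":
        # Table 4's preferred posture: authenticated messages that network
        # monitoring can still inspect.
        findings.append(Finding(url, "info", "sign-only: authenticated and inspectable"))
    return findings


def audit_endpoints(endpoints):
    return [f for ep in endpoints for f in audit_endpoint(ep)]


# Constructed sample: three endpoints as a gateway and a historian might advertise them.
SAMPLE_ENDPOINTS = [
    {   # gateway left at defaults
        "endpointUrl": "opc.tcp://opcua-gateway.example:4840",
        "securityMode": "None",
        "securityPolicyUri": NO_POLICY,
        "userIdentityTokens": [{"tokenType": "Anonymous"}, {"tokenType": "UserName"}],
    },
    {   # recommended posture for monitored ICS networks
        "endpointUrl": "opc.tcp://opcua-gateway.example:4841",
        "securityMode": "Sign",
        "securityPolicyUri": POLICY_BASE + "Basic256Sha256",
        "userIdentityTokens": [{"tokenType": "UserName",
                                "securityPolicyUri": POLICY_BASE + "Basic256Sha256"}],
    },
    {   # encrypted, but with a policy the specification has retired
        "endpointUrl": "opc.tcp://historian.example:4840",
        "securityMode": "SignAndEncrypt",
        "securityPolicyUri": POLICY_BASE + "Basic128Rsa15",
        "userIdentityTokens": [{"tokenType": "Certificate"}],
    },
]


def run_sample():
    return audit_endpoints(SAMPLE_ENDPOINTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:6}] {f.endpoint}: {f.issue}")
```

Trust-list contents and mDNS state are not visible in endpoint descriptions and still have to be verified on the server itself.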
Specifically, look for modifications to PLCs occurring outside of maintenance periods, such as the changing of logic using native ICS protocols.

###### PLC NETWORK TELEMETRY ANALYSIS

Monitor for unusual interactions with PLCs from non-standard workstations or accounts.

###### ISOLATE MISSION CRITICAL SKID SYSTEMS

Consider implementing hardwired I/O between critical skid systems and distributed control system I/O in place of direct communications, if feasible.

###### NETWORK ISOLATION OF SAFETY SYSTEMS

Ensure network isolation for safety system components, monitor safety system networks for new connections or devices, and verify that all configuration changes are compliant with change management procedures.

#### Long-Term Readiness

###### ICS-FOCUSED INCIDENT RESPONSE PLAN

Create and update an ICS-focused Incident Response (IR) plan with accompanying Standard Operating Procedures (SOP) and Emergency Operating Procedures (EOP) for operating with a hampered or degraded control system. Conduct a tabletop exercise focused on CHERNOVITE’s ICS Cyber Kill Chain with an emphasis on PIPEDREAM; use this opportunity to identify process and collection gaps that could hinder detection and response efforts.

###### SPARE PARTS INVENTORY

Create and update a spare parts inventory for critical control system components, including hardware, software, firmware, configuration backups, and licensing information. Develop plans and procedures for sourcing and procurement of critical control system components. Consider the implementation of cold backups for rapid replacement of ICS level one devices.

### FREQUENTLY ASKED QUESTIONS

**If I do not have Schneider Electric or Omron in my network, should I care about PIPEDREAM?**

Yes, the capabilities reach further than the Schneider Electric and Omron vendors. The CODESYS protocol is used in hundreds of controllers far beyond Schneider Electric and Omron. Additionally, MOUSEHOLE targets and compromises OPC-UA servers. OPC is an interoperability standard for the secure exchange of industrial automation data. It is designed to be platform-agnostic so devices from different vendors can exchange information.

- … environment, or validate that the system has not been modified, could we?
- If the processes that use these devices or protocols are disrupted, is there a cybersecurity component in place to determine root cause and whether an attack has occurred?
- Do we have an incident response plan that factors in the loss of any of these devices? What monitoring do we have in place to ensure it is not impacted?

Multiple Industrial Ethernet (IE) protocols in manufacturing processes and plants — such as EtherNet/IP, PROFINET, or EtherCAT — are used across different networks to meet specific topology requirements and communication speeds or latency guarantees. Although these communication protocols are open, they are often incompatible, resulting in fragmented networks that cannot “speak” to each other. OPC-UA was developed to solve this problem by allowing industrial devices operating with different protocols and on different platforms (Windows, Mac, or Linux, for example) to communicate with each other. OPC-UA goes beyond Industrial Ethernet in reach, including devices from the lowest level of the automation pyramid — such as field devices that deal with real-world data, such as sensors, actuators, and motors — to the highest levels, such as Supervisory Control and Data Acquisition (SCADA), Manufacturing Execution Systems (MES), and Enterprise Resource Planning (ERP) systems, as well as to the cloud.[1]

**What’s the attribution?**

Dragos does not make assessments about attribution. It is Dragos’s position that what is valuable to a significant majority of defenders is understanding the “what and how, not who.” Additionally, given the unique geopolitical nature of malicious capabilities and operations targeting critical national infrastructure, it could be disruptive to security efforts to focus on attribution.

**What could the original equipment manufacturers have done differently?**

The original equipment manufacturers (OEM), Schneider Electric and Omron, were targets but did not do anything wrong. Each time malware families target ICS, conversations emerge about the OEM. However, product security is not the same thing as ICS security. CHERNOVITE takes advantage of the native functionality available in the industrial environment and does not rely on vulnerabilities in the ICS equipment to achieve its operations. Any focus on the OEMs is misplaced; based on the Dragos analysis, it is likely that the adversary will develop modules against numerous equipment vendors.

1 Source: https://www.motioncontroltips.com/what-is-opc-ua-and-how-does-it-compare-with-industrial-ethernet/