New Malware Can Kill Engineering Processes in ICS Environments
Summary:
Recent research by Forescout's Vedere Labs examines how malware reaches operational technology (OT) and industrial control system (ICS) environments. Engineering workstations, which sit at Levels 2 and 3 of the Purdue model, have become a significant target because of their dual role: they run specialized engineering software, such as Siemens TIA Portal or Mitsubishi GX Works, to program and manage field devices, while also being connected to the IT network. That connectivity to both IT systems and field-level devices creates a critical attack surface that adversaries increasingly exploit.
Malware reaches OT environments through several vectors. In two cases, the Ramnit worm infected Mitsubishi engineering workstations by appending its code to legitimate engineering software executables, underscoring the risk of running outdated or unverified software on these hosts. In addition, automated botnets such as Aisuru, Kaiten, and Gafgyt exploit internet-exposed OT devices, often logging in with default credentials. These botnets can also wipe sensitive directories, either to disrupt operations or to obscure their presence.
Security Officer Comments:
A notable discovery was Chaya_003, a new malware strain designed specifically for OT environments. It enumerates running processes with the Windows CreateToolhelp32Snapshot API and terminates those belonging to Siemens engineering software, including TIA Portal. To evade detection it runs under the names of legitimate processes. For command-and-control, Chaya_003 uses Discord webhooks to relay information and receive tasking. Because that traffic goes to a legitimate, widely used service over HTTPS, it blends in with normal web activity and is hard to block by reputation alone; on an engineering workstation that should never reach the internet, however, any such connection is itself a strong indicator. The reliance on legitimate C2 services demonstrates the increasing sophistication of OT-specific threats.
Suggested Corrections:
Harden Engineering Workstations
- Identify all workstations connected to your OT network
- Assess their software versions, open ports, credentials, and endpoint protection software
- Ensure all software is updated to the latest vendor-supported versions and that endpoint protection is enabled and up to date.
Segment the Network
- Avoid directly exposing engineering workstations to the internet
- Properly segment networks to isolate IT, IoT and OT devices
- Limit network connections to authorized management and engineering workstations, and to the specific unmanaged devices that genuinely need to communicate with each other.
Monitor for Threats
- Deploy monitoring solutions that can detect malicious indicators, such as known IT malware.
- Identify suspicious behaviors, such as the termination of sensitive processes, across both IT and OT systems.
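The following is an added example, not code from Forescout or from the article, showing what the monitoring recommendation above looks like in practice for the Chaya_003 behaviours described in the Security Officer Comments. It runs detection logic over constructed Sysmon-style events (JSON lines) from an engineering workstation and flags three things: a process obtaining PROCESS_TERMINATE access to a Siemens engineering process (Sysmon Event ID 10), a process started under a well-known Windows binary name from an unexpected directory (Event ID 1), and an outbound connection to Discord webhook infrastructure (Event ID 3). The process names, allowlist, expected directories, and webhook hosts are assumptions for illustration and must be tuned to the site; the sample events are constructed, not captured telemetry.

```python
"""Flag Chaya_003-style behaviour in Sysmon-style JSON-lines telemetry (added example)."""
import json
from pathlib import PureWindowsPath

PROCESS_TERMINATE = 0x0001  # Win32 access-right bit, tested against Sysmon GrantedAccess

# Assumed names of Siemens engineering processes (TIA Portal is Siemens.Automation.Portal.exe);
# extend with the site's own engineering software.
SENSITIVE_NAMES = {"siemens.automation.portal.exe"}
SENSITIVE_PREFIXES = ("siemens.automation.",)

# Assumed allowlist of processes expected to open engineering processes with terminate rights.
TERMINATE_ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

# Assumed expected directories for commonly impersonated Windows binaries.
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Discord webhooks are served under discord.com/api/webhooks/; discordapp.com is the legacy name.
WEBHOOK_HOSTS = ("discord.com", "discordapp.com")


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _dirname(image: str) -> str:
    return str(PureWindowsPath(image).parent).lower()


def is_sensitive(image: str) -> bool:
    """True if the image name matches an engineering process we want to protect."""
    name = _basename(image)
    return name in SENSITIVE_NAMES or name.startswith(SENSITIVE_PREFIXES)


def check_event(ev: dict) -> list:
    """Return alert strings for one Sysmon-style event dict (empty list if benign)."""
    alerts = []
    eid = ev.get("EventID")
    if eid == 10:  # ProcessAccess: who opened a handle to whom, and with which rights
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if (is_sensitive(ev["TargetImage"]) and granted & PROCESS_TERMINATE
                and ev["SourceImage"].lower() not in TERMINATE_ALLOWLIST):
            alerts.append(f"terminate-access: {ev['SourceImage']} -> {ev['TargetImage']}")
    elif eid == 1:  # ProcessCreate: a known name launched from the wrong directory
        expected = EXPECTED_DIRS.get(_basename(ev["Image"]))
        if expected and _dirname(ev["Image"]) != expected:
            alerts.append(f"masquerade: {ev['Image']} (expected in {expected})")
    elif eid == 3:  # NetworkConnect: engineering hosts should never talk to Discord
        host = ev.get("DestinationHostname", "").lower()
        if host and any(host == h or host.endswith("." + h) for h in WEBHOOK_HOSTS):
            alerts.append(f"webhook-c2: {ev['Image']} -> {host}:{ev.get('DestinationPort')}")
    return alerts


def scan(ndjson_text: str) -> list:
    """Run check_event over every non-empty JSON line and collect the alerts in order."""
    alerts = []
    for line in ndjson_text.splitlines():
        if line.strip():
            alerts.extend(check_event(json.loads(line)))
    return alerts


# Constructed sample telemetry: a fake svchost.exe in %TEMP% opens TIA Portal with
# terminate rights and then calls out to Discord; the other lines are benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Users\\eng\\AppData\\Local\\Temp\\svchost.exe", "TargetImage": "C:\\Program Files\\Siemens\\Automation\\Portal V17\\bin\\Siemens.Automation.Portal.exe", "GrantedAccess": "0x1"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Program Files\\Siemens\\Automation\\Portal V17\\bin\\Siemens.Automation.Portal.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\ExampleEDR\\agent.exe", "TargetImage": "C:\\Program Files\\Siemens\\Automation\\Portal V17\\bin\\Siemens.Automation.Portal.exe", "GrantedAccess": "0x1000"}
{"EventID": 1, "Image": "C:\\Users\\eng\\AppData\\Local\\Temp\\svchost.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 3, "Image": "C:\\Users\\eng\\AppData\\Local\\Temp\\svchost.exe", "DestinationHostname": "discord.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Siemens\\Automation\\Portal V17\\bin\\Siemens.Automation.Portal.exe", "DestinationHostname": "plc-01.ot.example", "DestinationPort": 102}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The three checks are deliberately independent so that each can be tuned or disabled on its own: the terminate-access rule is the most specific to this family, the masquerade rule catches the evasion trick regardless of which process the malware goes after, and the webhook rule is a blunt but effective control on any host that has no business reaching the internet.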
Link(s):
https://www.infosecurity-magazine.com/news/malware-engineering-ics/
https://www.forescout.com/blog/ics-...ental-malware-can-kill-engineering-processes/