Insights > Network Visibility + Security

How Network Segmentation Can Mitigate Pipedream Attacks on Critical Infrastructure

2022-04-27  |  5 min read 

If your air-gapped OT network dodged the SolarWinds hack, skated past the Log4J vulnerability, and avoided Okta, that’s excellent, but you should still check out PipeDream.

PipeDream, more nightmare than vain hope, is said to be capable of executing 38% of known Mitre Attack ICS techniques, and 83% of known ICS attack tactics.

Recently identified by Dragos, PipeDream is not just malware, but a customizable malware toolkit that in its current version, can operate Schneider Electric and Omron PLCs as well as a large variety of industrial PLCs and industrial software. PipeDream can attack common technologies like CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA).

Affected products include the following. (For a complete list of affected Schneider and Omron models, please see Joint CISA Cybersecurity Advisory AA22-103A:

  1. Schneider Electric Modicon and Modicon Nano PLCs
  2. Omron Sysmac NJ and NX PLCs
  3. OPC UA servers

What is PipeDream?

CISA warns that PipeDream's customizable tools allow hackers to scan for, compromise, and control affected ICS/SCADA devices on an OT network. Once inside your OT network, the tools enable: lateral movement between OT and IT networks, reconnaissance on device details, upload of malicious code, backup and restore device contents, and the ability to modify device parameters. See Joint Cybersecurity Advisory AA22-103A.

PipeDream has modules for Schneider Electric capable of:

  1. 27127 discovery scan to identify Schneider PLCs on the network
  2. Brute force attack of PLC passwords
  3. DDoS attack to prevent network communications with the affected PLC device
  4. Forced re-authentication to steal credentials
  5. Packet of Death attack to crash the PLC
  6. Transmission of custom Modbus commands to the PLC

PipeDream also has modules for Omron devices that give attackers the ability to:

  1. Scan for Omron FINS protocol
  2. Analyze HTTP responses sent from Omron devices
  3. Retrieve MAC address of Omron devices
  4. Poll Omron devices connected to the PLC
  5. Backup and Restore files to/from the PLC
  6. Upload an agent onto the PLC to allow file manipulation, packet capture, and remote execution of code

Not to be left out, PipeDream also has modules for OPC UA that can:

  1. Identify OPC UA servers
  2. Connect to OPC UA servers
  3. Read the OPC UA structure
  4. Write tag values

CISA Joint Cybersecurity Advisory AA22-103A includes a call out action box on page one titled Actions to Take Today, that includes: (1) multifactor authentication, (2) regularly scheduled ICS password changes, and (3) implementing a continuous network monitoring and alert system. Note that this section is not called Things You can Complete in a Single Day.

Advisory AA22-103A also includes a section on page 3 called Mitigation that includes more than a dozen suggestions, the first of which describes isolating ICS/SCADA systems from corporate and internet networks using strong perimeter controls, and limiting communications entering or leaving ICS/SCADA perimeters. Physical isolation is part of a larger strategy called Network Segmentation, and Network Segmentation is just one component of the robust strategy needed to defend OT and Critical Infrastructure. It’s a hot topic, but more importantly, according to Patrick Miller, CEO Ampere Industrial Security, “it’s in Executive Orders, it’s in Standards, it’s in Regulations, and the National Security Memo…”.

With all the attention our Critical Infrastructure has received since the Colonial Pipeline attack on May 7, 2021 Network Segmentation is an Action you Should Take Today.

What is Network Segmentation?

We've provided a quick overview of Network Segmentation and why it’s necessary for Critical Infrastructure (even before PipeDream). Please join me in this 6th and final video interview in the series with Patrick Miller.