Cybersecurity & Infrastructure Security Agency (CISA) Alert AA22-103A (aka PIPEDREAM) and Software Toolbox OPC UA Server Products
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have identified certain Advanced Persistent Threat (APT) tools that can be used by bad actors to gain access to improperly secured industrial control systems. These tool sets are referred to by names including PIPEDREAM, BADOMEN, EVILSCHOLAR, LAZYCARGO, and MOUSEHOLE and originate from a threat actor known as CHERNOVITE. Names such as INCONTROLLER, TAGRUN, CODECALL, and OMSHELL have also been used for the same tools. They include one for accessing Schneider Electric PLCs directly (EVILSCHOLAR or CODECALL), one for accessing Omron Sysmac NEX PLCs directly (BADOMEN or OMSHELL) and one for accessing improperly secured OPC UA servers to use them as a means to discover the locations of PLCs (MOUSEHOLE or TAGRUN).
How does this affect me?
Reference IDs
CISA: AA22-103A
Some have interpreted the report to suggest that the identified APT tools compromise OPC UA servers in general. Although this latest round of attacks on Industrial Control Systems is very serious, the danger is to OPC UA servers that have NOT been properly secured per industry, OPC Foundation, IT, and Software Toolbox best practices for securing OPC UA servers.
Although the impacts of compromise are very serious, it is not technically accurate to say that PIPEDREAM universally compromises OPC UA servers. Full details about PIPEDREAM are available on the CISA website for Advisory # AA22-103A.
Regarding OPC UA, the CISA advisory states:
"The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA"
The OPC Foundation has also published a response regarding this security alert available here that clarifies where the risk to OPC UA servers lies from PIPEDREAM.
Users are responsible for maintaining a secure environment consistent with their company's security standards and for following their company's change management practices when installing and configuring software. In the absence of company standards, users should consider US NIST guidelines. This includes but is not limited to using effective credentials, securing them properly, and monitoring for compromise.
For the APT tools specifically targeting Schneider Electric (EVILSCHOLAR) and Omron PLCs (BADOMEN), those tools are designed to access the PLCs directly and do NOT use any Software Toolbox drivers or solutions for that access. Users of those PLCs should follow the recommendations in the CISA advisory to secure their PLCs against these tools.
What OPC UA Server users are at risk?
It is important to understand that this vulnerability only potentially affects OPC UA Server solutions that:
- Have their OPC UA interface enabled (whether they're actively using it or not). If NOT using OPC UA, you should keep the OPC UA server interface disabled as a best practice as you should for any unused interface.
- Are configured to allow Anonymous log-in (i.e. are not configured to require user authentication either via username/password or certificate, where supported).
- Have configured user credentials that are not being properly secured and regularly changed by individuals in the organization (i.e. user credentials are potentially accessible to third-party bad actors and aren't being changed regularly).
- Have an OPC UA endpoint configured and enabled that is accessible externally to the local network and/or from remote networks.
If none of these conditions is true (i.e. your OPC UA server machines are isolated from remote network access, you have authentication enabled on your OPC UA servers, and your users are properly securing and regularly changing their credentials), your OPC UA server installations should not be affected by this vulnerability. If ANY of these conditions changes, this statement no longer holds.
If the conditions above are true, but the server is behind a secure firewall that allows no access to the OPC UA server from outside the company network, the attack surface is reduced but not to zero. The PIPEDREAM toolset is of particular concern because of its ability to execute on multiple attack vectors to find weak points. There is always risk from users who have physical access to the company's computers or networks together with valid user credentials for your OPC UA servers; only users who need access should be granted it, and with the lowest rights required to do their job. Because of PIPEDREAM's wide-reaching impact, users should not be complacent and rely on statements like "we are behind a firewall, so we are fine" or "we always use VPNs for remote access, so we are fine".
Each customer company must assess its security risk and stance and must involve its Cyber-security professionals in assessing the risk; we can answer questions for those parties if needed. Again, in the absence of company standards, users should consider US NIST guidelines.
What will happen if your OPC UA Server is attacked?
If a bad actor gains access to your OPC UA server, they will have access to any and all functions that a normal OPC UA client application has, including but not limited to the following:
- If left unsecured or compromised, OPC UA servers can be used to discover control devices on the network, along with their node IDs and addresses, via the Browse functions, and values can then be written to those nodes.
- OPC UA servers could be flooded with write requests, causing them to become unresponsive and preventing visibility into processes by HMI, SCADA, MES, and other client applications.
- Invalid parameters could be written to OPC UA nodes/variables, compromising the operation of the automation equipment connected to the OPC UA server.
- Where OPC UA driver and/or server settings are available via system tags (such as in TOP Server), settings could be altered to incorrect values, interrupting communication.
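The abuse patterns listed above (an anonymous session walking the address space with Browse and then writing, and a burst of Write requests) can be looked for in server audit logs. The following detection logic is an added example and is not part of this bulletin or of any Software Toolbox product; the record format is a constructed, simplified audit record (one dict per service call), so the field names are assumptions to be mapped onto whatever your server actually logs.

```python
"""Flag OPC UA sessions whose activity matches the abuse patterns in the bulletin.

Added example, not part of the Software Toolbox bulletin. Each record below is a
constructed audit entry with the assumed fields ts/session/user/op/node.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one entry per OPC UA service call seen by the server.
SAMPLE_RECORDS = [
    # Normal HMI session: authenticated user, reads only.
    {"ts": "2022-04-14T10:00:00", "session": "hmi-1", "user": "operator", "op": "Read", "node": "ns=2;s=Line1.Speed"},
    {"ts": "2022-04-14T10:00:05", "session": "hmi-1", "user": "operator", "op": "Read", "node": "ns=2;s=Line1.Speed"},
    # Suspicious session: anonymous login, walks the address space, then writes.
    {"ts": "2022-04-14T10:01:00", "session": "sess-9", "user": None, "op": "Browse", "node": "i=85"},
    {"ts": "2022-04-14T10:01:01", "session": "sess-9", "user": None, "op": "Browse", "node": "ns=2;s=Line1"},
    {"ts": "2022-04-14T10:01:02", "session": "sess-9", "user": None, "op": "Browse", "node": "ns=2;s=Line1.Setpoints"},
    {"ts": "2022-04-14T10:01:10", "session": "sess-9", "user": None, "op": "Write", "node": "ns=2;s=Line1.Setpoints.Speed"},
    # Thirty writes inside one minute from the same session (a write flood).
    *[{"ts": f"2022-04-14T10:02:{i:02d}", "session": "sess-9", "user": None, "op": "Write",
       "node": "ns=2;s=Line1.Setpoints.Speed"} for i in range(0, 60, 2)],
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def _has_burst(times, threshold, window):
    """True if more than `threshold` timestamps fall inside any `window`-long span."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False


def analyze(records, flood_threshold=20, window=timedelta(seconds=60)):
    """Return {session: [finding, ...]} for sessions matching at least one pattern."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)

    findings = {}
    for session, ops in by_session.items():
        ops.sort(key=lambda r: _parse(r["ts"]))  # logs may arrive out of order
        hits = []
        # Condition from the bulletin: anonymous log-in allowed and used.
        if any(r["user"] is None for r in ops):
            hits.append("anonymous_session")
        # Discovery followed by writes: Browse calls before the first Write.
        first_browse = next((i for i, r in enumerate(ops) if r["op"] == "Browse"), None)
        if first_browse is not None and any(r["op"] == "Write" for r in ops[first_browse + 1:]):
            hits.append("browse_then_write")
        # Write flood: more than flood_threshold writes within one window.
        writes = [_parse(r["ts"]) for r in ops if r["op"] == "Write"]
        if _has_burst(writes, flood_threshold, window):
            hits.append("write_flood")
        if hits:
            findings[session] = hits
    return findings


if __name__ == "__main__":
    for session, hits in analyze(SAMPLE_RECORDS).items():
        print(session, ", ".join(hits))
```

The thresholds are starting points: an engineering workstation legitimately browses and then writes, so "browse_then_write" on an authenticated session is a review item rather than an alert on its own, while the same pattern on an anonymous session, or any write burst against setpoints, is worth paging on.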
What should you do to manage and mitigate risk?
Each user company must assess their security risk and stance and should involve their company Cyber-security professionals to assess the risk, and we can answer questions for those parties if needed.
In general, if you are running OPC UA clients and servers:
- You should have security and encryption enabled at the highest available level
- Authentication should be configured with very secure passwords meeting the most stringent length and complexity requirements
- If you have OPC UA interfaces turned on that are not in use and not planned for use, you need to disable them.
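The risk conditions listed earlier (anonymous log-in, weak or absent message security, externally reachable endpoints) and the recommendations just above can be checked against the endpoint descriptions a server advertises through the OPC UA GetEndpoints service. The following audit is an added example and not part of this bulletin or any Software Toolbox product; the endpoint dicts are constructed, and their field names mirror the OPC UA EndpointDescription structure (endpointUrl, securityMode, securityPolicyUri, userIdentityTokens) as an assumed shape. A real audit would fill them from a GetEndpoints response rather than from literals.

```python
"""Audit OPC UA endpoint descriptions against the exposure conditions in the bulletin.

Added example, not part of the Software Toolbox bulletin. The endpoints below are
constructed; the dict layout is an assumption modelled on OPC UA EndpointDescription.
"""
from ipaddress import ip_address
from urllib.parse import urlparse

# Well-known OPC UA security policy URI that means no signing and no encryption.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

# Constructed sample endpoints (port 4840 is the standard OPC UA port).
SAMPLE_ENDPOINTS = [
    {   # Hardened: loopback only, SignAndEncrypt, no anonymous token.
        "endpointUrl": "opc.tcp://127.0.0.1:4840",
        "securityMode": "SignAndEncrypt",
        "securityPolicyUri": POLICY_B256,
        "userIdentityTokens": [{"tokenType": "UserName"}, {"tokenType": "Certificate"}],
    },
    {   # Weak: all interfaces, no security, anonymous log-in allowed.
        "endpointUrl": "opc.tcp://0.0.0.0:4840",
        "securityMode": "None",
        "securityPolicyUri": POLICY_NONE,
        "userIdentityTokens": [{"tokenType": "Anonymous"}, {"tokenType": "UserName"}],
    },
    {   # Partially hardened: signed but not encrypted, anonymous still allowed.
        "endpointUrl": "opc.tcp://plc-gateway.example.internal:4840",
        "securityMode": "Sign",
        "securityPolicyUri": POLICY_B256,
        "userIdentityTokens": [{"tokenType": "Anonymous"}, {"tokenType": "UserName"}],
    },
]


def audit_endpoint(ep):
    """Return the list of bulletin conditions this endpoint violates (empty if none)."""
    findings = []
    if ep["securityPolicyUri"] == POLICY_NONE or ep["securityMode"] == "None":
        findings.append("security_policy_none")          # no signing, no encryption
    if ep["securityMode"] != "SignAndEncrypt":
        findings.append("not_sign_and_encrypt")          # below the highest available level
    if any(t["tokenType"] == "Anonymous" for t in ep["userIdentityTokens"]):
        findings.append("anonymous_login_allowed")       # no user authentication required
    return findings


def classify_exposure(endpoint_url):
    """Describe where the endpoint listens so it can be checked against firewall rules."""
    host = urlparse(endpoint_url).hostname
    try:
        addr = ip_address(host)
    except ValueError:
        return f"hostname:{host}"            # resolve and review the bound address
    if addr.is_loopback:
        return "loopback"                    # reachable from this machine only
    if addr.is_unspecified:
        return "all_interfaces"              # 0.0.0.0 / :: binds every interface
    return f"address:{host}"                 # review reachability from other networks


def meets_bulletin_baseline(ep):
    """True when the endpoint requires authentication and SignAndEncrypt."""
    return not audit_endpoint(ep)


def audit(endpoints):
    """Map each endpoint URL to its exposure class and list of findings."""
    return {
        ep["endpointUrl"]: {"exposure": classify_exposure(ep["endpointUrl"]),
                            "findings": audit_endpoint(ep)}
        for ep in endpoints
    }


if __name__ == "__main__":
    for url, result in audit(SAMPLE_ENDPOINTS).items():
        status = "OK" if not result["findings"] else "REVIEW"
        print(f"{status:6} {url} [{result['exposure']}] {', '.join(result['findings'])}")
```

An endpoint that is unused but still enabled will show up in this listing even though it produces no findings; that is the cue to disable the interface, since the audit can only evaluate what the server advertises, not whether anyone needs it.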
For general recommendations and best practices for mitigating vulnerabilities and ensuring your Software Toolbox OPC UA Server installations are as secure as possible, including product specific recommendations and instructions, please refer to the following free resources.
- Exploring Cybersecurity Concepts E-Book (for general security, OPC UA guidelines and Software Toolbox product specific recommendations)
- TOP Server Secure Deployment Considerations Guide
You may also want to consult these EXTERNAL resources:
- Security.org's "How secure is my password" checker - shows how long it would take someone to brute-force a password
- CISA Advisory # AA22-103A which includes an extensive suggested list of mitigations
- OPC Foundation OPC UA Security Best Practices
- Dragos' Blog CHERNOVITE'S PIPEDREAM: Malware Targeting Industrial Control Systems
- Mandiant’s Blog – INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems
If you have any further questions regarding this bulletin, please submit a support request.