PIPEDREAM Malware against Industrial Control Systems

Another nation-state malware, Russian in origin:

In the early stages of the war in Ukraine in 2022, PIPEDREAM, a known piece of malware, was quietly on the brink of wiping out a handful of critical U.S. electric and liquid natural gas sites. PIPEDREAM is an attack toolkit with unmatched and unprecedented capabilities developed for use against industrial control systems (ICSs).

The malware was built to manipulate the network communication protocols used by programmable logic controllers (PLCs) leveraged by two critical producers of PLCs for ICSs within the critical infrastructure sector, Schneider Electric and OMRON.

CISA advisory. Wired article.

Posted on May 9, 2023 at 11:20 AM • 5 Comments


Wannabe tecguy May 9, 2023 8:06 PM

I presume they are able to do this because of systems connected to the internet that shouldn’t be.

Andrew N Johnson May 9, 2023 8:49 PM

“Shouldn’t be” is impractical in today’s world. When the nearest qualified technician is many hours travel away from an installation you really don’t want to have to send people to a remote site just to make an adjustment that could be done from a central control room in a few minutes. The issue is in how secure the communications channels should be, but the internet is going to be involved somewhere to keep down costs, reduce the MTTR when there is a problem, and to provide remote monitoring to allow for proactive maintenance.

lurker May 9, 2023 9:33 PM

@Andrew N Johnson
“… the internet is going to be involved somewhere to keep down costs …”

I hear an echo from nearly 40 years ago about “those university freeloaders on the DARPAnet … ”

If it’s critical infrastructure then the cost of running it includes the cost of keeping it secure. But we’re already on the back foot, because the PLC targets were designed and built back in the day when “who would have thought anyone would attack this over the net?” So the very control protocols are wide open, all the more reason to keep the communication channels out of reach of stinky fingers.
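The post describes malware built to manipulate the network protocols that PLCs speak, and lurker's comment above makes the point that those control protocols were designed without authentication. As an added illustration, not part of the post or of any comment, here is a small Python audit in the defender's position: it parses Modbus/TCP (assumed here as a representative PLC protocol; the page names no specific protocol), separates state-changing function codes from reads, and flags writes that do not originate from an approved engineering workstation, as well as malformed frames and function codes outside the expected baseline. The hosts, frames and allowlist are constructed sample data.

```python
"""Flag unauthorized or unexpected Modbus/TCP requests seen on a PLC network.

Added example with constructed traffic; the MBAP header layout and function
codes follow the public Modbus specification.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Function codes that change PLC state versus those that only read it.
WRITE_FUNCTIONS: Dict[int, str] = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS: Dict[int, str] = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject inconsistent frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts every byte after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame) - 6}")
    return ModbusRequest(tid, unit, frame[7], bytes(frame[8:]))


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed request frame (used only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


Flow = Tuple[str, str, bytes]          # (source host, destination PLC, raw frame)
Alert = Tuple[str, str, str, str]      # (source, destination, kind, detail)


def audit(flows: Iterable[Flow], allowed_writers: Set[str]) -> List[Alert]:
    """Return one alert per flow that a PLC-network monitor should escalate."""
    alerts: List[Alert] = []
    for src, dst, frame in flows:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, dst, "MALFORMED", str(err)))
            continue
        write_name = WRITE_FUNCTIONS.get(req.function_code)
        if write_name and src not in allowed_writers:
            alerts.append((src, dst, "UNAUTHORIZED_WRITE",
                           f"{write_name} (fc {req.function_code}) to unit {req.unit_id}"))
        elif not write_name and req.function_code not in READ_FUNCTIONS:
            alerts.append((src, dst, "UNEXPECTED_FUNCTION",
                           f"fc {req.function_code} outside the read/write baseline"))
    return alerts


# Constructed sample: one approved engineering workstation and one unknown host.
ALLOWED_WRITERS: Set[str] = {"10.0.1.10"}
SAMPLE_FLOWS: List[Flow] = [
    # routine polling of ten holding registers from the workstation
    ("10.0.1.10", "10.0.2.50", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # a setpoint change from the approved workstation
    ("10.0.1.10", "10.0.2.50", build_request(2, 1, 6, struct.pack(">HH", 0x0010, 0x0001))),
    # a multi-register write from a host that is not allowed to write
    ("10.0.9.77", "10.0.2.50", build_request(3, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00" * 4)),
    # MBAP length field claims 153 bytes but only 2 follow it
    ("10.0.9.77", "10.0.2.50", b"\x00\x04\x00\x00\x00\x99\x01\x03"),
    # device-identification query (fc 43) from the unknown host
    ("10.0.9.77", "10.0.2.50", build_request(5, 1, 43, b"\x0e\x01\x00")),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(*alert, sep=" | ")
```

The allowlist is the mitigation lurker's comment argues for, expressed as a monitoring rule: writes are expected only from the central control room or engineering workstation, so a write from any other address is the signal, regardless of whether the protocol itself checks identity. A real deployment would feed the function from a network tap or passive sensor rather than from an inline list.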

Clive Robinson May 10, 2023 1:41 AM

@ ALL,

Re : All infrastructure is vulnerable and we know it but ignore it.

“PIPEDREAM is an attack toolkit with unmatched and unprecedented capabilities developed for use against industrial control systems (ICSs).”

Hmm really is “Stuxnet” so easily forgotten in the ICTsec industry?

The thing is any engineer working on the design of such systems will tell you why “security is not built in”.

And that is the same reason “Telnet put user passwords in plaintext on the network” many decades before…

In the ICTsec industry learning from previous failings, really does not appear to happen…

A read through this blog using the search term “SCADA” should pull up enough information to tell you just about everything you need to know to start developing your own Stuxnet or PIPEDREAM.

Back well into the last century before our host had started this blog, some of us worked in both the petro-chem and Off Shore industries designing both SCADA and MTU/RTU systems.

Back then the “comms links” were supposedly secure because of the difficulty of getting to them, thus plaintext was “OK”…

We used to call such nonsense in the early InfoSec industry “security by obscurity”…

When our host started his “Cryptogram” news letter, he was told that SCADA systems were highly vulnerable, but at the time appeared not to realise the potential for such attacks. Which given it was a highly specialised apparently non security technology related domain was understandable.

Slowly the world is waking up to this problem the hard way. But quite a bit of very insecure infrastructure can be “in use” for fifty years or half a century…

Despite many warnings for a quarter of a century or more, people still do not realise the insidious nature of insecure communications that is “reachable”.

Perhaps finding your Health Care provider wants to implant totally insecure electronics in you because that’s what they all are “insecure by design” might cause you to pause and think about Communications Security -v- Security by obscurity. Oh and also why ICTsec appears to never learn lessons from its history all of which are certainly in living memory by people still working in the field…

So PIPEDREAM was totally and utterly predictable, with earlier POC attacks even having made big splashes on MSM news… Yet here we are and it has happened… I guess there is just one thing to say,

Unless the ICTsec Industry stops sleepwalking around this will happen again within the next decade.

Anyone want to place a small wager against that?

Matej Kovacic May 10, 2023 4:22 AM

A similar attack has been described in the book At the Abyss: An Insider’s History of the Cold War by Thomas C. Reed, however it is not entirely clear whether it really happened. Reed stated that the United States discovered that the Soviet Union was stealing US technology for running gas pipelines (through a Canadian company), so they planted malware in gas pipeline control software. This software was deployed on a Trans-Siberian gas pipeline, where it caused the pumps to malfunction, leading to a gas explosion. However, while this seems possible, these statements have not been confirmed by US intelligence agencies and were later even denied by KGB veteran Vasily Pchelintsev, who said that the gas explosion was caused by poor construction rather than sabotage.
