Critical Infrastructure Security , Governance & Risk Management , Operational Technology (OT)
ICSpector Is Now on GitHub, Scans PLCs, Extracts Info and Detects Malicious Code
Microsoft has released a new open-source security tool to close gaps in threat analysis for industrial control systems and help address increased nation-state attacks on critical infrastructure.
See Also: How a Large Manufacturer Boosted Its Protection Against a New Wave of Cyberattack
The new tool, called ICSpector, is built on an open-source framework that facilitates the examination of industrial programmable logic controllers – a set of hardware and software components that are used for managing and controlling different operations within an industrial environment.
While PLCs are integral to industrial control systems and are used in water and power grid systems, analyzing them poses challenges because of a lack of adequate threat detection tools and a dearth of expertise in the sector, according to Microsoft. OT analysis often involves sorting through sensitive data collected from sensors and controllers, Microsoft said.
“One of the biggest challenges is retrieving the code running on the PLC and scanning it as part of an incident response to understand if it was tampered with because the PLCs are actively operating vital industrial process,” Microsoft said
Microsoft said the new tool, which is available on GitHub, can detect malicious modifications, extract the timestamp of the changes made to a system, and provide an overview of the execution flow of tasks within the system, the company said.
“Currently, the system supports three OT protocols: Siemens S7Comm, which is compatible with the S7-300/400 series, Rockwell RSLogix, using the Common Industrial Protocol, and Codesys V3,” the company said.
Concerns about poor OT security threat detection have been raised by other vendors including Dragos, which recently warned about the lack of adequate segmentation between OT and IT systems and the challenge it poses to threat detection. Poor multifactor authentication applied to critical OT assets also has resulted in increased hacks, the company said.
Adam Meyers, CrowdStrike’s senior vice president for intelligence, previously testified in a U.S. Senate committee hearing that internet-connected cellular connections for remote telemetry collection, especially in the water sector, for pipeline metering and billing information pose a threat from hackers (see: OT-IT Integration Raises Risk for Water Providers, Experts Say).
Nation-state hackers from Russia and China are targeting energy companies and water utilities with disruption and espionage campaigns, according to federal authorities, who warned earlier this month that U.S. critical infrastructure defenses are falling behind these adversaries (see: FBI Calls for Increased Funding to Counter Cyberthreats).
Energy companies are major targets of Russian-state-backed actors, who targeted at least 20 Ukrainian energy, water and heating industries in March. Attackers hit the water and wastewater sector with 27 publicly disclosed cyber events in the U.S. between 2006 and 2023, Dragos found.
