Anybody listening? Another report of a cyber attack on Industrial Automation and Control Systems.

Absoluti klausa (absolute hearing), oil on cardboard 1991, Valentinas Antanavičius

“Everybody talks, nobody listens. Good listeners are as rare as white crows” – Helen Keller

Wired[1] cites a Dragos report[2] on a cyber-attack on ICS with affect on well-being of society. 

The attack was performed using the MODBUS protocol[3] and was able to manipulate ICS devices (ENCON PLC) to cause heating systems to fail in 600 buildings this past January in Lviv, Ukraine.  Sources are Ukrainian city officials, utility, and security services.  Several requests for additional comment made by Wired were not answered.

As a follow on an individual is demonstrating how he used SHODAN to locate 30 ENCON devices found in Romania, Ukraine and Lithuania and was able to issue some Modbus commands.  Wired also names a Lithuanian company as one of the suppliers of control devices to Ukraine:

 “malware was used to target ENCO control devices—Modbus-enabled industrial monitoring tools sold by the Lithuanian firm Axis Industries—and change their temperature outputs to turn off the flow of hot water “   

Some take-aways for me:

  1. This is another of the brief glimpses we have seen of what is going on below the cyberg[4].
  2. PLC’s are surely devices of interest by those seeking to disrupt critical infrastructure.
  3. Security of the supply chain continues to be a serious issue that manufacturers and suppliers need to take note of.
  4. Modbus which is a tried and true protocol with little or no cybersecurity continues to be widely applied in ICS environments. There is even an organisation that is promoting it[5].
  5. The implications of Project Shine still have not sunken in that far in the asset owner’s world.
  6. If an individual researcher is using SHODAN to demonstrate success at finding ICS devices, then one must wonder what the state supported cyber samurai are doing.
  7. Do not fully agree with one of Drago’s conclusions that “ this threat underscores the urgent need for ICS network visibility and monitoring of Modbus TCP traffic”  if that means providing cybersecurity analysts located in the office IT side with more  access to control networks .

Finally those involved in offense continue to be ahead of the policy makers trying to defend critical infrastructure who in one national cyber strategy chose to name “baby monitors” and “personal fitness devices” without even thinking about mentioning PLCs[6].


[1] https://www.wired.com/story/russia-ukraine-frostygoop-malware-heating-utility/

[2] https://hub.dragos.com/report/frostygoop-ics-malware-impacting-operational-technology

[3] https://modbus.org/faq.php

[4] http://cyberg.us/

[5] https://modbus.org/

[6] http://scadamag.infracritical.com/index.php/2023/03/15/impressions-of-the-u-s-national-cybersecurity-strategy-of-2023/

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is member of ISA 99 Workgroup 16 on Incident Management and Workgroup 14 on security profiles for substations.

Related posts