CISA and NSA have published a lot of good resources for Cybersecurity. For example, an advanced persistent threat (APT) that capable to gain full access to multiple ICS/SCADA was discovered recently.
The tool enable the APT actors to scan for, compromise, and control affected devices once they have established access to the OT network. Here's the technical details of the APT tools for Schneider Electric devices:
- Interact via management protocols and Modbus (502/tcp)
- Identifies PLCS via multicast 27127/udp
- Brute-force using CODESYS via 1740/udp
- Conduct DoS to PLC
- Conduct a 'packet-of-death' attach to crash the PLC
- Send custom Modbus commands
Proactive mitigations against APT tools that targeting ICS/SCADA devices
- Isolate ICS/SCADA from corporate and Internet networks
- Enforce multi-factor authentication
- Prepare and exercise cyber incident plan
- Regular update of password, especially all detail passwords.
- Maintain known-good offline backup
- Implement robust log collection and retention
- Deploy Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI)
- Leverage continuous OT monitoring and alert
- Enforce principle of least privilege
Links: