Chernovite - Pipedream

I saw an article today talking about exploits specifically targeting Omron and Schneider Electric, but more generally targeting Codesys and OPC-UA.

Inductive, when you get a little more grasp on this situation, could you respond to potential vulnerability and mitigation strategies for the OPC-UA portion of this ICS hacking software?

It looks like a brute force OPC-UA attack, so perhaps if our OPC-UA connections are all using certificates and not usernames/passwords we will be less susceptible to the attacks.

Thanks for any feedback, and I’m also curious about other users’ thoughts regarding this new ICS hacking suite.

All the best,
-Rob W.

Ignition 8 is safe in its default configuration, which doesn’t allow unsecured connections, so there’s no possibility for an attacker to even attempt to establish a session unless you go in and trust the certificate.

Beyond that, you can and certainly should change the default credentials used by the server’s default user profile. If you’re still using 7.9 or prior then changing the credentials should be very high priority if your server may be accessible to an adversary, as it doesn’t have the same default security configuration nor does it have the OPC UA certificate validation and management facilities Ignition 8 does.

Perhaps you should once again be plugging the hardening guide.

Check out the security hardening guide! :slight_smile:

It does mention, among a bunch of other stuff, OPC UA security/certificates and recommends setting and rotating passwords.

For anyone missing the context: APT Cyber Tools Targeting ICS/SCADA Devices | CISA

Also, for a more general overview:
US uncovers “Swiss Army knife” for hacking industrial control systems

I should have included a link to the story in my original post. Thanks for adding that.

I guess what I was getting at were your thoughts about specific things to check in the system or potential security blunders which would put one at risk from this specific “swiss army knife”.

It sounds like you don’t have any other recommendations aside from “make sure you don’t have user name and password OPC security validation enabled”. Is that correct?

What if one upgraded their system from 7.9 to v8.x? Would any of those 7.9 security configuration defaults or OPC UA certificate validation facilities be carried forward?

No, it's "make sure you change the default credentials".

Everyone should upgrade to 8.x regardless. 7.9 is currently in a courtesy extension to its original EOL of Dec 2021 that will last through June 2022.

If you upgrade from 7.9 to 8.x you'll get all the certificate management stuff I'm talking about. The only change you might want to make (aside from credentials if you haven't) is to disable access via the "None" SecurityPolicy, which I think will be allowed if you're doing an upgrade from 7.9 vs a fresh install of 8.x.

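To make the two recommendations in this thread concrete (disable the "None" SecurityPolicy, and prefer certificate identity tokens over username/password ones), here is a small audit script that walks a list of OPC UA endpoint descriptions, such as you would get back from the server's GetEndpoints service, and flags the weak combinations. This is an added example written for this thread, not code from Inductive Automation or the Ignition hardening guide; the SecurityPolicy URIs and the MessageSecurityMode/UserTokenType enumeration values are the standard OPC UA ones, while the `Endpoint` dataclass, the audit functions and the sample endpoint list (including the host name and port) are assumptions constructed for illustration.

```python
"""
Audit OPC UA endpoint descriptions for weak security settings.

Flags: the "None" SecurityPolicy or MessageSecurityMode None (unsecured channel),
signing without encryption, deprecated policies, and anonymous or username/password
identity tokens. Endpoint objects mirror the fields of an OPC UA EndpointDescription
that matter for this check; populate them from your server's GetEndpoints response.
"""
from dataclasses import dataclass

# Standard SecurityPolicy URIs (OPC UA profile registry)
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
DEPRECATED_POLICIES = {
    "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
}

# MessageSecurityMode enumeration (OPC UA Part 4)
MODE_INVALID, MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 0, 1, 2, 3

# UserTokenType enumeration (OPC UA Part 4)
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE, TOKEN_ISSUED = 0, 1, 2, 3


@dataclass(frozen=True)
class Endpoint:
    """Subset of an OPC UA EndpointDescription used by this audit (assumed shape)."""
    url: str
    security_policy_uri: str
    security_mode: int
    user_token_types: tuple  # UserTokenType values the endpoint accepts


def audit_endpoint(ep: Endpoint) -> list:
    """Return human-readable findings for one endpoint; an empty list means it passes."""
    findings = []
    if ep.security_policy_uri == POLICY_NONE or ep.security_mode == MODE_NONE:
        findings.append("unsecured channel (SecurityPolicy None / MessageSecurityMode None)")
    elif ep.security_mode == MODE_SIGN:
        findings.append("channel is signed but not encrypted; traffic is readable on the wire")
    if ep.security_policy_uri in DEPRECATED_POLICIES:
        findings.append("deprecated security policy (Basic128Rsa15 / Basic256)")
    if TOKEN_ANONYMOUS in ep.user_token_types:
        findings.append("anonymous identity token accepted")
    if TOKEN_USERNAME in ep.user_token_types:
        findings.append("username/password identity token accepted (exposed to credential guessing)")
    return findings


def audit_endpoints(endpoints) -> list:
    """Return (url, short policy name, findings) for every endpoint with a finding."""
    report = []
    for ep in endpoints:
        findings = audit_endpoint(ep)
        if findings:
            policy_name = ep.security_policy_uri.rsplit("#", 1)[-1]
            report.append((ep.url, policy_name, findings))
    return report


# Constructed sample (not a real capture): what an upgraded server might advertise
# if the "None" policy was carried forward and password logins are still offered.
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://gateway.example:62541/discovery", POLICY_NONE, MODE_NONE,
             (TOKEN_ANONYMOUS, TOKEN_USERNAME)),
    Endpoint("opc.tcp://gateway.example:62541/discovery",
             "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
             MODE_SIGN_AND_ENCRYPT, (TOKEN_USERNAME,)),
    Endpoint("opc.tcp://gateway.example:62541/discovery",
             "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
             MODE_SIGN_AND_ENCRYPT, (TOKEN_CERTIFICATE,)),
]

if __name__ == "__main__":
    for url, policy, findings in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{url} [{policy}]")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample list, only the first two endpoints are reported: the "None" endpoint for the unsecured channel plus anonymous and password tokens, and the Basic256 endpoint for the deprecated policy plus password token. The Basic256Sha256 / SignAndEncrypt / certificate-only endpoint, which is the shape you want after following the advice above, produces no findings.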

Hey @Kevin.Herron, is there an official response to this somewhere / will there be?


Thanks Kevin :+1: