There is an OT-specific malware doing the rounds called Crashoverride/Industroyer. The malware targets control systems and affects the following industrial communication protocols:
• IEC 60870-5-101 (aka IEC 101)
• IEC 60870-5-104 (aka IEC 104)
• IEC 61850
• OLE for Process Control Data Access (OPC DA)
If your Operational Technology systems make use of these protocols, it is advisable to create some visibility with the OT team to understand the risk better.
Below are some guidelines. Beyond these, the fundamental basics still need to be in place, such as network segmentation, baseline creation, secure backups, etc.
• Have a clear understanding of where and how the IEC 104 and IEC 61850 protocols are used. Look for increased usage of these protocols against baselines established in the environment. Also look for systems starting to use these protocols when they have not done so before, and specifically try to identify systems that are generating new network flows using these protocols.
• Similarly, understand the OPC implementations and identify how the protocol is being used. It is a protocol that is pervasive across numerous sectors. OPC will appear abnormal in CRASHOVERRIDE's usage, as the malware uses it to scan all devices on the network, which generates more traffic than usual.
• Secure backups of systems such as project logic, IED configuration files, and ICS application installers should be offline and tested.
• Prepare incident response plans for this attack and perform drills by bringing in appropriate stakeholders and personnel across engineering, operations, IT, and security. The scenario should include substation outages with the requirement to do manual operations while recovering the SCADA environment and gathering appropriate forensics.
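The two detection guidelines above (new hosts speaking IEC 104 / IEC 61850, and OPC DA fan-out beyond baseline) as an added, runnable example; this is illustrative code, not part of the original advisory or any vendor tool. It assumes port-based protocol classification (TCP 2404 for IEC 104, TCP 102 ISO-TSAP for IEC 61850 MMS, TCP 135 for the DCOM endpoint mapper that classic OPC DA sessions start with), and the baseline and flow records are constructed.

```python
# Added example (not from the advisory): flag hosts that start speaking OT
# protocols outside an established baseline, and hosts whose OPC DA peer
# fan-out looks like a network-wide scan. All data below is constructed.
from collections import defaultdict

# Assumed port-to-protocol map. 135 only catches the DCOM endpoint-mapper
# setup; classic OPC DA then moves to dynamic high ports.
PROTO_PORTS = {2404: "IEC104", 102: "IEC61850-MMS", 135: "OPC-DA"}

# Constructed baseline: (src host, protocol) pairs seen during a quiet period.
BASELINE_FLOWS = {("10.1.0.5", "IEC104"), ("10.1.0.5", "IEC61850-MMS"),
                  ("10.1.0.7", "OPC-DA")}
BASELINE_OPC_FANOUT = 3  # most distinct OPC DA peers any baseline host had

# Constructed flow records: (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("10.1.0.5", "10.1.1.10", 2404),
    ("10.1.0.5", "10.1.1.11", 102),
    ("10.1.0.7", "10.1.1.20", 135),
    ("10.1.0.42", "10.1.1.10", 2404),  # host never seen with IEC 104 before
    ("10.1.0.42", "10.1.1.21", 135),
    ("10.1.0.42", "10.1.1.22", 135),
    ("10.1.0.42", "10.1.1.23", 135),
    ("10.1.0.42", "10.1.1.24", 135),
    ("10.1.0.42", "10.1.1.25", 135),   # five distinct OPC DA peers: scan-like
    ("10.1.0.9", "10.1.1.30", 443),    # not an OT protocol, ignored
]

def classify(flows):
    """Group protocols per source host and collect OPC DA peers per host."""
    proto_by_src, opc_peers = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        proto = PROTO_PORTS.get(dport)
        if proto is None:
            continue
        proto_by_src[src].add(proto)
        if proto == "OPC-DA":
            opc_peers[src].add(dst)
    return proto_by_src, opc_peers

def find_new_talkers(flows, baseline=BASELINE_FLOWS):
    """(host, protocol) pairs generating flows not present in the baseline."""
    proto_by_src, _ = classify(flows)
    return sorted((s, p) for s, ps in proto_by_src.items() for p in ps
                  if (s, p) not in baseline)

def find_opc_scanners(flows, max_fanout=BASELINE_OPC_FANOUT):
    """Hosts talking OPC DA to more distinct peers than the baseline allows."""
    _, opc_peers = classify(flows)
    return sorted((s, len(p)) for s, p in opc_peers.items() if len(p) > max_fanout)

if __name__ == "__main__":
    print("new OT talkers:", find_new_talkers(SAMPLE_FLOWS))
    print("OPC fan-out alerts:", find_opc_scanners(SAMPLE_FLOWS))
```

In practice the baseline would be learned from flow telemetry over a representative period, and alerts handed to the OT team for validation against planned engineering changes.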