Critical infrastructure cybersecurity vendor enhances its MetaDefender Malware Analyzer platform to map malware to the MITRE ATT&CK Industrial Control Systems framework.

Credit: Pugun Photo / Getty Images

Critical infrastructure cybersecurity vendor OPSWAT has announced new malware analysis capabilities for IT and operational technology (OT). Revealed at the Black Hat USA 2022 Conference, the enhancements include OPSWAT Sandbox for OT, with detection of malicious communications on OT network protocols, and support for open-source third-party tools in OPSWAT’s MetaDefender Malware Analyzer platform, the firm stated. The release comes amid increasing cyberthreats surrounding OT networks in industrial control systems (ICS).

Enhancements map malware to the MITRE ATT&CK ICS framework

In a press release, OPSWAT noted that, with rising threats and growing concerns around propagation into OT networks within critical infrastructure environments, threat intelligence for both the IT and OT sides of businesses is essential in providing the necessary data and analysis capabilities to the entire organization. It has therefore enhanced OPSWAT MetaDefender Malware Analyzer to map malware detected via OPSWAT Sandbox to the MITRE ATT&CK Industrial Control Systems framework, enabling malware analysis teams to quickly understand malware tactics, techniques, and procedures (TTPs) specifically targeting OT environments, it said.

As an automation and orchestration platform, MetaDefender Malware Analyzer orchestrates the process of receiving suspicious files and submitting them to different tools, aggregating the results, and then submitting those results to threat intelligence platforms, OPSWAT stated. “Our malware analysis solution provides actionable IOCs and in-depth analysis using static and dynamic tools to enable faster and more targeted response to threats,” Itay Bochner, director of malware analysis at OPSWAT, tells CSO.
“This is one of the first malware analysis solutions in the market with specific functionality for analyzing and detecting malware targeting ICS with the addition of ICS-specific Yara rule sets and MITRE ATT&CK ICS framework mapping,” he says.

ICS, OT environments under increasing threat from attack

OT networks and ICS are facing growing cyberthreats and risks. A recent report commissioned by cloud security company Barracuda highlighted an uptick in major attacks on industrial IoT and OT systems while efforts to secure these systems lag behind. The firm surveyed 800 senior IT and security officers responsible for industrial systems, discovering that 94% of respondents experienced some form of attack on their industrial IoT or OT systems in the last 12 months. What’s more, 93% of those polled admitted that their organization had failed in their IIoT/OT security projects, often due to a lack of skills and tools. As many as 89% of respondents also said they are very or fairly concerned about nation-state-backed attacks on industrial systems linked to geopolitical tensions surrounding the Russia-Ukraine war.

In April this year, the U.S. Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI released a joint Cybersecurity Advisory (CSA) to warn that advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple ICS/supervisory control and data acquisition (SCADA) devices.
The CSA pointed to three categories of devices vulnerable to the Incontroller malware that can interfere with ICS operations: Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

Speaking to CSO in April, Rob Caldwell, director of ICS and OT at Mandiant, said the evolution of ICS malware to become more complex and dangerous is “just evidence that OT attackers are gaining more skill, understanding, and function. Just like they’ve done in the IT space, as time goes on their tools get more sophisticated.”
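The article describes two capabilities at a high level: flagging malicious communications on OT network protocols, and mapping what a sandbox observes to MITRE ATT&CK for ICS technique IDs so analysts get TTPs rather than raw events. The following is an added illustration of that pattern, not OPSWAT's code and not a description of how OPSWAT Sandbox works internally. It picks Modbus/TCP as the OT protocol (the article does not name one; Modbus is an assumption chosen because its framing is public and simple), parses the MBAP header and function code from constructed packets, flags write requests from hosts outside a hypothetical engineering-workstation allowlist, and tags each finding with ATT&CK for ICS technique T0855 (Unauthorized Command Message). The allowlist, sample traffic and the choice of T0855 as the tag are all assumptions made for the example.

```python
"""Added example: detect unauthorised Modbus/TCP write commands in captured
traffic and tag findings with an ATT&CK for ICS technique ID.

Not OPSWAT's code. Modbus/TCP, the allowlist and the T0855 tag are
assumptions chosen to illustrate the pattern described in the article.
"""
import struct
from collections import Counter
from dataclasses import dataclass

# Modbus function codes, from the public Modbus application protocol spec.
FUNCTION_NAMES = {
    1: "Read Coils",
    3: "Read Holding Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Assumed mapping for this example: a write request from a source that is not
# an approved engineering host is tagged as ATT&CK for ICS T0855,
# "Unauthorized Command Message".
ATTACK_ICS_UNAUTHORIZED_COMMAND = "T0855"

# Hypothetical allowlist of hosts permitted to write to PLCs.
ALLOWED_WRITERS = {"10.0.1.10"}


@dataclass
class Finding:
    src: str
    dst: str
    unit_id: int
    function_code: int
    function_name: str
    technique: str


def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header and the function code that follows it.

    Returns (unit_id, function_code), or None if the bytes are not a
    well-formed Modbus/TCP frame (wrong protocol id or inconsistent length).
    """
    if len(payload) < 8:
        return None
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:            # Modbus/TCP always uses protocol id 0
        return None
    if length != len(payload) - 6:  # length field covers unit id + PDU
        return None
    return unit_id, payload[7]


def build_request(tid: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used here to construct sample traffic)."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic: (source IP, destination IP, TCP payload).
SAMPLE_TRAFFIC = [
    # Approved host reads 10 holding registers: benign.
    ("10.0.1.10", "10.0.2.50", build_request(1, 1, 3, b"\x00\x00\x00\x0a")),
    # Approved host writes a single register: permitted.
    ("10.0.1.10", "10.0.2.50", build_request(2, 1, 6, b"\x00\x01\x00\xff")),
    # Unknown host forces a coil ON: flagged.
    ("10.0.5.77", "10.0.2.50", build_request(3, 1, 5, b"\x00\x00\xff\x00")),
    # Unknown host writes two registers: flagged.
    ("10.0.5.77", "10.0.2.50",
     build_request(4, 1, 16, b"\x00\x00\x00\x02\x04\x00\x01\x00\x02")),
    # Not Modbus at all: ignored by the parser.
    ("10.0.5.77", "10.0.2.50", b"GET / HTTP/1.1\r\n"),
]


def analyse(packets, allowed_writers=ALLOWED_WRITERS):
    """Return a Finding for every write request from a non-allowlisted source."""
    findings = []
    for src, dst, payload in packets:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            continue
        unit_id, fc = parsed
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            findings.append(Finding(src, dst, unit_id, fc,
                                    FUNCTION_NAMES.get(fc, "Unknown"),
                                    ATTACK_ICS_UNAUTHORIZED_COMMAND))
    return findings


def summarise(findings):
    """Aggregate findings by technique ID, the shape a TIP export would want."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    for f in analyse(SAMPLE_TRAFFIC):
        print(f"{f.technique} {f.src} -> {f.dst} unit {f.unit_id}: {f.function_name}")
    print(summarise(analyse(SAMPLE_TRAFFIC)))
```

The length check in `parse_modbus_tcp` matters in practice: a frame whose MBAP length field disagrees with the bytes actually received is either fragmented or malformed, and a detector that silently accepted it would both miss commands and produce false technique tags. Real deployments would replace the static allowlist with the site's asset inventory and extend the function-code table to the vendor-specific codes their PLCs use.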