Pipedream / Incontroller
What is Pipedream / Incontroller?
Pipedream / IncontrollerA modular ICS-attack toolkit disclosed by U.S. CISA, Dragos, and Mandiant in April 2022 — attributed by some to a Russian state actor — capable of discovering and disrupting Schneider Electric, OMRON, and OPC UA-based industrial controllers.
Pipedream (Dragos) — also called Incontroller (Mandiant) — is a custom ICS attack framework disclosed in a U.S. CISA / DOE / NSA / FBI joint advisory in April 2022. Unlike earlier targeted ICS malware (Stuxnet, Industroyer, Triton) that hit a single victim, Pipedream is a modular toolset designed to enumerate and manipulate large families of industrial controllers — Schneider Electric Modicon PLCs, OMRON Sysmac NEX PLCs, and any OPC UA server — for reconnaissance, configuration change, denial of service, and selective disruption. Its discovery as a fully built capability before observed deployment ('left of boom' in ICS terms) led Dragos to publicly attribute it to a state-aligned actor they track as CHERNOVITE, widely reported as Russia-linked. Pipedream tooling can scan engineering networks for target devices, brute-force credentials, modify ladder logic, disable safety systems, and selectively crash controllers. Defenses focus on robust IT/OT segmentation, removal of internet-exposed engineering interfaces, signed-firmware enforcement, and OT-specific NDR (Dragos Platform, Claroty xDome, Nozomi Guardian) tuned for the framework's documented IOCs.
● Examples
- 01
A Pipedream module enumerates Schneider Modicon PLCs on an engineering network, reads ladder logic, and stages selective writes to disable safety interlocks.
- 02
An OT defender rules out Pipedream-like access by removing direct internet-exposed Modbus/OPC UA endpoints and putting engineering workstations behind a jump host with phishing-resistant MFA.
● Frequently asked questions
What is Pipedream / Incontroller?
A modular ICS-attack toolkit disclosed by U.S. CISA, Dragos, and Mandiant in April 2022 — attributed by some to a Russian state actor — capable of discovering and disrupting Schneider Electric, OMRON, and OPC UA-based industrial controllers. It belongs to the OT / ICS / IoT category of cybersecurity.
What does Pipedream / Incontroller mean?
A modular ICS-attack toolkit disclosed by U.S. CISA, Dragos, and Mandiant in April 2022 — attributed by some to a Russian state actor — capable of discovering and disrupting Schneider Electric, OMRON, and OPC UA-based industrial controllers.
How does Pipedream / Incontroller work?
Pipedream (Dragos) — also called Incontroller (Mandiant) — is a custom ICS attack framework disclosed in a U.S. CISA / DOE / NSA / FBI joint advisory in April 2022. Unlike earlier targeted ICS malware (Stuxnet, Industroyer, Triton) that hit a single victim, Pipedream is a modular toolset designed to enumerate and manipulate large families of industrial controllers — Schneider Electric Modicon PLCs, OMRON Sysmac NEX PLCs, and any OPC UA server — for reconnaissance, configuration change, denial of service, and selective disruption. Its discovery as a fully built capability before observed deployment ('left of boom' in ICS terms) led Dragos to publicly attribute it to a state-aligned actor they track as CHERNOVITE, widely reported as Russia-linked. Pipedream tooling can scan engineering networks for target devices, brute-force credentials, modify ladder logic, disable safety systems, and selectively crash controllers. Defenses focus on robust IT/OT segmentation, removal of internet-exposed engineering interfaces, signed-firmware enforcement, and OT-specific NDR (Dragos Platform, Claroty xDome, Nozomi Guardian) tuned for the framework's documented IOCs.
How do you defend against Pipedream / Incontroller?
Defences for Pipedream / Incontroller typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Pipedream / Incontroller?
Common alternative names include: Pipedream, Incontroller, CHERNOVITE toolkit.
● Related terms
- ot-iot№ 587
Industrial Control System (ICS)
An umbrella term for systems that automate and supervise industrial processes, including SCADA, DCS, PLCs, RTUs, and safety controllers.
- ot-iot№ 1083
SCADA
Supervisory Control and Data Acquisition systems that gather telemetry from remote field devices and let operators monitor and command large industrial processes.
- ot-iot№ 1229
Stuxnet
A highly sophisticated 2010 worm that sabotaged Iran's uranium-enrichment centrifuges by reprogramming Siemens PLCs, widely attributed to the United States and Israel.
- ot-iot№ 588
Industroyer / CrashOverride
Modular ICS malware used in the 2016 Ukraine power-grid attack and updated as Industroyer2 in 2022, capable of speaking native grid protocols to trip substations.
- ot-iot№ 1297
TRITON / TRISIS
Malware discovered in 2017 that targeted Schneider Triconex Safety Instrumented Systems at a Saudi petrochemical plant, attributed to a Russia-linked actor.
- ot-iot№ 850
OPC UA
OPC Unified Architecture, a service-oriented industrial protocol with built-in authentication and encryption used to exchange semantic data across OT and IT systems.