During the past three months, unnamed malware infected two power plants’ control systems using unprotected USB drives as an attack vector. At both companies, a lack of basic security controls made it much easier for the malicious code to reach critical networks.
In one instance, according to a recent report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), malware was discovered after a power generation plant employee asked IT staff to look into a malfunctioning USB drive he used to back up control systems configurations.
A scan with updated antivirus software turned up three instances of malware, two common and one considered sophisticated.
That discovery prompted a more thorough on-site inspection that revealed “a handful of machines that likely had contact with the tainted USB drive.” This included two of 13 workstations in an engineering bay tied to critical systems.
“Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations,” according to the report.
Analysts noted the need for operators of the nation’s critical infrastructure networks to follow best practices. In recent years security researchers have tried to draw more attention to SCADA and ICS security (or the lack thereof) as a way of pushing companies, usually privately owned, to invest more resources in protecting their networks from cybercriminal activity.
“While the implementation of an antivirus solution presents some challenges in a control system environment, it could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations,” they wrote in this report.
The ICS-CERT team also recommended cleaning USB drives after each use or using other media, such as write-once CDs, to help reduce the risk of malware contamination.
“The organization also identified during the course of the investigation that it had no backups for the two engineering workstations. Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact. The recommended practice is to maintain a system of ‘hot spares’ or other effective backups for all critical systems.”
In a separate incident in October, ISC-CERT investigators discovered 10 computers linked to another power company’s turbine
control system also were infected with a virus via a USB drive during a software update installation.
“Unknown to the technician, the USB-drive was infected with crimeware. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks.”