During the past three months, unnamed malware infected two power plants' control systems using unprotected USB drives as an attack vector. At both companies, a lack of basic security controls made it much easier for the malicious code to reach critical networks.
In one instance, according to a recent report from the Department of
Homeland Security's Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT), malware was discovered after a power generation plant
employee asked IT staff to look into a malfunctioning USB drive he used
to back up control system configurations.
That discovery prompted
a more thorough on-site inspection that revealed "a handful of machines
that likely had contact with the tainted USB drive." This included two
of 13 workstations in an engineering bay tied to critical systems.
"Detailed analysis was conducted as these workstations had no backups,
and an ineffective or failed cleanup would have significantly impaired
their operations," according to the report.
Analysts noted the
need for operators of the nation's critical infrastructure networks to
follow best practices. In recent years security researchers have tried
to draw more attention to SCADA and ICS security (or the lack thereof)
as a way of pushing companies, usually privately owned, to invest more
resources in protecting their networks from cybercriminal activity.
"While the implementation of an antivirus solution presents some challenges in
a control system environment, it could have been effective in
identifying both the common and the sophisticated malware discovered on
the USB drive and the engineering workstations," the analysts wrote in the
report. The ICS-CERT team also recommended cleaning USB drives after
each use or using other media, such as write-once CDs, to help reduce
the risk of malware contamination.
"The organization also identified
during the course of the investigation that it had no backups for the
two engineering workstations. Those workstations were vital to the
facility operation and, if lost, damaged, or inoperable, could have a
significant operational impact. The recommended practice is to maintain a
system of 'hot spares' or other effective backups for all critical [...]"
In a separate incident in October, ICS-CERT
investigators discovered that 10 computers linked to another power company's
turbine control system had also been infected with a virus via a USB drive
during a software update installation. "Unknown to the technician, the
USB-drive was infected with crimeware. The infection resulted in
downtime for the impacted systems and delayed the plant restart by
approximately 3 weeks."