ICS-CERT reports virus infections at US power utilities
Contributed by: Email on 01/14/2013 03:02 PM [ Comments ]
In its current ICS-CERT MonitorPDF, the US Computer Emergency Response Team (US-CERT) reports that two power utilities in the US suffered virus infections in the last quarter of 2012. In both cases, industrial control systems were infected via USB flash drives. The malware caused a power generation plant to be shut down for several weeks.
In the first incident, an employee who performed routine maintenance on control systems noticed that the USB drive he was using appeared to malfunction. When members of the IT department became involved and used another system with up-to-date anti-virus software to check the USB drive, the software apparently produced three positive hits. One of the finds was reported to be "linked to known sophisticated malware". The description fits the Stuxnet worm that had sabotaged industrial sites in Iran, including a power generation utility in Hormozgan province; however, the report doesn't specify the exact nature of the malware. The afflicted power generation utility eventually notified the US-CERT's Industrial Control System-CERT (ICS-CERT), which also removed the malware from infected engineering workstations. The ICS-CERT said that cleaning up the workstations required particular delicacy because no backups existed, and because a potential "failed cleanup would have significantly impaired their operations."
In the second incident, machines at a power generation utility were infected via the USB drive of a third-party technician who had reportedly been unaware of the malware. In this case, the ICS-CERT considers the disruption to the devices to have been caused by "crimeware". Several weeks passed before the power utility could return to service.
The ICS-CERT has investigated the susceptibility of industrial plants to attacks from the internet for quite some time. For example, the latest Monitor mentions Project SHINE (SHodan INtelligence Extraction), which has existed for a while and uses the freely accessible Shodan search engine to establish numbers of unprotected devices with SCADA and other industrial control systems. The researchers noted that they have already found more than 500,000 potentially vulnerable devices that are accessible via the internet. With more in-depth analysis, they said that they could reduce the number in the US to 7,200 vulnerable machines. Project SHINE has issued warnings to more than 100 other countries where the project has detected vulnerable devices.
In the first incident, an employee who performed routine maintenance on control systems noticed that the USB drive he was using appeared to malfunction. When members of the IT department became involved and used another system with up-to-date anti-virus software to check the USB drive, the software apparently produced three positive hits. One of the finds was reported to be "linked to known sophisticated malware". The description fits the Stuxnet worm that had sabotaged industrial sites in Iran, including a power generation utility in Hormozgan province; however, the report doesn't specify the exact nature of the malware. The afflicted power generation utility eventually notified the US-CERT's Industrial Control System-CERT (ICS-CERT), which also removed the malware from infected engineering workstations. The ICS-CERT said that cleaning up the workstations required particular delicacy because no backups existed, and because a potential "failed cleanup would have significantly impaired their operations."
In the second incident, machines at a power generation utility were infected via the USB drive of a third-party technician who had reportedly been unaware of the malware. In this case, the ICS-CERT considers the disruption to the devices to have been caused by "crimeware". Several weeks passed before the power utility could return to service.
The ICS-CERT has investigated the susceptibility of industrial plants to attacks from the internet for quite some time. For example, the latest Monitor mentions Project SHINE (SHodan INtelligence Extraction), which has existed for a while and uses the freely accessible Shodan search engine to establish numbers of unprotected devices with SCADA and other industrial control systems. The researchers noted that they have already found more than 500,000 potentially vulnerable devices that are accessible via the internet. With more in-depth analysis, they said that they could reduce the number in the US to 7,200 vulnerable machines. Project SHINE has issued warnings to more than 100 other countries where the project has detected vulnerable devices.
Comments