DHS: USB Drives Spread Malware in Control System Environment at Two Power Plants

A report by the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergence Response Team (ICS-CERT) reveals that infected USB drives spread common and sophisticated malware in the control systems at two power plants in separate incidents late last year.

In the first incident, malware was discovered when an employee asked company IT staff to inspect a USB drive used routinely to back up control system configurations within the control environment after experiencing intermittent issues with the drive’s operation, ICS-CERT says in its quarterly update report. Antivirus software produced three positive hits, one of which was linked to an unnamed virus that the ICS-CERT describes as “sophisticated malware.”

The team says that further analysis showed signs of the sophisticated malware on two engineering workstations that are “critical” to the operation of the control environment. “Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations,” it says. The remaining eleven operator stations in the control environment showed no signs of the malicious software.
 
In the second incident, which occurred in October 2012, a power company reported a virus infection in a turbine control system that affected about 10 computers on its control system network. It was later revealed that a third-party technician used a USB drive to upload software updates during a scheduled outage for equipment upgrades. “Unknown to the technician, the USB-drive was infected with crimeware. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks,” ICS-CERT reports.
 
The report also acknowledged “an increasing trend in cyber attacks targeted at energy and pipeline infrastructure around the world. ICS-CERT has been tracking threats and responding to intrusions into infrastructure such as oil and natural gas (ONG) pipelines and electric power organizations at an alarming rate. In 2012 alone, attacks against the energy sector comprised over 40% of all incidents reported to ICS-CERT. Many of these incidents targeted information pertaining to the ICS/SCADA environment, including data that could facilitate remote access and unauthorized operations.”

The DHS team recommends that owners and operators of critical infrastructure develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media. “A good backup procedure should incorporate best practices for USB usage to ensure that malicious content is not spread or inadvertently introduced, especially in critical control environments. This procedure should include cleaning the USB device before each use or the use of write-once media such as CDs or DVDs,” it says. The report also includes industry best practices for maintaining a minimal Internet facing footprint.

In addition to its quarterly reports, ICS-CERT posts alerts and advisories about the vulnerabilities of control systems supplied by multiple vendors, including systems used by power-generating companies.

Sources: POWERnews, DHS

—Gail Reitenbach, PhD, Managing Editor, and Sonal Patel, Senior Writer (@POWERmagazine)