The U.S. Department of Homeland Security (DHS) has issued another alert warning of an “ongoing sophisticated malware campaign” targeting human-machine interface (HMI) software that is used for grid control and other energy systems.
The alert, released on Oct. 29, warned that DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has identified a strain of malware that “has compromised numerous industrial control systems (ICSs) environments” and that the campaign has been ongoing since at least 2011.
The main target is believed to be GE’s Cimplicity HMI software. According to ICS-CERT, “Analysis of victim system artifacts has determined that the actors have been exploiting a vulnerability in GE’s Cimplicity HMI product since at least January 2012.” GE has released a patch and urges users to update to the most recent software version if possible. However, the malware has also targeted HMI products from other vendors.
This particular campaign appears to be different from the one that prompted the last major alert this past summer, when a group of hackers thought to be based in Russia were identified as attacking targets across the energy sector.
According to a report in E&E EnergyWire, this campaign has alarmed ICS-CERT officials enough to schedule a series of confidential briefings at FBI field offices this fall to spread the word about the threat. Although attacks on ICSs remain rare, the potential for damage and disruption is large enough to merit attention. This particular attack is notable because it appears directly targeted at energy sector ICSs.
In the latest alert, ICS-CERT “strongly encourages taking immediate defensive action to secure ICS systems using defense-in-depth principles,” it said. “Asset owners should not assume that their control systems are deployed securely or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack.”
—Thomas W. Overton, JD is a POWER associate editor.