ICS-CERT says Bad Guys Used USB-based Malware to Attack U.S. Power Plants: 'Be Prepared!'

By Peter Bernstein January 16, 2013

Back in the early 1900s, Robert Baden-Powell, the founder of the now global scouting movement for young adults, came up with the motto for his organization: “be prepared!” It would be safe to say the idea behind those words—which means you are always in a state of readiness in mind and body to do your duty—may be more relevant than ever. This is particularly true when it comes to the protection of critical infrastructure such as the electric grid, water, gas and communications utilities.

How prepared are we really in terms of protecting critical infrastructure from malware? 

The quick answer is: not very well prepared at all. This assessment comes from none other than the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In fact, the recent ICS-CERT Monitor report highlights that, at the end of 2012, two power generation facilities reported infections by both "common and sophisticated" malware.

One case was only discovered when an employee had trouble connecting a USB drive to a workstation. You read that correctly: a U.S. power plant could have been seriously compromised because of a lack of diligence regarding the proper management of something as simple as a USB drive.

Here is the scary part. If you read the report, you will see that while it does not disclose the type of malware used, it reveals that "the employee routinely used this USB drive for backing up control systems configurations within the control environment." To put it simply, this means hackers could have exploited the vulnerability to reach the most important systems within a power plant. And if that is not disturbing enough, ICS-CERT also notes that sophisticated malware was found on two engineering workstations that are "critical" to the control of the power station.

The only good news coming out of this incident is that malware was not found on the 11 other workstations examined. That said, such simple means for wreaking mass havoc are very troublesome, and illustrate that security needs to be holistic in approach, since in this case human sneaker power (a drive carried by hand from machine to machine) and not some sophisticated online cyber attack was the means of infection.

In the second case documented by the report, a power company reported a virus infection in a turbine control system that hampered the performance of roughly ten computers within its control network. It turned out that a third-party technician had used a USB drive to upgrade the software while equipment was being renewed, and the malware did its nasty deeds. The plant's reopening was delayed for three weeks and, once again, it was something simple that caused something big.

Advice and warnings for the experts

Needless to say, the professional good guys in the field had some advice on the matter. Jeff Hudson, CEO of Venafi was kind enough to share his thoughts on the subject with TechZone360. He started by saying that, “Cyber attacks on critical infrastructure have dominated the news recently and will continue to do so as long as these systems remain vulnerable. Though these facilities take the precaution of not having Internet connections to prevent outside attacks, a lack of best security practices within closed systems has allowed cyber strikes to surface via compromised trust instruments and USB devices within organizations.”  

Hudson went on to elaborate that, “…Insiders with knowledge of how the software that powers these plants' (the ones in the ICS-CERT report) systems work can execute an attack…It is time for those that run our critical infrastructure to understand that it is no longer a question of ‘if’ there will be an advanced attack, but rather ‘when.’…History has taught us that malware such as Stuxnet, designed specifically to target industrial facilities, leverages social engineering and stolen digital certificates to remain undetected and authenticate on the secure network. There was simply no reason for these plants, or any others at this point, not to be prepared for this type of attack.”

For its part, ICS-CERT suggests that a common-sense approach is the best way to combat USB-borne infections: adopt new USB guidelines, make cleaning a device before use compulsory (including write-once media like DVDs), and keep antivirus software up-to-date.
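The "clean a device before use" recommendation is easiest to enforce on a dedicated check station that sits between the outside world and the control network. The script below is an added illustration of such a check, not code from ICS-CERT or from the affected plants: it compares every file on a mounted drive against a manifest of approved control-system configuration backups (path plus SHA-256 recorded when the backup was made) and flags anything unexpected, modified, missing, or of a file type that has no business on a backup-only drive. The file names, manifest and drive contents are all constructed for the demo.

```python
"""Removable-media check for a backup-only USB drive (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path

# File types that should never appear on a drive used only for config backups.
BLOCKED_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_media(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the drive at `root` against `manifest` (relative path -> expected sha256).
    Returns findings by category; an empty report means the drive matches the manifest."""
    findings: dict[str, list[str]] = {"unexpected": [], "blocked": [], "modified": [], "missing": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        # Executables and autorun files are flagged regardless of the manifest.
        if path.suffix.lower() in BLOCKED_SUFFIXES or path.name.lower() == "autorun.inf":
            findings["blocked"].append(rel)
        if rel not in manifest:
            findings["unexpected"].append(rel)
        elif sha256_of(path) != manifest[rel]:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed drive image in a temp directory and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backups").mkdir()
        good = root / "backups" / "plc_config.bak"
        good.write_bytes(b"constructed control-system configuration backup")
        (root / "backups" / "hmi_config.bak").write_bytes(b"constructed, altered since manifest")
        manifest = {"backups/plc_config.bak": sha256_of(good),
                    "backups/hmi_config.bak": "0" * 64,   # recorded hash no longer matches
                    "backups/rtu_config.bak": "1" * 64}   # recorded but absent from drive
        (root / "autorun.inf").write_text("constructed placeholder\n")
        (root / "setup.exe").write_bytes(b"constructed placeholder, not a real binary")
        return check_media(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

A drive that produces any finding other than an empty report is held back; only a manifest-matching drive proceeds to the control workstation.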

This may be an instance where, to quote an old saying, “an ounce of prevention is worth a pound of cure,” but the real point is the one Hudson made: there is no reason why our infrastructure operators do not already have in place the available tools to protect themselves adequately. ICS-CERT’s recommendations are certainly a good starting point on the prevention side of things, but let’s face it, the bad guys don’t care much about guidelines, and one needs to be careful about treating a single antivirus solution, even one that is always seemingly up-to-date, as the only step needed to prevent catastrophe. Given the scale and scope of malicious actions by bad actors, one-size antivirus does not fit all, and a comprehensive look at risk mitigation needs to be undertaken and executed.

If you want to stay on top of things, bookmark the ICS-CERT homepage. The reason is contained in the links below, which are the top three items there in the last three days, as food for thought.

As the scouts, ICS-CERT, Venafi and others will tell you, there is never a bad time to “be prepared!”

Edited by Jamie Epstein