Back in the early 1900’s, Robert Baden-Powell the founder of the now global scouting movement for young adults came up with the motto for his organization, “be prepared!” It would be safe to say the idea behind those words—which means you are always in a state of readiness in mind and body to do your duty—may be more relevant than ever. This is particularly true when it comes to the protection of critical infrastructure such as the electric grid, water, gas and communications utilities.
How prepared are we really in terms of protecting critical infrastructure from malware?
The quick answer is not very well prepared at all. This assessment comes from none other than the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In fact, the recent ICS-CERT Monitor report highlights that two power plants at the end of 2012 reported infections by both "common and sophisticated" malware at a power generation facilities.
One case was only found out when an employee had trouble connecting a USB drive to a workstation. You read correctly, a U.S. power plant could have been seriously compromised because of a lack of diligence regarding the proper management of something as simple as a USB drive.
Here is the scary part. If you read the report you will see that while not disclosing the type of malware used, the report reveals, "the employee routinely used this USB drive for backing up control systems configurations within the control environment." To put it simply, this means hackers could have exploited the vulnerability to connect with the most important systems within a power plant. But, wait if that is not disturbing enough; ICS-CERT also notes that sophisticated malware was found on two engineering-based workstations that are "critical" to the control of the power station.
The only good news coming out of this incident is that malware was not found on 11 other workstations examined. That said, such simple means for wreaking mass havoc are very troublesome, and illustrate that security needs to be holistic in approach since in this case human sneaker power and not some sophisticated online cyber attack was the means of infection
In the second case documented by the report, a power company reported a viral infection in a turbine control system which hampered the performance of roughly ten computers within its control network. It turned out that a third-party technician used a USB drive to upgrade the software when equipment was being renewed, and the malware did its nasty deeds. The plant's reopening was delayed for three weeks and, once again, it was something simple that caused something big.
Advice and warnings for the experts
Needless to say, the professional good guys in the field had some advice on the matter. Jeff Hudson, CEO of Venafi was kind enough to share his thoughts on the subject with TechZone360. He started by saying that, “Cyber attacks on critical infrastructure have dominated the news recently and will continue to do so as long as these systems remain vulnerable. Though these facilities take the precaution of not having Internet connections to prevent outside attacks, a lack of best security practices within closed systems has allowed cyber strikes to surface via compromised trust instruments and USB devices within organizations.”
Hudson went on to elaborate that, “…Insiders with knowledge of how the software that powers these plants' (the ones in the ICS-CERT report) systems work can execute an attack…It is time for those that run our critical infrastructure to understand that it is no longer a question of ‘if’ there will be an advanced attack, but rather ‘when.’…History has taught us that malware such as Stuxnet, designed specifically to target industrial facilities, leverages social engineering and stolen digital certificates to remain undetected and authenticate on the secure network. There was simply no reason for these plants, or any others at this point, not to be prepared for this type of attack."
For its part, ICS-CERT suggests that a common-sense approach is the best method to try and combat USB-borne infections. Adopting new USB guidelines, maintaining the cleaning of a device before use including write-once media like DVDs should be compulsory, and antivirus software should be kept up-to-date.
This may be an instance where to quote an old saying, “an ounce of prevention is worth a pound of cure,” but the real point is the one Hudson made about there being no reason why our infrastructure does not have in place already the available tools to protect themselves adequately. ICS-CERT’s recommendations are certainly a good starting point on the prevention side of things, but let’s fact it the bad guys don’t care that much about guidelines, and one needs to be careful in regards to just looking to one antivirus solution, even if always seemingly up-to-date, as the only steps needed to prevent catastrophe. Given the scale and scope of malicious actions by bad actors, one size antivirus does not fit all, and a comprehensive look at risk mitigation needs to be undertaken and executed.
If you want to stay on top of things, bookmark the ICS-CCERT homepage. The reason is contained in the links below which are the top three items there in the last three days as food for thought.
As the scouts, ICS-CERT, Venafi and other will tell you, there is never a bad time to “be prepared!”
Edited by Jamie Epstein