ICS-CERT says Bad Guys Used USB-based Malware to Attack U.S. Power Plants-'Be Prepared!'

By Peter Bernstein January 16, 2013

Back in the early 1900’s, Robert Baden-Powell the founder of the now global scouting movement for young adults came up with the motto for his organization, “be prepared!” It would be safe to say the idea behind those words—which means you are always in a state of readiness in mind and body to do your duty—may be more relevant than ever. This is particularly true when it comes to the protection of critical infrastructure such as the electric grid, water, gas and communications utilities. 

How prepared are we really in terms of protecting critical infrastructure from malware? 

The quick answer is not very well prepared at all. This assessment comes from none other than the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In fact, the recent ICS-CERT Monitor report highlights that two power plants at the end of 2012 reported infections by both "common and sophisticated" malware at a power generation facilities.   

One case was only found out when an employee had trouble connecting a USB drive to a workstation. You read correctly, a U.S. power plant could have been seriously compromised because of a lack of diligence regarding the proper management of something as simple as a USB drive.

Here is the scary part. If you read the report you will see that while not disclosing the type of malware used, the report reveals, "the employee routinely used this USB drive for backing up control systems configurations within the control environment." To put it simply, this means hackers could have exploited the vulnerability to connect with the most important systems within a power plant. But, wait if that is not disturbing enough; ICS-CERT also notes that sophisticated malware was found on two engineering-based workstations that are "critical" to the control of the power station.

The only good news coming out of this incident is that malware was not found on 11 other workstations examined. That said, such simple means for wreaking mass havoc are very troublesome, and illustrate that security needs to be holistic in approach since in this case human sneaker power and not some sophisticated online cyber attack was the means of infection

In the second case documented by the report, a power company reported a viral infection in a turbine control system which hampered the performance of roughly ten computers within its control network. It turned out that a third-party technician used a USB drive to upgrade the software when equipment was being renewed, and the malware did its nasty deeds. The plant's reopening was delayed for three weeks and, once again, it was something simple that caused something big.

Advice and warnings for the experts

Needless to say, the professional good guys in the field had some advice on the matter. Jeff Hudson, CEO of Venafi was kind enough to share his thoughts on the subject with TechZone360. He started by saying that, “Cyber attacks on critical infrastructure have dominated the news recently and will continue to do so as long as these systems remain vulnerable. Though these facilities take the precaution of not having Internet connections to prevent outside attacks, a lack of best security practices within closed systems has allowed cyber strikes to surface via compromised trust instruments and USB devices within organizations.”  

Hudson went on to elaborate that, “…Insiders with knowledge of how the software that powers these plants' (the ones in the ICS-CERT report) systems work can execute an attack…It is time for those that run our critical infrastructure to understand that it is no longer a question of ‘if’ there will be an advanced attack, but rather ‘when.’…History has taught us that malware such as Stuxnet, designed specifically to target industrial facilities, leverages social engineering and stolen digital certificates to remain undetected and authenticate on the secure network. There was simply no reason for these plants, or any others at this point, not to be prepared for this type of attack."

For its part, ICS-CERT suggests that a common-sense approach is the best method to try and combat USB-borne infections. Adopting new USB guidelines, maintaining the cleaning of a device before use  including write-once media like DVDs should be compulsory, and antivirus software should be kept up-to-date.

This may be an instance where to quote an old saying, “an ounce of prevention is worth a pound of cure,” but the real point is the one Hudson made about there being no reason why our infrastructure does not have in place already the available tools to protect themselves adequately. ICS-CERT’s recommendations are certainly a good starting point on the prevention side of things, but let’s fact it the bad guys don’t care that much about guidelines, and one needs to be careful in regards to just looking to one antivirus solution, even if always seemingly up-to-date, as the only steps needed to prevent catastrophe. Given the scale and scope of malicious actions by bad actors, one size antivirus does not fit all, and a comprehensive look at risk mitigation needs to be undertaken and executed.

If you want to stay on top of things, bookmark the ICS-CCERT homepage. The reason is contained in the links below which are the top three items there in the last three days as food for thought.

As the scouts, ICS-CERT, Venafi and other will tell you, there is never a bad time to “be prepared!”




Edited by Jamie Epstein
SHARE THIS ARTICLE
Related Articles

Is The Lenovo Yoga Book The Most Innovative Windows LapLet

By: Rob Enderle    12/9/2016

Sometimes you run into a product that redefines a segment. In cars it was things like the 240Z and Miata, in Smartphones the BlackBerry and then the i…

Read More

From Forecast to Fact: The Top Security Threats and Targets of 2016

By: Special Guest    12/9/2016

In early 2016, we shared our predictions of key security threats likely to hit us this year. As predicted, cyber espionage, ransomware, insider threat…

Read More

Pebble Drops Race, Moves to Fitbit

By: Steve Anderson    12/8/2016

Pebble offers confirmation that it's pulling up stakes in the wearable tech race, and moving lock, devs and software to Fitbit.

Read More

SoftBank CEO Cozies Up to Trump

By: Paula Bernier    12/7/2016

SoftBank Group founder and CEO Masayoshi Son, who is also Sprint's chairman, told President-elect Donald Trump he wants to create 50,000 new U.S. jobs…

Read More

Predicting the FCC's Path Forward Under President-Elect Donald Trump

By: Special Guest    12/6/2016

President-elect Donald J. Trump will become the 45th President of the United States of America on January 20, 2017. Many in the tech, media and teleco…

Read More