SCADA Security Alert: Mobile Workers

Thursday, September 8, 2011 @ 05:09 PM gHale

Security professionals need to stay on top of their game at all times and think of all possible entry points. Mobile workers are one key weakness that can directly or indirectly infect a system.

There is evidence that viruses and spyware already have access to industrial control systems; if you don’t believe it, just look at Web-based user support forums.


Close to a dozen log files submitted to a sampling of online forums show that laptops and other systems that connect to industrial control systems suffer infections with malware and Trojans, including one system that controls machinery for the UK-based energy firm Alstom UK, said industrial control systems expert Michael Toecker.

Toecker found almost a dozen log files from computers connected to industrial control systems while conducting research online. The configuration log files, captured by the free tool HijackThis by Trend Micro, were submitted by the computer’s operator in an effort to weed out malware. While this was just a random sampling, it goes to show critical infrastructure providers are vulnerable to attacks that take advantage of mobile workers and contractors.

Toecker circulated his findings via Twitter and discussed them in a blog post for Digital Bond, an industrial control system security consulting firm. He discovered the links between infected Windows systems and industrial control systems by analyzing the HijackThis logs posted on the forums, which reveal detailed configuration information about the systems in question, the organization they belonged to, and even the role of the individual who owned the system.

In one case, posted on a UK-based support forum in 2008, Toecker said the HijackThis logs show a system belonging to the UK energy firm Alstom was infected with the Zlob Trojan, and that DNS queries from the system were redirected to two Ukrainian DNS servers known to send users to malicious, drive-by download sites.

The system contained references to an alstom.com domain associated with the company’s power conversion division, and the logs show the laptop was managing a number of ICS systems including GE’s Proficy, Intellution and FANUC products and Alspa Pilot, Alstom’s controller interface and programming software.
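The two findings above (DNS resolvers changed to servers the organisation does not operate, and a log that names the owner's domain and software) are exactly the things a defender can pull out of a HijackThis log automatically. The script below is an added example written for this page, not Toecker's tooling or anything from Digital Bond or Trend Micro. It parses the O17 (DNS / domain settings) and O4 (autostart) entries that HijackThis writes, flags any nameserver outside an assumed corporate allowlist, lists the domain values that tie the log to an organisation, and flags autostart entries outside an assumed trusted directory. The log excerpt, the 10.10.0.0/24 resolver range, the domain, the GUID and the program names are all constructed sample data.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed HijackThis-style log excerpt (sample data, not any real system's log).
# O17 lines record DNS settings stored in the registry; O4 lines record programs
# launched from the Run keys. Line formats follow HijackThis's own output style.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [ProficyClient] C:\Program Files\GE Fanuc\Proficy\client.exe
O4 - HKLM\..\Run: [svhost] C:\WINDOWS\system32\svhost32.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ops.example-energy.invalid
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B2C3D4-0000-0000-0000-000000000001}: NameServer = 198.51.100.7,198.51.100.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.10.0.53
"""

# Assumed allowlist: resolvers the organisation actually operates.
APPROVED_RESOLVERS = [ip_network("10.10.0.0/24")]

O17_RE = re.compile(
    r"^O17 - (?P<key>.+?): (?P<name>NameServer|Domain|SearchList) = (?P<value>.+)$"
)
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_o17(text):
    """Return (setting, [values]) tuples for every O17 line in the log."""
    entries = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            values = [v.strip() for v in m.group("value").split(",") if v.strip()]
            entries.append((m.group("name"), values))
    return entries


def find_rogue_resolvers(text, approved=APPROVED_RESOLVERS):
    """Nameservers configured on the host that fall outside the approved networks."""
    rogue = []
    for name, values in parse_o17(text):
        if name != "NameServer":
            continue
        for value in values:
            try:
                addr = ip_address(value)
            except ValueError:
                continue  # ignore anything that is not an IP literal
            if not any(addr in net for net in approved) and value not in rogue:
                rogue.append(value)
    return rogue


def disclosed_domains(text):
    """Domain and search-list values: the fields that tie a public log to an organisation."""
    found = []
    for name, values in parse_o17(text):
        if name in ("Domain", "SearchList"):
            for v in values:
                if v not in found:
                    found.append(v)
    return found


def run_entries_outside(text, trusted_prefixes):
    """O4 autostart entries whose command path does not begin with a trusted directory."""
    suspicious = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m is None:
            continue
        cmd = m.group("cmd")
        if not any(cmd.lower().startswith(p.lower()) for p in trusted_prefixes):
            suspicious.append((m.group("name"), cmd))
    return suspicious


if __name__ == "__main__":
    print("rogue resolvers:", find_rogue_resolvers(SAMPLE_LOG))
    print("disclosed domains:", disclosed_domains(SAMPLE_LOG))
    print("untrusted autostarts:", run_entries_outside(SAMPLE_LOG, ["C:\\Program Files\\"]))
```

Run against a real log, the rogue-resolver check is the quickest way to spot the DNS hijack pattern the article describes; the domain check is a reminder that a log uploaded to a public forum discloses who owns the machine and, via the O4 entries, what it runs.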

The logs don’t reveal how the Zlob Trojan infected the system.

Evidence of infected systems that have direct access to industrial control systems — and potentially to critical infrastructure — shouldn’t be surprising, Toecker said.

It should prompt critical infrastructure owners, however, to rethink how truly secure their networks are, and to increase scrutiny of all the systems that have access to them, including mobile systems used by vendors, contractors and full time employees.