Control System Malware Alert

Wednesday, January 2, 2013 @ 12:01 PM gHale

USB drives are a great tool to help automation professionals do their jobs; however, they can also be a malware nightmare for an industrial control system (ICS), which is exactly what happened at one power generation facility where security wags found common and sophisticated malware on the ICS.

The discovery occurred after a worker asked the company’s IT staff to inspect his USB drive after experiencing intermittent issues with the drive’s operation, according to a report on ICS-CERT. The employee routinely used this USB drive for backing up control systems configurations within the control environment.


When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits. After analyzing the results, officials found one sample linked to known sophisticated malware. Following analysis and at the request of the customer, an onsite team from ICS-CERT went to the facility and started an investigation.

Once onsite, the ICS-CERT team found a handful of machines that likely had contact with the tainted USB drive. They examined the machines and they took drive images for in-depth analysis. ICS-CERT also performed preliminary onsite analysis of those machines and discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment.

The team then conducted a detailed analysis and found these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations.

With confirmation the sophisticated malware existed on the two engineering workstations, attention shifted quickly to the remaining eleven operator stations in the control environment. Manual analysis using the known characteristics of the malware revealed no signs of the malicious software on the remaining workstations.

After the onsite visit, ICS-CERT had two primary goals for assisting the organization.
• Identify effective and safe cleaning procedures that could remove the malicious artifacts.
• Identify best practices to prevent and detect future malware infections in this organization’s control environment.

ICS-CERT obtained a number of images and other artifacts for additional offsite analysis. The in-depth analysis of the two engineering workstations was critical in identifying safe and effective malware cleaning procedures. The team developed the cleaning procedures in close coordination with the organization’s control system vendor to ensure they would not adversely impact the workstations.

While the implementation of an antivirus solution presents some challenges in a control system environment, it could have been effective in identifying the common and the sophisticated malware discovered on the USB drive and the engineering workstations.

In addition to backing up the engineering workstation configuration files, the USB drive was also transporting malware. A good backup procedure should incorporate best practices for USB usage to ensure malicious content does not spread or end up inadvertently introduced, especially in critical control environments. This procedure should include cleaning the USB device before each use or the use of write-once media such as CDs or DVDs.
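The backup procedure described above can be backed by a simple check run whenever the drive is inserted. The script below is an added example, not part of the ICS-CERT report or the article: it records a hash manifest of the configuration files at the moment the backup is written on the engineering workstation, and later audits the drive for files that appeared afterwards, backup files whose contents changed, and anything that could execute (an autorun file, executables, scripts). The allowed and blocked extension lists and all file contents are constructed assumptions for the demonstration.

```python
"""Audit a removable drive used only for control-system configuration backups.

Added example (not from the ICS-CERT report or the article). Assumptions: backups
consist of files with the extensions in ALLOWED_EXT, and a manifest is written
right after each backup so later changes to the drive can be detected.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types an engineering workstation legitimately writes as configuration backups
# (assumed list; a real deployment takes it from the vendor's documented file types).
ALLOWED_EXT = {".xml", ".cfg", ".bak", ".csv", ".json"}
# Content that should never be on a backup-only drive.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk", ".pif"}
BLOCKED_NAMES = {"autorun.inf"}
MANIFEST_NAME = "backup_manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large project backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(mount: Path) -> dict:
    """Record the hash of every file present right after a clean backup is written."""
    manifest = {}
    for p in sorted(mount.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(mount).as_posix()] = sha256_of(p)
    (mount / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def audit_drive(mount: Path) -> list:
    """Return (severity, relative_path, reason) findings; an empty list means clean."""
    findings = []
    manifest_path = mount / MANIFEST_NAME
    if manifest_path.exists():
        manifest = json.loads(manifest_path.read_text())
    else:
        findings.append(("high", MANIFEST_NAME, "no manifest: drive was not prepared by the backup procedure"))
        manifest = {}
    seen = set()
    for p in sorted(mount.rglob("*")):
        if not p.is_file() or p.name == MANIFEST_NAME:
            continue
        rel = p.relative_to(mount).as_posix()
        seen.add(rel)
        ext = p.suffix.lower()
        # Content checks: anything executable has no business on a backup drive.
        if p.name.lower() in BLOCKED_NAMES:
            findings.append(("high", rel, "autorun file present"))
        elif ext in EXECUTABLE_EXT:
            findings.append(("high", rel, "executable content on a backup-only drive"))
        elif ext not in ALLOWED_EXT:
            findings.append(("low", rel, "unexpected file type for a configuration backup"))
        # Integrity checks against what the workstation wrote.
        if rel not in manifest:
            findings.append(("medium", rel, "file not in manifest (added after the backup was written)"))
        elif sha256_of(p) != manifest[rel]:
            findings.append(("high", rel, "hash mismatch: backup content changed since it was written"))
    for rel in manifest:
        if rel not in seen:
            findings.append(("medium", rel, "file listed in manifest is missing"))
    return findings


def demo() -> list:
    """Constructed scenario: a clean backup drive, then three changes that appear on it
    after it leaves the engineering workstation. Returns the audit findings."""
    mount = Path(tempfile.mkdtemp(prefix="usb_audit_"))
    (mount / "hmi").mkdir()
    (mount / "plc01_project.xml").write_text("<project name='plc01'/>")  # constructed backup file
    (mount / "hmi" / "screens.cfg").write_text("screen=overview\n")      # constructed backup file
    write_manifest(mount)
    assert audit_drive(mount) == []  # a freshly written backup audits clean
    # Changes made later (constructed, inert placeholder content).
    (mount / "autorun.inf").write_text("constructed sample, not a real autorun file")
    (mount / "update.exe").write_bytes(b"constructed placeholder, not a real executable")
    (mount / "hmi" / "screens.cfg").write_text("screen=overview\nscreen=extra\n")  # modified backup
    return audit_drive(mount)


if __name__ == "__main__":
    for severity, rel, reason in demo():
        print(f"[{severity}] {rel}: {reason}")
```

Run the audit from a host with current antivirus, not from the workstation the drive is being inserted into, and treat any high finding as grounds to rebuild the drive from the workstation rather than trust its contents. Write-once media, as the article notes, removes the "added later" class of findings entirely.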

The organization also found during the course of the investigation it had no backups for the two engineering workstations. Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact. The recommended practice is to maintain a system of “hot spares” or other effective backups for all critical systems.
