Critical Infrastructure Malware Infections: From ICS-CERT report to SCADA Strangelove

Editor’s Note:  The US-CERT Monthly Monitor Report for October-December 2012 is attached here.

From: Network World

Homeland Security’s Cyber Emergency Response Team for Industrial Control Systems published a report covering common and sophisticated malware discovered in the ICS environment that targeted America’s critical infrastructure in 2012. Meanwhile at the 29th Chaos Communication Congress, the SCADA Strangelove, or ‘How I Learned to Start Worrying and Love Nuclear Plants’ presentation revealed 20 new SCADA vulnerabilities.

By Ms. Smith

The Department of Homeland Security’s Cyber Emergency Response Team for Industrial Control Systems (ICS-CERT) reported that during the fiscal year 2012, it “responded to 198 cyber incidents.” 41% of the attacks were against the energy sector followed by 15% of incidents targeting the water sector. This does not include the Springfield Illinois water utility that was reportedly hacked via an IP located in Russia. The feds said there was no evidence of a cyber-intrusion there. The image below shows the Fiscal Year 2012 ICS vulnerability incidents by sectors.


The October/November/December 2012 ICS-CERT monitor [PDF] begins with:

ICS-CERT recently provided onsite support at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment. The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive’s operation. The employee routinely used this USB drive for backing up control systems configurations within the control environment.

When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits. Initial analysis caused particular concern when one sample was linked to known sophisticated malware. Following analysis and at the request of the customer, an onsite team was deployed to their facility where the infection occurred.

After determining that “sophisticated malware existed on the two engineering workstations, attention shifted quickly to the remaining eleven operator stations in the control environment. Manual analysis using the known characteristics of the malware revealed no signs of the malicious software on these operator stations.” This seems to correlate with what was previously suggested by a University of Tel Aviv research team; that antivirus software may be a waste of money when it comes to new viruses. The researchers “tested 82 new malware files against 40 antivirus products and found that the antivirus programs detected exactly none of them.”

Further down in the ICS-CERT report there is more information regarding a virus infection at an electric utility.

In early October 2012, a power company contacted ICS-CERT to report a virus infection in a turbine control system which impacted approximately ten computers on its control system network. Discussion and analysis of the incident revealed that a third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades. Unknown to the technician, the USB-drive was infected with crimeware. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks.

You may recall the supposed Firesheep moment for SCADA which made hacking critical infrastructure systems as easy as pushing a button, but the report mentions Project SHINE (SHodan INtelligence Extraction) in which two researchers compiled a list of nearly 500,000 Internet-facing control systems and demonstrated “the ease the with which critical infrastructure devices can be discovered on the Internet.” The researchers showed ICS-CERT this database of 460,000 IP addresses that they found by using SHODAN. “As SHODAN is freely available, anyone with malicious intent could locate these devices and attempt logon, leaving these systems vulnerable to attack. Once accessed, these devices may be used as an entry point onto a control systems network, making their Internet facing configuration a major vulnerability to critical infrastructure.”

Read Complete Article



Leave a Reply

Your email address will not be published.

Please Answer: *