USB Drive Malware Surfaces At Two US Power Plants
January 17, 2013

US Power Plants Infected With Malware Through USB Drives

redOrbit Staff & Wire Reports - Your Universe Online

The control systems of two U.S. power plants were found to be infected with malware, according to the latest quarterly newsletter from the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

In both cases, the infections came from USB drives used for data backup or software updates to critical systems used to control power generation equipment, the ICS-CERT said.

The organization did not disclose the identity of the two facilities involved.

Malware is often used by cyber-attackers to gain remote access to systems, or to steal data, but the ICS-CERT said there is no indication that the current infections resulted in any injuries or equipment failures.

In the first incident, "the malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive's operation," wrote the authors of the report.

When the technician inserted the USB drive into a computer with antivirus software, it detected at least three incidents of malware.

"The employee routinely used this USB drive for backing up control systems configurations within the control environment."

"Initial analysis caused particular concern when one sample was linked to known sophisticated malware," said the ICS-CERT, which deployed a team for an on-site inspection of the drive in October.

That team found the malware on two engineering workstations that were "critical to the operation of the control environment."

The problem was magnified by the fact that there were no backups for these workstations.

"The recommended practice is to maintain a system of 'hot spares' or other effective backups for all critical systems," the ICS-CERT said.

At the second facility, "a third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades."

"Unknown to the technician, the USB-drive was infected with crimeware," the report read.

"The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately three weeks."

The ICS-CERT did not provide specific details in its report about the malware itself, but stressed that policies involving the use of removable media must be reviewed and tightened.

"Such practices will mitigate many issues that could lead to extended system downtime," the organization said.

"Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber-events."

Owners and operators of critical infrastructure should "develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media," the ICS-CERT said.
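The second incident above, where a technician's USB drive carried crimeware alongside legitimate software updates, is the case a removable-media policy has to catch before the drive touches a control system. The following is an added example, not code from this article or from ICS-CERT, showing one way to implement that policy step: every file on the drive is compared against a manifest of SHA-256 hashes that the vendor supplied out of band, and anything unlisted, modified or missing blocks the transfer. The manifest layout (the two-space `sha256sum` format), the function names and the constructed sample files are assumptions made for this example.

```python
"""
Allowlist check for files carried in on removable media.

Added example (not the article's or ICS-CERT's code). Before anything on a
USB drive is copied into the control environment, each file is checked
against a vendor-published manifest of SHA-256 hashes. Unlisted files,
files whose hash differs, and files named in the manifest but absent from
the drive all cause the transfer to be refused.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large update images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse '<sha256>  <relative path>' lines (sha256sum layout, assumed here) into {path: hash}."""
    approved = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        digest, _, rel = line.partition("  ")
        approved[rel.strip()] = digest.lower()
    return approved


def check_media(media_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Walk the drive and classify every file as approved, modified or unlisted; also report manifest entries not on the drive."""
    result = {"approved": [], "modified": [], "unlisted": [], "missing": []}
    seen = set()
    for dirpath, _, filenames in os.walk(media_root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(media_root).as_posix()
            seen.add(rel)
            if rel not in manifest:
                result["unlisted"].append(rel)
            elif sha256_file(full) == manifest[rel]:
                result["approved"].append(rel)
            else:
                result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    for key in result:
        result[key].sort()
    return result


def transfer_allowed(report: dict[str, list[str]]) -> bool:
    """Policy decision: the drive may be used only if nothing is unlisted, modified or missing."""
    return not (report["modified"] or report["unlisted"] or report["missing"])


def demo() -> tuple[dict[str, list[str]], bool]:
    """Build a constructed 'USB drive' holding one approved update and one stray unlisted binary, then check it."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        update = media / "updates" / "hmi_patch_v2.bin"
        update.parent.mkdir()
        update.write_bytes(b"constructed vendor update payload\n")
        (media / "unlisted_tool.exe").write_bytes(b"constructed unlisted binary\n")
        manifest = parse_manifest(
            "# vendor-published manifest, constructed for this example\n"
            f"{sha256_file(update)}  updates/hmi_patch_v2.bin\n"
        )
        report = check_media(media, manifest)
        return report, transfer_allowed(report)


if __name__ == "__main__":
    rep, ok = demo()
    print(rep)
    print("transfer allowed:", ok)
```

In practice this check runs on a dedicated transfer station rather than on the engineering workstation itself, and it complements, rather than replaces, up-to-date antivirus scanning of the drive: the manifest answers "is this exactly what the vendor shipped?", which is a different question from "does a scanner recognise it as malicious?".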

Power plants have been the target of increasingly destructive malware in recent years, and the ICS-CERT says it expects the number of these types of attacks to rise in the future.

In 2010, the Stuxnet virus damaged critical parts of Iran's nuclear infrastructure. According to security firm Symantec, Stuxnet had been designed to affect motors controlling centrifuges, which would disrupt the creation of uranium fuel pellets.

That virus also used USB drives to spread its attack code and to carry intercepted communications across air-gapped networks.

No country has claimed responsibility for Stuxnet, although several media outlets have reported that the U.S. and Israel were behind the attack.