Slashdot Mirror


Malware Infects US Power Facilities Through USB Drives

angry tapir writes "Two U.S. power companies have reported infections of malware during the past three months, with the bad software apparently brought in through tainted USB drives, according to the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The publication (PDF) did not name the malware discovered. The tainted USB drive came in contact with a 'handful of machines' at the power generation facility and investigators found sophisticated malware on two engineering workstations critical to the operation of the control environment, ICS-CERT said."

22 of 136 comments

  1. Scan the security cameras... by eksith · · Score: 5, Insightful

    ...If they have them installed and actually recording. Find out which ones were inserting the USB drives in question, fire them and ban them from ever being hired at any infrastructure facilities. Train the remaining employees in security best practices and run random scans of any equipment they bring onto the premises.

    More often than not security breaches are a result of an oversight, but far too often, it's laziness and incompetence.

    --
    If computers were people, I'd be a misanthrope.
    1. Re:Scan the security cameras... by Anonymous Coward · · Score: 3, Insightful

      They know who did it - it was apparently a contractor installing software.

      And banning USB keys or "scanning" is not the solution - the solution is to not use vulnerable crap like windows for any critical functions at something like a power plant. Although banning/firing any contractor that specified a windows based system for the installation in the first place, could be a good first step.

    2. Re:Scan the security cameras... by Anonymous Coward · · Score: 2, Interesting

      the solution is to not use vulnerable crap like windows

      If the malicious code was embedded in the software which was intentionally installed, then exactly how would the choice of OS have fuck-all to do with it?

    3. Re:Scan the security cameras... by inasity_rules · · Score: 2

      I agree, but what you suggest is impractical. Normally the consultant would have specified the requirements, and then chosen from a list of options given. Practically, all of those options would be Windows, because, guess what, it is the industry standard. Practically then, any contractor suggesting a different system would be at a disadvantage because they would be deviating from the de facto standard. Industry has so much momentum that changing from windows is excessively difficult.

      --
      I have determined that my sig is indeterminate.
    4. Re:Scan the security cameras... by RoboJ1M · · Score: 2

      But, it was a contractor installing software.
      The OS didn't need to be vulnerable.
      The infected application had super user rights.
      Of course no doubt it DID leverage holes in windows and it wasn't there to compromise the power station, just run spam chewing malware.
      And it was only ON the stick in the first place because of Windows security holes.

      But by definition any OS (GNU Linux, OSX, Windows) on which you are installing software is vulnerable by default.
      Of course in a secure environment such as GNU Linux or BSD or whatever, the machines that wrote the stick in the first place would have been astronomically less vulnerable to leaky security and easy compromise such as the box where the contractor spent the morning browsing drive by pr0n sites.

      If it was a malicious contractor, no OS is going to save you.

    5. Re:Scan the security cameras... by aurispector · · Score: 5, Funny

      Windows is the de facto standard, and as such the bulk of malware is targeted at it. Pick any platform, make it the standard and the amount of malware written for it will explode.

      Nice rhymes BTW - that English degree is paying off for you!

      --
      I have mod points. The reign of terror begins now.
    6. Re:Scan the security cameras... by benjymouse · · Score: 5, Insightful

      the solution is to not use vulnerable crap like windows for

      Right. So there would never be any risk when using Linux?

      http://www.h-online.com/open/news/item/USB-driver-bug-exposed-as-Linux-plug-pwn-1203617.html

      http://news.softpedia.com/news/Researcher-Demonstrates-USB-Autorun-Attack-on-Linux-183611.shtml

      http://linux.slashdot.org/story/11/02/07/1742246/usb-autorun-attacks-against-linux

      http://www.omgubuntu.co.uk/2011/02/how-usb-autorun-malware-could-easily-infect-linux

      You are stupid to think that any OS is free of such problems. Or you are just blind to facts because of Linux fanaticism.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    7. Re:Scan the security cameras... by Svartalf · · Score: 2

      I don't think that it was embedded there (or we'd have a different story we'd be commenting on...) - it was just infecting the tech's USB thumb drive. Something that Windows actually excels at.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    8. Re:Scan the security cameras... by Svartalf · · Score: 2

      1) These are due to trying to make Linux "easy". If you're using a desktop install, it's going to happen. Autorun is a BAD and bogus idea, really.
      2) An embedded or secured Linux won't respond to Autorun like this. I think only the ones trying to be a Windows/OSX "competitor" like Ubuntu have this on by default.

      Sorry, it's more that the OS in question (Windows) does stupid things that're insecure by design - and adopting any of those bad ideas in your OS will cause the same sorts of problems. Your set of links merely proves this.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    9. Re:Scan the security cameras... by tlhIngan · · Score: 2

      Uhhh...Why have USB slots on the PCs in the first place? It's really not that hard to just epoxy some plugs into the slots in the back and pull the cable to the front ya know. Even if they did do what you say it's still possible an enemy might in the future blackmail an employee into plugging a drive in, can't do that if it's common knowledge there ain't no USB slots on their machines.

        If it were me, while I was at it I'd set a GPO blocking Windows from enabling any CDROM or floppy drives along with the USB drivers, so even if somebody in some out of the way place cracked the case open and reconnected the headers it wouldn't do any good as Windows wouldn't load the drivers.

      Well, if you did security right, you have an airgapped network, which means the critical network and the corporate LAN are separated.

      But that brings a question - how do you update anything on the airgapped network? And yes, things do need updating now and again, including any Windows machines used to manage it. May be a software update, may be a configuration update (e.g., some new machinery was installed, or something was replaced and now the whole setup has to be reconfigured).

      The easiest way is a thumb drive.

      Otherwise what you have is a completely useless network that runs ancient software that has to be maintained somehow.

      Airgapped networks work, but they have a serious vulnerability in that going from an insecure to secure environment (let's say you gateway it so all data brought to the isolated network must be scanned by a gateway PC - now the gateway PC needs to have latest antivirus etc. - and how do you get those onto it, since it's airgapped?).

      Some people make fancy "data diodes" that are very strict firewalls - it lets the isolated network go and talk to the corporate network for updates, etc, but prevents anything from the isolated network from leaving it.

      But it's a huge problem with no easy solution - Stuxnet, the USAF, they all suffered when airgapped computers got infected. (The USAF when their UAV control PCs got infected because they used a thumbdrive to move a map update across).

    10. Re:Scan the security cameras... by timeOday · · Score: 2

      Everybody is rushing to agree with you, but I don't see how the use of a USB drive is the problem in this case. USB drives are a bad way to transfer information to secure systems because they are writable, so sensitive information can leak back into the open environment. But that's not what happened here, so it makes no difference whether the upload to the sensitive system had been done with a CD, USB drive, floppy... what do you think they should use, and what difference would it make? Are you assuming they failed to run a virus scanner on the software they uploaded? Those aren't 100%, especially not for targeted attacks. All secure systems are loaded with software and hardware that is ultimately from the open, so there is a chance of bad stuff leaking through. Even if you built the whole computer system onsite from sand and software written from scratch (which is absurd), there is still the trustworthiness of the people who do the work.

    11. Re:Scan the security cameras... by LoRdTAW · · Score: 2

      The exploit you posted is two years old and fixed. But I do get your point about no OS being 100% secure. But most of these Industrial automation infections are most likely due to bad security practices or outdated and unpatched Windows systems.

      My bet is the control systems are running Windows XP or worse, 2000 (I wouldn't be surprised if NT can be found in some places). Manufacturers of soft PLC/PAC hardware still offer systems pre-installed with Windows XP and XP Embedded even though it is a security nightmare. The reason being backwards compatibility. Most industrial PC hardware is designed for long life spans. A PC motherboard that can be bought off Newegg from Asus or Gigabyte might change every few months or yearly. And every time a new chipset comes out the previous generation boards and chipsets are discontinued. Industrial boards typically have runs lasting years to ensure a customer that 5 or even 10 years later they can get a replacement board. Software is costly and redeveloping a multi-million dollar factory automation system is often impossible without very costly downtime. Something as simple as a Windows update can completely bring an entire system down. In short the mentality is "if it ain't broke, don't fix it". And often enough, you can get away with it.

      I work for a shop where we still have three machines running Windows 2000 for CNC motion control along with one running XP. I could upgrade to Windows 7 as the company who makes the CNC system has up to date software that runs on 7. Any time I have proposed upgrading the machines, the production manager, engineer and boss won't hear any of it (if it ain't broke, don't fix it!). I have to maintain a small inventory of P4 systems pre-loaded with XP Pro and the CNC software to ensure that I have replacement systems at the ready. When I first started working you wouldn't believe the shit that was going on. The previous IT guy was a cousin of the owner who was a programmer; he wasn't an IT expert and was ignorant about security (I'm no expert either, but I make sure I follow best practices). I had employees plugging their iPhones into the CNC PCs to charge as well as listening to Pandora through a web browser on the CNC PC using a pair of speakers they brought in. I put a stop to that nonsense. I now have each computer on a domain account that is locked down (no web browser), no physical USB access by the operator and the CNC PCs on their own isolated network that is filtered by a firewall (pfSense). It's far from perfectly secure but it will stop 90+% of the silly nonsense that can screw you over.

  2. Good by Anonymous Coward · · Score: 2, Insightful

    Good, if USB drives are the infection route, then it probably means they've been smart enough to not connect these systems to the internet.
    Good, they're not screaming 'cyber war' and conflating script kiddies with the country of the p0wned PC that sent the infection.

    Bad, however: why have they left the USB ports open? And why are the ports autoexecuting this malware? I mean, even my Dad (82 years old) has the auto execute registry flag turned off. He can plug in malware infected keys to his heart's content and it won't run. It's just really sloppy! You pay people to secure critical systems like this and they don't do their job, so you need to sack them and hire competent people instead.

    Well at least as competent as an amateur 82 year old.
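Both tlhIngan's suggestion (a GPO that stops Windows loading USB, CD-ROM and floppy drivers) and the comment above (the "auto execute registry flag" turned off) describe host-level controls that can be audited and enforced from PowerShell. The script below is an added example, not code from the thread or from ICS-CERT; it uses the documented registry locations for the USBSTOR and cdrom service start types and the Explorer NoDriveTypeAutoRun policy value. The `-Enforce` switch, the `$controls` table and the `Test-UsbControl` helper are this example's own names. It defaults to a read-only audit, which is what a defender would run first on an engineering workstation before pushing the same values out through Group Policy.

```powershell
# Added example (not from the original thread): audit, and optionally enforce,
# removable-media controls on a Windows host. Run from an elevated PowerShell.
# Default is audit only; pass -Enforce to apply the desired values.
param([switch]$Enforce)

# Start=4 (SERVICE_DISABLED) stops Windows loading the driver even if a device
# is plugged in or a header is reconnected inside the case.
# NoDriveTypeAutoRun=0xFF disables AutoRun for every drive type, which is the
# "auto execute registry flag" the comment above refers to.
$controls = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Want = 4;   Why = 'USB mass-storage driver disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom'
       Name = 'Start'; Want = 4;   Why = 'CD/DVD driver disabled' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 255; Why = 'AutoRun off for all drive types' }
)

# Compare one control's current registry value against the desired value.
# A missing key or value is reported as non-compliant rather than ignored.
function Test-UsbControl {
    param($Control)
    $current = $null
    if (Test-Path $Control.Path) {
        $item = Get-ItemProperty -Path $Control.Path -Name $Control.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($Control.Name) }
    }
    [pscustomobject]@{
        Setting   = "$($Control.Path)\$($Control.Name)"
        Current   = $current
        Desired   = $Control.Want
        Compliant = ($current -eq $Control.Want)
        Why       = $Control.Why
    }
}

$results = foreach ($c in $controls) { Test-UsbControl $c }
$results | Format-Table Setting, Current, Desired, Compliant, Why -AutoSize

if ($Enforce) {
    foreach ($c in $controls) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
    }
    Write-Host 'Applied. Re-run without -Enforce to verify. Driver Start changes take effect after a reboot.'
}

# Finally, flag any removable drive that is mounted right now (DriveType 2 = removable).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { Write-Warning "Removable drive currently present: $($_.DeviceID)" }
```

In a domain, the same three values would normally be delivered as Group Policy preferences or through the Removable Storage Access policies rather than set per host; the audit half of the script is still useful there, because it reads what the host actually has, not what the policy was supposed to push. Disabling USBSTOR does not block USB keyboards or mice, which use different drivers, so the control does not lock operators out of the console.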

  3. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 5, Insightful

    3. Do not ALLOW any USB based access to any of the networked machines, ever. If at all, the USB drive needs to be connected to a Linux machine, that does not auto-mount or run any auto-magic stuff. Then, any files that need to be sent to the server need to be quarantined prior to updating.

    The problem is the entire process of adding the software in the first place. The application should have been placed into a sterile test environment and proved out prior to ever being approved, then moved in a secure fashion to a staging environment for actual deployment. This whole thing reeks of massive violations of best practices, no matter what OS you happen to be using.

    For example: "ICS-CERT recommended that the power facility adopt new USB use guidelines, including the cleaning of a USB device before each use."
    Uh, yea NO SHIT. I work for an ISP and any code deployments which have to be done via USB, flash, or any other removable media MUST be done using company-owned media devices, that media is completely sterilized and staged in a pre-production environment prior to actual deployment. Anybody who let a contractor use his own equipment for such a deployment would be sacked without a second thought, and for this type of critical system we wouldn't rely on an outside contractor in the first place. Whoever is in charge of their practices and network/IT policies needs to be fired immediately and replaced by someone who is at least halfway competent.

  4. Re: Fire him by Anonymous Coward · · Score: 4, Funny

    When firing him, make him walk past all the other employees lined up at the front doors, who turn their backs one by one as he passes them. And as he walks to his car, the slow-clap chant of "unclean, unclean, unclean" should be encouraged. And a hail of out of date McAfee trial disks thrown at his car as he drives away.

    No. It's not to punish him further, it's to reinforce acceptable group behaviour on those who remain.

    "We don't do this to you if you steal a laptop or a roll of copper wire. We don't do this to you if you sneak out at noon every day. This is the thing we do this for."

  5. Re:Don't DEAL with problems, SOLVE them... by thegarbz · · Score: 4, Interesting

    1. hahahahahahhahahahahah. Ok in all seriousness that is not only laughable but often actually simply illegal. The modern control world will often mandate some form of external data transfer live directly from the control system, and this is before taking into account satellite operated systems and other potentially unmanned sites. If you think that an airgap from other networks is the end of the discussion you've effectively made all your solutions unworkable in the industry.

    Much debugging is done over the network looking at live data trends.
    Much maintenance is done over the network through the use of smart instruments and asset management systems.
    Much analysis and improvement to processes, reliability analysis of critical machinery, and other such activities are done in a way which require some connection to the control system.

    Not to mention that airgap gives people a hell of a false sense of security.

    2. This is not only a good idea, but it's actually also a requirement by many vendors.

    3. Unworkable. Engineers will have your balls in a vice before you get through the commissioning phase. Mainly because you won't get through the commissioning phase as something will be wrong and there's no way to get data on or off the machine in question. The idea of locking it down to prevent autoruns is good. Providing sterilised USB keys for use is good too. Most of the problems are brought in from home, not transferred between work machines and the process network.

    4. WiFi ... on a process network? Dear god why! WiFi used for field devices should sit on their own isolated network with very careful and selective routing only to the aforementioned non-airgapped process network.

  6. Re:Why the hell by c0lo · · Score: 3, Interesting

    ... would any machine running Windows be attached to or associated with anything that was critical to the operation of a power plant?!

    Just in case you are scared about power plant failures - don't be! There are much better things to be worried about.

    For example - only a bit more than 4 years ago, the UK Navy finished retrofitting its nuclear subs with... Windows XP and 2000! For sensors and weapons control no less. At the time, /.ers coined a new meaning for the BSOD.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  7. Be careful of the back port by unix_core · · Score: 4, Funny

    I've heard the infection spreads more easily if you stick it in the port on the backside. I know for most people, it's a PITA to do that. You might have to get down on your knees and so on, though there are those who prefer it and for them it's especially important to use adequate protection.

  8. Re:ICSCERT? by azalin · · Score: 2

    Well I'm not advocating this specific agency but
    a) Companies will not publish incident details, unless forced to in one way or the other. It is not in their, or their shareholders', best interest to be open about mistakes. The systems used are probably not unique and are in use by several other companies as well. So if a flaw/known attack vector exists, others should be warned, so they can secure them.
    b) A single incident is not a big deal, but what about ten, or a hundred? Power is a strategic resource in this country and must be treated as such.

  9. Re:Why the hell by inasity_rules · · Score: 2

    Because it is the industry standard and they would be fired for suggesting otherwise? Wake up, the world isn't full of perfect ideals.

    --
    I have determined that my sig is indeterminate.
  10. Well known tactic by PacRim+Jim · · Score: 2

    Hackers know that if you leave a dozen or so thumb drives around the parking lot of a target company, at least one person will be unable to resist looking to see what's on it.

  11. Re:Don't DEAL with problems, SOLVE them... by AmiMoJo · · Score: 2

    Won't help. You still have to make sure people use them, and all the control software runs on Windows.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC