Slashdot Mirror


Malware Infects US Power Facilities Through USB Drives

angry tapir writes "Two U.S. power companies have reported infections of malware during the past three months, with the bad software apparently brought in through tainted USB drives, according to the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The publication (PDF) did not name the malware discovered. The tainted USB drive came in contact with a 'handful of machines' at the power generation facility and investigators found sophisticated malware on two engineering workstations critical to the operation of the control environment, ICS-CERT said."

9 of 136 comments

  1. Scan the security cameras... by eksith · · Score: 5, Insightful

    ...If they have them installed and actually recording. Find out which ones were inserting the USB drives in question, fire them and ban them from ever being hired at any infrastructure facilities. Train the remaining employees in security best practices and run random scans of any equipment they bring into the premises.

    More often than not security breaches are a result of an oversight, but far too often, it's laziness and incompetence.

    --
    If computers were people, I'd be a misanthrope.
    1. Re:Scan the security cameras... by Anonymous Coward · · Score: 3, Insightful

      They know who did it - it was apparently a contractor installing software.

      And banning USB keys or "scanning" is not the solution - the solution is to not use vulnerable crap like Windows for any critical functions at something like a power plant. Although banning/firing any contractor that specified a Windows-based system for the installation in the first place could be a good first step.

    2. Re:Scan the security cameras... by aurispector · · Score: 5, Funny

      Windows is the de facto standard, and as such the bulk of malware is targeted at it. Pick any platform, make it the standard and the amount of malware written for it will explode.

      Nice rhymes BTW - that English degree is paying off for you!

      --
      I have mod points. The reign of terror begins now.
    3. Re:Scan the security cameras... by benjymouse · · Score: 5, Insightful

      the solution is to not use vulnerable crap like windows for

      Right. So there would never be any risk when using Linux?

      http://www.h-online.com/open/news/item/USB-driver-bug-exposed-as-Linux-plug-pwn-1203617.html

      http://news.softpedia.com/news/Researcher-Demonstrates-USB-Autorun-Attack-on-Linux-183611.shtml

      http://linux.slashdot.org/story/11/02/07/1742246/usb-autorun-attacks-against-linux

      http://www.omgubuntu.co.uk/2011/02/how-usb-autorun-malware-could-easily-infect-linux

      You are stupid to think that any OS is free of such problems. Or you are just blind to facts because of Linux fanaticism.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  2. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 5, Insightful

    3. Do not ALLOW any USB based access to any of the networked machines, ever. If at all, the USB drive needs to be connected to a Linux machine that does not auto-mount or run any auto-magic stuff. Then, any files that need to be sent to the server need to be quarantined prior to updating.

    The problem is the entire process of adding the software in the first place. The application should have been placed into a sterile test environment and proved out prior to ever being approved, then moved in a secure fashion to a staging environment for actual deployment. This whole thing reeks of massive violations of best practices, no matter what OS you happen to be using.

    For example: "ICS-CERT recommended that the power facility adopt new USB use guidelines, including the cleaning of a USB device before each use."
    Uh, yea NO SHIT. I work for an ISP and any code deployments which have to be done via USB, flash, or any other removable media MUST be done using company-owned media devices, and that media is completely sterilized and staged in a pre-production environment prior to actual deployment. Anybody who let a contractor use his own equipment for such a deployment would be sacked without a second thought, and for this type of critical system we wouldn't rely on an outside contractor in the first place. Whoever is in charge of their practices and network/IT policies needs to be fired immediately and replaced by someone who is at least halfway competent.
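    The quarantine step this comment describes (media checked on a non-auto-mounting host, contents staged and approved before deployment) can be made mechanical. The script below is an added example, not from the thread or from ICS-CERT; it assumes the quarantine host has already mounted the media read-only with `-o ro,noexec,nodev,nosuid`, and that the staging environment produced a manifest of approved files in `sha256sum` format. The file and directory names are constructed for the demo.

    ```sh
    #!/bin/sh
    # Added example: quarantine-station check for removable media.
    # $1 = mount point of the (read-only, noexec) media
    # $2 = manifest from staging, one "sha256  ./relative/path" line per file

    # Exit 0 only if no autorun hook is present and the set of files on the
    # media (names and SHA-256 hashes) is exactly the approved set:
    # no extra files, nothing missing, nothing altered.
    verify_media() {
        media="$1"
        manifest="$2"
        # Reject an autorun.inf outright, whatever the manifest says.
        if find "$media" -maxdepth 1 -iname 'autorun.inf' | grep -q .; then
            echo "REJECT: autorun.inf present on media" >&2
            return 1
        fi
        actual=$(mktemp) && expected=$(mktemp) || return 2
        # Hash every file relative to the media root; sort both sides so a
        # byte-for-byte compare catches extras, omissions and changed hashes.
        (cd "$media" && find . -type f -exec sha256sum {} +) | sort > "$actual"
        sort "$manifest" > "$expected"
        if ! cmp -s "$expected" "$actual"; then
            echo "REJECT: media differs from approved manifest:" >&2
            diff "$expected" "$actual" >&2
            rm -f "$actual" "$expected"
            return 1
        fi
        rm -f "$actual" "$expected"
        echo "OK: media matches approved manifest"
        return 0
    }

    # Constructed sample: a staged "deployment" and the manifest made for it.
    build_sample() {
        dir=$(mktemp -d)
        mkdir -p "$dir/media/deploy"
        printf 'example payload v1\n' > "$dir/media/deploy/update.bin"
        (cd "$dir/media" && find . -type f -exec sha256sum {} +) > "$dir/approved.txt"
        echo "$dir"
    }

    sample=$(build_sample)
    verify_media "$sample/media" "$sample/approved.txt"
    # Simulate tampering after approval: the hash no longer matches.
    printf 'tampered' >> "$sample/media/deploy/update.bin"
    verify_media "$sample/media" "$sample/approved.txt" || echo "tampered media rejected"
    ```

    The manifest must be generated in the staging environment and carried separately from the media, otherwise a modified drive could simply ship its own matching manifest.
    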

  3. Re: Fire him by Anonymous Coward · · Score: 4, Funny

    When firing him, make him walk past all the other employees lined up at the front doors, who turn their backs one by one as he passes them. And as he walks to his car, the slow-clap chant of "unclean, unclean, unclean" should be encouraged. And a hail of out of date McAfee trial disks thrown at his car as he drives away.

    No. It's not to punish him further, it's to reinforce acceptable group behaviour on those who remain.

    "We don't do this to you if you steal a laptop or a roll of copper wire. We don't do this to you if you sneak out at noon every day. This is the thing we do this for."

  4. Re:Don't DEAL with problems, SOLVE them... by thegarbz · · Score: 4, Interesting

    1. hahahahahahhahahahahah. Ok in all seriousness that is not only laughable but often actually simply illegal. The modern control world will often mandate some form of external data transfer live directly from the control system, and this is before taking into account satellite operated systems and other potentially unmanned sites. If you think that an airgap from other networks is the end of the discussion you've effectively made all your solutions unworkable in the industry.

    Much debugging is done over the network looking at live data trends.
    Much maintenance is done over the network through the use of smart instruments and asset management systems.
    Much analysis and improvement to processes, reliability analysis of critical machinery, and other such activities are done in a way which require some connection to the control system.

    Not to mention that airgap gives people a hell of a false sense of security.

    2. This is not only a good idea, but it's actually also a requirement by many vendors.

    3. Unworkable. Engineers will have your balls in a vice before you get through the commissioning phase. Mainly because you won't get through the commissioning phase as something will be wrong and there's no way to get data on or off the machine in question. The idea of locking it down to prevent autoruns is good. Providing sterilised USB keys for use is good too. Most of the problems are brought in from home, not transferred between work machines and the process network.

    4. WiFi ... on a process network? Dear god why! WiFi used for field devices should sit on their own isolated network with very careful and selective routing only to the aforementioned non-airgapped process network.

  5. Re:Why the hell by c0lo · · Score: 3, Interesting

    ... would any machine running Windows be attached to or associated with anything that was critical to the operation of a power plant?!

    Just in case you are scared about power plant failures - don't! There are much better things to be worried about.

    For example - only a bit more than 4 years ago, the UK Navy finished retrofitting its nuclear subs with... Windows XP and 2000! For sensors and weapons control no less. At the time, /.ers coined a new meaning for the BSOD.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  6. Be careful of the back port by unix_core · · Score: 4, Funny

    I've heard the infection spreads more easily if you stick it in the port on the backside. I know for most people, it's a PITA to do that. You might have to get down on your knees and so on, though there are those who prefer it and for them it's especially important to use adequate protection.