Critical control systems inside two US power generation facilities were found infected with computer malware, according to the US Industrial Control Systems Cyber Emergency Response Team.
Both infections were spread by USB drives that were plugged into critical systems used to control power generation equipment, according to the organization's newsletter for October, November, and December of 2012. The authors didn't identify the owners of the facilities and there's no indication the infections resulted in injuries or equipment failures.
The incidents were reported earlier by Threat Post, and they are the latest to underscore the vulnerabilities posed by so-called supervisory control and data acquisition systems that aren't properly secured. SCADA and industrial control systems use computers to flip switches, turn dials, and manipulate other controls inside dams, power-generation plants, and other critical infrastructure. Computer malware that infects those systems can pose a threat by giving remote attackers the ability to sabotage sensitive equipment. Last year, a backdoor in a widely used piece of industrial software allowed hackers to illegally access a New Jersey company's internal heating and air-conditioning system.
According to one article in the newsletter, one of the infections was discovered after an employee experienced problems with the USB drive and called in IT staff to troubleshoot.
"When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits," the newsletter reported. "Initial analysis caused particular concern when one sample was linked to known sophisticated malware."
Based on the article, it's not clear if the control system workstations use any form of antivirus protection.
Jan 16 (Reuters) - A computer virus attacked a turbine control system at a U.S. power company last fall when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant offline for three weeks, according to a report posted on a U.S. government website.
The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.
It was introduced by an employee of a third-party contractor that does business with the utility, according to the agency.
DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure.
In addition to not identifying the plants, a DHS spokesman declined to say where they are located.
Interest in the area has surged since 2010 when the Stuxnet computer virus was used to attack Iran's nuclear program. Although the United States and Israel were widely believed to be behind Stuxnet, experts believe that hackers may be copying the technology to develop their own viruses.
Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive. Attackers use that technique to place malicious software on computer systems that are "air gapped," or cut off from the public Internet.
"This is yet another stark reminder that even if a true 'air gap' is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur," he said.
On January 17, 2013 by Max Smolaks
The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has revealed that last year, “sophisticated” malware was discovered at two power plants in the US, and kept one of them out of commission for three weeks.
Just like with Stuxnet and uranium enrichment centrifuges in 2010, the computer systems were infected through a USB drive used by an unsuspecting engineer.
The information was published in the ‘ICS-CERT Monitor’ quarterly newsletter. In it, the organisation stated that it expects the number of attacks of this type to increase.