Power plants infected with malware through USB sticks

Jan. 17, 2013
Incidents highlight cyber vulnerabilities faced by operators of critical infrastructure

According to a recent report from the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), two power plants were recently found to have malware in their systems as a result of infected USB drives.

One of the infections was discovered when an employee at a power plant asked an IT worker to check his USB drive after experiencing intermittent issues with it. When the IT worker plugged the USB stick into a computer with up-to-date anti-virus software, it was discovered that the drive contained sophisticated malware. According to the report, signs of the malware were discovered on two engineering workstations.

"The organization also identified during the course of the investigation that it had no backups for the two engineering workstations. Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact," wrote ICS-CERT in the October-December 2012 Monitor.

In the other incident, a power company reported that it suffered a virus infection in one of its turbine control systems after a third-party technician used a USB drive to upload software updates into the system. As a result, the plant’s restart was delayed by three weeks.

According to Dave Pack, director of labs at IT security firm LogRhythm, USB sticks are an "excellent attack vector" for those seeking to disrupt operations in industrial control systems.

"In cases like this, where an ICS/SCADA-like infrastructure is air gapped and removable media must be frequently used to support operations, it’s important that organizations include security into their processes and procedures to ensure nothing malicious is inadvertently being introduced into the environment," he said in a statement. "Removable media used in operations like this should be frequently scanned for malware, and strict policies should be put in place and enforced to control how the media is stored and used."
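To illustrate the kind of removable-media check-in step Pack describes, the following is an added example written for this article; it is not code from the ICS-CERT report, LogRhythm, or either affected plant. It assumes a constructed policy (permitted file types, a short list of file names that warrant escalation) and a constructed vendor-declared manifest of expected files and their SHA-256 hashes, and it builds a small sample "drive" in a temporary directory so it runs offline.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed policy (an assumption for this example, not from the report):
# file types a vendor update medium is expected to carry, file types that are
# never accepted on transfer media, and names that trigger escalation.
ALLOWED_SUFFIXES = {".txt", ".pdf", ".csv", ".bin", ".hex"}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}
ESCALATE_NAMES = {"autorun.inf"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large update images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_media(root: Path, approved: dict[str, str]) -> list[str]:
    """Compare the medium against policy and against the declared manifest.

    approved maps relative path -> expected SHA-256 for every file the vendor
    declared in advance. Each finding starts with ESCALATE, BLOCK or REVIEW.
    """
    findings = []
    seen = inventory(root)
    for rel, digest in seen.items():
        name = Path(rel).name
        ext = Path(rel).suffix.lower()
        if name.lower() in ESCALATE_NAMES:
            findings.append(f"ESCALATE {rel}: autorun-style file present")
        if ext in EXECUTABLE_SUFFIXES:
            findings.append(f"BLOCK {rel}: executable content not permitted on transfer media")
        elif ext not in ALLOWED_SUFFIXES:
            findings.append(f"REVIEW {rel}: unexpected file type {ext or '(none)'}")
        if name.startswith("."):
            findings.append(f"REVIEW {rel}: hidden file")
        if rel not in approved:
            findings.append(f"REVIEW {rel}: not in declared manifest")
        elif approved[rel] != digest:
            findings.append(f"BLOCK {rel}: hash differs from manifest")
    for rel in approved:
        if rel not in seen:
            findings.append(f"REVIEW {rel}: declared in manifest but missing from media")
    return findings


def verdict(findings: list[str]) -> str:
    """Collapse findings into the single decision a check-in desk acts on."""
    if any(f.startswith("ESCALATE") for f in findings):
        return "ESCALATE"
    if any(f.startswith("BLOCK") for f in findings):
        return "BLOCK"
    return "REVIEW" if findings else "ALLOW"


def build_sample_media() -> tuple[Path, dict[str, str]]:
    """Constructed sample drive: one file matching its manifest entry, one whose
    content differs from the manifest, an undeclared executable, and an autorun.inf."""
    root = Path(tempfile.mkdtemp(prefix="usb_checkin_"))
    (root / "updates").mkdir()
    (root / "updates" / "firmware.hex").write_bytes(b":10000000CONSTRUCTED\n")
    (root / "updates" / "release_notes.txt").write_bytes(b"v2.1 release notes\n")
    (root / "updates" / "installer.exe").write_bytes(b"MZ constructed placeholder")
    (root / "autorun.inf").write_bytes(b"[autorun]\n")
    approved = {
        "updates/firmware.hex": sha256_file(root / "updates" / "firmware.hex"),
        # The manifest declares a different release_notes.txt than the one on the medium.
        "updates/release_notes.txt": hashlib.sha256(b"v2.0 release notes\n").hexdigest(),
    }
    return root, approved


if __name__ == "__main__":
    drive, manifest = build_sample_media()
    results = check_media(drive, manifest)
    for line in results:
        print(line)
    print("verdict:", verdict(results))
```

The point of the manifest comparison is that an anti-virus scan alone only catches what the scanner already knows; requiring the technician to declare in advance which files the medium carries, and refusing anything undeclared or altered, turns an unexpected file into a blocking event even when no signature matches it.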

Both of these incidents highlight the cyber vulnerabilities facing critical infrastructure sites around the world and how something as simple as using a thumb drive to back up data could lead to catastrophic results.

"It is time for those that run our critical infrastructure to understand that it is no longer a question of if there will be an advanced attack, but rather when," Jeff Hudson, CEO of Venafi, a provider of Enterprise Key and Certificate Management (EKCM) solutions, said in a statement. "Organizations must evaluate their vulnerabilities from outside sources as well as insider threats, whether innocent or not, and establish safe practices for employees as well as implement proper security precautions and effective control management to reduce the attack risk. History has taught us that malware such as Stuxnet, designed specifically to target industrial facilities, leverages social engineering and stolen digital certificates to remain undetected and authenticate on the secure network. There was simply no reason for these plants, or any others at this point, not to be prepared for this type of attack."