The U.S. Computer Emergency Readiness Team reports that a U.S.-based power generating facility was shut down after a contract employee introduced malware into the turbine control systems and into engineering workstations. The contractor routinely used his USB drive to perform updates on control systems as well as workstations in the power plant.
US-CERT, which is part of the U.S. Department of Homeland Security, declined to identify which power plant was affected, and did not say whether the facility was operating on nuclear or conventional power. Industrial control systems frequently use Windows-based computers to run their specialized software, but they rarely run antivirus software because these computers aren’t connected to outside networks. However, using a USB drive to perform updates is common on these systems.
ICS-CERT, which is the division of US-CERT responsible for industrial control systems, reported the malware infection in its Monthly Monitor, which actually covered October through December. The Monitor report described the incident, saying that when the USB memory drive began to exhibit performance issues, the contractor asked the facility IT staff to check it. The check revealed two different types of malware: one was designed to perform identity theft, and the other was a sophisticated type of malware that ICS-CERT did not identify.
ICS-CERT also found that the engineering workstations did not have backups and did not have antivirus software. US-CERT was able to clean the malware from the workstations and to remove it from the turbine control systems that were affected. The other workstations and other systems at the power plant weren’t affected. Following the discovery of the malware, US-CERT issued a number of recommendations.
The first recommendation was something that should be one of those “Duh” moments. The workstations should have had antivirus software installed, and they should have had backups and hot spares in place, since they were critical to running the power plant and were therefore part of the critical infrastructure.
While the turbine control systems couldn’t run antivirus software, the USB drive could and should have been checked before use. All the drive contained were configuration files, and replacing those should not have been a big deal if the USB memory drive had required replacement. So we have another “Duh” moment.
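One way to make that pre-use check concrete, as an added example (not US-CERT's or the plant's own code): verify the drive against a manifest of approved configuration files and flag anything the manifest does not account for. The file names, contents and manifest below are constructed for the demonstration; a real manifest would be produced when the update media is built.

```python
# Check removable media used for control-system updates against a manifest of
# approved configuration files (relative path -> SHA-256).  Added example, not ICS-CERT code.
import hashlib
import tempfile
from pathlib import Path

# File types that have no business on a configuration-only update drive.
SUSPECT_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".inf", ".vbs", ".js", ".bat", ".ps1"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_media(root, manifest):
    """Return only non-empty findings; an empty dict means the drive is exactly as built."""
    root = Path(root)
    findings = {"unexpected": [], "modified": [], "suspect": []}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if p.suffix.lower() in SUSPECT_SUFFIXES:
            findings["suspect"].append(rel)  # executable content: quarantine the drive
        if rel not in manifest:
            findings["unexpected"].append(rel)  # not on the approved list at all
        elif sha256_of(p) != manifest[rel]:
            findings["modified"].append(rel)  # approved name, but contents changed
    findings["missing"] = sorted(set(manifest) - seen)
    return {k: sorted(v) for k, v in findings.items() if v}

def build_demo_drive(tamper: bool = True):
    """Constructed sample drive: two approved config files, optionally tampered after sign-off."""
    d = Path(tempfile.mkdtemp())
    (d / "turbine").mkdir()
    (d / "turbine" / "governor.cfg").write_bytes(b"setpoint=3600\n")
    (d / "plc.ini").write_bytes(b"[plc]\nip=10.0.0.5\n")
    manifest = {rel: sha256_of(d / rel) for rel in ("turbine/governor.cfg", "plc.ini")}
    if tamper:  # changes made to the drive after the manifest was produced
        (d / "plc.ini").write_bytes(b"[plc]\nip=10.0.0.5\nmode=debug\n")
        (d / "update.exe").write_bytes(b"MZ constructed placeholder, not a real binary")
    return d, manifest

if __name__ == "__main__":
    drive, manifest = build_demo_drive()
    print(check_media(drive, manifest) or "drive matches manifest")
```

Any non-empty result should stop the update until the drive has been rebuilt from known-good configuration files, which is cheap precisely because, as above, a configuration-only drive is easy to replace.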
While the folks at US-CERT didn’t mention anything about the power-plant IT staff being disciplined, or at least tied to a mast and flogged, that seems like the appropriate means of instilling the lesson. After Stuxnet, the idea that malware can travel on USB drives is no secret. In fact, it’s a favorite vector for distributing malware to computers that aren’t on the Internet. How could the managers in this power company’s operations center not have known this?