USB Storage Drive Loaded With Malware Shuts Down Power Plant
Of course the chances are, they did know, but were either too set in their ways to change anything or too complacent to make the effort. Or it could have been both. Inertia and complacency are the enemies of good management in every realm and it’s no different in IT management. But the means of dealing with the problem aren’t a secret. US-CERT has published a paper on the risks of using USB drives and the means of staying safe when using them aren’t rocket science. USB drive safety is part of the US-CERT’s Defense in Depth approach to the security of industrial control systems. It’s critical for companies that are part of the US critical infrastructure to be familiar with it. But let’s say your company isn’t part of the critical infrastructure. Let’s say your company is just an average company with an average IT department. That likely means that your company has an average level of complacency, which probably means nobody in your IT department has scanned a USB drive for malware since the technology was invented. Considering that you already have the anti-malware software on your computers (you DO have antimalware software, don’t you?) it costs nothing to scan a USB drive and takes only seconds. This is a zero-cost safety solution for your company that only requires one thing–that you go to the trouble to do it. In fact, I just scanned a 32 GB USB drive while I was writing this paragraph. Running the scan took less time.In the case of the power plant malware infection, the ICS-CERT said that the contractor was not aware that the malware was on the USB drive. But they don’t answer the obvious question, which is why not? The power plant is part of the U.S. critical infrastructure and malware in that infrastructure is a critical problem. Maybe it’s time to hold IT staffers accountable for this kind of “Duh” moment. There’s probably some kind of politically correct rule about flogging at the mast, but maybe termination for cause, and a requirement to reimburse the company for the total cost of the cleanup would get some attention. But I still think the cat o’ nine tails has a certain charm.
So why don’t companies insist that such a simple protection become routine? Part of the answer is complacency. Part of the answer is a lack of requirements that it be accomplished, which may be inertia. But the reason for either is a lack of incentive to do things properly.