The U.S. Computer Emergency Readiness Team reports that a U.S.-based power generating facility was shut down after a contract employee introduced malware into the turbine control systems and into engineering workstations. The contractor routinely used his USB drive to perform updates on control systems as well as workstations in the power plant.
US-CERT, which is part of the U.S. Department of Homeland Security, declined to identify which power plant was affected, and did not say whether the facility was operating on nuclear or conventional power. Industrial control systems frequently use Windows-based computers to run their specialized software, but they rarely run antivirus software because these computers aren’t connected to outside networks. However, using a USB drive to perform updates is common on these systems.
ICS-CERT, which is the division of US-CERT responsible for industrial control systems, reported the malware infection in its Monthly Monitor, which actually covered October through December. The Monitor report described the incident, saying that when the USB memory drive began to exhibit performance issues, the contractor asked the facility IT staff to check it. The check revealed two different types of malware: one type was designed to perform identity theft, and the other was a sophisticated type of malware that ICS-CERT did not identify.
ICS-CERT also found that the engineering workstations did not have backups and did not have antivirus software. US-CERT was able to clean the workstations of the malware, and it was able to remove malware from the turbine control systems that were affected. The other workstations and other systems at the power plant weren’t affected. Following the finding of malware, US-CERT issued a number of recommendations.
The first recommendation was something that should be one of those “Duh” moments. The workstations should have had antivirus software installed and they should have had backups and hot spares in place since they were critical to running the power plant and as a result were part of the critical infrastructure.
While the turbine control systems couldn’t run antivirus software, the USB drive could and should have been checked before use. All the drive contained were configuration files, and replacing those should not have been a big deal if the USB memory drive had required replacement. So we have another “Duh” moment.
While the folks at US-CERT didn’t mention anything about the power-plant IT staff being disciplined, or at least tied to a mast and flogged, that seems like the appropriate means of instilling the lesson. After Stuxnet, the idea that malware can travel on USB drives is no secret. In fact, it’s a favorite vector for distributing malware to computers that aren’t on the Internet. How could the managers in this power company’s operations center not have known this?
USB Storage Drive Loaded With Malware Shuts Down Power Plant
Of course the chances are, they did know, but were either too set in their ways to change anything or too complacent to make the effort. Or it could have been both. Inertia and complacency are the enemies of good management in every realm and it’s no different in IT management.
But the means of dealing with the problem aren’t a secret. US-CERT has published a paper on the risks of using USB drives and the means of staying safe when using them aren’t rocket science. USB drive safety is part of the US-CERT’s Defense in Depth approach to the security of industrial control systems. It’s critical for companies that are part of the US critical infrastructure to be familiar with it.
But let’s say your company isn’t part of the critical infrastructure. Let’s say your company is just an average company with an average IT department. That likely means that your company has an average level of complacency, which probably means nobody in your IT department has scanned a USB drive for malware since the technology was invented.
Considering that you already have the anti-malware software on your computers (you DO have anti-malware software, don’t you?), it costs nothing to scan a USB drive and takes only seconds. This is a zero-cost safety solution for your company that only requires one thing: that you go to the trouble to do it. In fact, I just scanned a 32 GB USB drive while I was writing this paragraph. Running the scan took less time than writing it.
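The check the column argues for in this paragraph and in the earlier point that the drive should have carried nothing but configuration files can be made routine rather than left to memory. The following is an added example, not code from the article or from ICS-CERT: it vets a mounted removable drive against a manifest of approved configuration files (the manifest, file names and contents are constructed assumptions, since the page does not name the real files) and flags anything modified, unexpected, missing, or of a type that has no business on a configuration-only drive. It is meant to run alongside, not instead of, a conventional anti-malware scan of the same drive.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: a configuration-only drive should never carry executables or an autorun file.
BLOCKED_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".vbs", ".js", ".bat", ".ps1"}
BLOCKED_NAMES = {"autorun.inf"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def vet_media(root: Path, approved: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root (the mounted drive) with the approved manifest,
    mapping relative path -> expected SHA-256. Returns findings by category."""
    findings = {"modified": [], "unexpected": [], "blocked": [], "missing": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if path.name.lower() in BLOCKED_NAMES or path.suffix.lower() in BLOCKED_SUFFIXES:
            findings["blocked"].append(rel)
        elif rel not in approved:
            findings["unexpected"].append(rel)
        elif sha256_of(path) != approved[rel]:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(approved) - seen)
    return findings


def media_is_clean(findings: dict[str, list[str]]) -> bool:
    """True only when every category is empty; anything else blocks the drive."""
    return not any(findings.values())


def demo() -> dict[str, list[str]]:
    """Build a constructed sample drive in a temp directory and vet it."""
    drive = Path(tempfile.mkdtemp())
    good = b"governor_setpoint=3600\n"
    approved = {"turbine/governor.cfg": hashlib.sha256(good).hexdigest(),
                "turbine/alarms.cfg": hashlib.sha256(b"overspeed=110\n").hexdigest()}
    (drive / "turbine").mkdir()
    (drive / "turbine/governor.cfg").write_bytes(good)              # matches manifest
    (drive / "turbine/alarms.cfg").write_bytes(b"overspeed=125\n")  # tampered value
    (drive / "autorun.inf").write_bytes(b"[autorun]\n")             # blocked by name
    (drive / "update.exe").write_bytes(b"MZ-constructed-stub")      # blocked by suffix
    (drive / "notes.txt").write_bytes(b"")                          # not in manifest
    return vet_media(drive, approved)
```

Mount the drive read-only before running the check so that vetting it cannot itself write to the media.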
So why don’t companies insist that such a simple protection become routine? Part of the answer is complacency. Part of the answer is a lack of requirements that it be accomplished, which may be inertia. But the reason for either is a lack of incentive to do things properly.
In the case of the power plant malware infection, ICS-CERT said that the contractor was not aware that the malware was on the USB drive. But it doesn’t answer the obvious question, which is why not? The power plant is part of the U.S. critical infrastructure, and malware in that infrastructure is a critical problem.
Maybe it’s time to hold IT staffers accountable for this kind of “Duh” moment. There’s probably some kind of politically correct rule about flogging at the mast, but maybe termination for cause, and a requirement to reimburse the company for the total cost of the cleanup would get some attention. But I still think the cat o’ nine tails has a certain charm.