
Viruses infect vital control systems at TWO US power stations

Two US power stations were infected by malware in the last quarter of 2012, according to a report by the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). USB flash drives packed with software nasties were blamed for a compromise of industrial control systems in both cases …

COMMENTS

Anonymous Coward

god forbid that the US gets hammered by the same malware infecting Iranian nuke facilities.


that's what I'd call shitting on your own doorstep ;)

Silver badge
Trollface

It's like the AR-15 direct impingement system!

Silver badge
FAIL

Don't they have sysadmins and their pesky group policies?

Silver badge
FAIL

Oh FFS, just how incompetent do they have to be? Turn off, disable and kill auto-run with prejudice. It's not an especially difficult concept to grasp, but so many industrial control systems still have it enabled.

I'll admit that MS have made it moronically hard to fully disable unless XP SP3 is installed along with one or more updates; prior to that, turning it off didn't actually turn the fecking thing off completely. After all, MS knows best on how to propagate viruses easily, and what harm can there be from automatically running executable files from arbitrary removable devices?

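The autorun point above is worth checking rather than assuming. The following PowerShell audit is added here as an example and is not code from the thread, from The Register or from the ICS-CERT report. It reads the three registry values that the "Turn off Autoplay" / "Default behavior for AutoRun" policies and the KB967715 fix use, reports whether each matches the hardened value, and can optionally set them. The function and parameter names (`Get-AutorunPolicy`, `-Remediate`) are my own.

```powershell
# Added example (not from the thread): audit and, optionally, enforce the
# registry values that disable AutoRun for removable media on Windows.
# Registry path and value names are the documented ones written by the
# "Turn off Autoplay" / "Default behavior for AutoRun" policies and by the
# KB967715 fix; the function and parameter names are assumptions of mine.

function Get-AutorunPolicy {
    [CmdletBinding()]
    param(
        # When set, write the hardened values instead of only reporting.
        [switch]$Remediate
    )

    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    $checks = @(
        # 0xFF = disable AutoRun on every drive type, removable and unknown included.
        @{ Name = 'NoDriveTypeAutoRun';  Expected = 0xFF },
        # 1 = "Do not execute any autorun commands" (autorun.inf is ignored entirely).
        @{ Name = 'NoAutorun';           Expected = 1 },
        # 1 = the KB967715 behaviour is in place on XP/2003, so the values above are honoured.
        @{ Name = 'HonorAutoRunSetting'; Expected = 1 }
    )

    if (-not (Test-Path $explorer) -and $Remediate) {
        New-Item -Path $explorer -Force | Out-Null
    }

    foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $explorer -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = ($null -ne $current) -and ($current -eq $c.Expected)

        if (-not $ok -and $Remediate) {
            Set-ItemProperty -Path $explorer -Name $c.Name -Value $c.Expected -Type DWord
            $current = $c.Expected
            $ok = $true
        }

        $shown = if ($null -eq $current) { '<missing>' } else { '0x{0:X}' -f $current }

        [pscustomobject]@{
            Value     = $c.Name
            Current   = $shown
            Expected  = '0x{0:X}' -f $c.Expected
            Compliant = $ok
        }
    }
}

# Report only (works unprivileged):
Get-AutorunPolicy | Format-Table -AutoSize

# Enforce, from an elevated prompt:
# Get-AutorunPolicy -Remediate
```

Two caveats a practitioner would want: on Windows 7 and later the KB967715 behaviour is built in, so a missing `HonorAutoRunSetting` is not by itself a finding there; and these values only stop autorun.inf processing, they do not stop a user double-clicking whatever is on the stick, which is where device control (allow-listing approved keys) has to take over.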
Silver badge
Meh

Assuming the systems in question run Windows.... Neither the article nor the accompanying PDF specify an OS.

Anonymous Coward

"Assuming the systems in question run Windows.."

Care to suggest another operating system that is so lax ?

Anonymous Coward

> Care to suggest another operating system that is so lax ?

Linux.

http://www.h-online.com/open/news/item/USB-driver-bug-exposed-as-Linux-plug-pwn-1203617.html

http://www.charlescurley.com/blog/archives/2011/03/13/linux_usb_vulnerability/index.html

http://news.softpedia.com/news/Researcher-Demonstrates-USB-Autorun-Attack-on-Linux-183611.shtml

http://linux.slashdot.org/story/11/02/07/1742246/usb-autorun-attacks-against-linux

http://www.muktware.com/news/761/once-upon-time-there-was-usb-vulnerability-linux#.UPbg6Seqlws

Silver badge
Windows

@Nick Ryan: You are surely not suggesting that there are companies out there........

"unless XP SP3 is installed along with one or more updates"

.................running XP without both SP 2 and SP3 - say it ain't so. Nobody could be that stupid could they?

Bronze badge
Facepalm

Re: @Artic Fox: You are surely not suggesting that there are companies out there........

".................running XP without both SP 2 and SP3 - say it ain't so. Nobody could be that stupid could they?"

These are industrial control systems so they are probably running Windows 98.

Bronze badge

you got

an extremely weak case here... you don't have a case. One can discuss potential risks associated with external media on GNU/Linux. Another matter is to actually see it happening in the wild. Of course there is always an explanation of blaming 1% of users that no bad guy really cares about.

Bronze badge
FAIL

Re: @Nick Ryan: You are surely not suggesting that there are companies out there........

"Nobody could be that stupid could they?"

They're running Windows. So yes, yes, they could.

RW
Boffin

Re: @Artic Fox: You are surely not suggesting that there are companies out there........

They'd probably be safer running DOS.

Silver badge

"Linux.."

Evening RICHTO,

What you fail to grasp is that the 'examples' you give are bugs, which may or may not be exploitable. With older versions of Windows it was a design choice to let USB sticks auto-execute.

Bronze badge

Re: @Artic Fox: You are surely not suggesting that there are companies out there........

Windows 98 would be no problem, there's no way anyone got 98 to recognize a USB flash drive.

Silver badge
Stop

@Big-nosed Pengie

They're running Windows

[citation needed]

Bronze badge
WTF?

Why are they backing up to a Flash Drive in the first place?

Seriously? A Flash Drive for backups? In a corporate environment?

Silver badge

Re: Why are they backing up to a Flash Drive in the first place?

Not a bad idea IMAO.

Bronze badge
FAIL

@Destroy All Monsters

You have obviously never seen a Flash Drive fail...or get lost...have you.

Silver badge
Stop

Re: @Destroy All Monsters

"You have obviously never seen a Flash Drive fail...or get lost...have you."

You don't just rely on one tape back-up, so why assume anyone would rely on one USB.

As to the loss thing, there is literally no reason why the drives can't be chained to a brick!

I'd rather trust and use USB back-up than optical media or tape. It's not perfect, but with safeguards it's not an inherently stupid idea... and certainly not worth a 'Fail' icon...

Silver badge

Re: @Destroy All Monsters

>You have obviously never seen a Flash Drive fail...or get lost...have you.

You work on the concept that all devices fail, and so use them redundantly. And use encryption in case they get lost.

Years back at a nuclear power station in the UK, there used to be a standalone PC in the security hut, through which all floppy disks had to be passed.

These days they tend to use laptops with custom Linux distros to connect to their network.

Bronze badge

Re: @Destroy All Monsters

USB keys need to be controlled. There are encryption-controlled USB keys. They cost $$$ more than 'normal' USB keys. The PCs can then be locked down to not allow 'other' USB keys to activate on PCs.

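The post above describes the usual control: issue managed (encrypted) keys and lock the PCs down so that other keys do not activate. As an added example, not code from the thread or from any vendor, the PowerShell below implements that lock-down with the documented Device Installation Restrictions policy keys: it harvests the hardware IDs of the USB disks currently attached (so the approved keys can be enumerated while plugged in), writes an allow-list, and denies every device not on it. The function names and the sample hardware ID are my own; the ID is a constructed placeholder.

```powershell
# Added example (not from the thread): allow-list approved USB storage
# devices by hardware ID and deny installation of everything else, using
# the Device Installation Restrictions policy registry keys. Function names
# and the sample hardware ID are assumptions; the ID is a placeholder.

$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-AttachedUsbStorageIds {
    # Lists the hardware IDs of USB mass-storage disks attached right now.
    # Run this once per approved (managed, encrypted) key to collect the IDs.
    # Get-PnpDevice needs Windows 8 / PowerShell 4 or later.
    Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object { $_.HardwareID } |
        Sort-Object -Unique
}

function Set-UsbStorageAllowList {
    param(
        [Parameter(Mandatory)] [string[]]$AllowedHardwareIds
    )
    $allowKey = Join-Path $restrictions 'AllowDeviceIDs'
    New-Item -Path $allowKey -Force | Out-Null

    # "Prevent installation of devices not described by other policy settings"
    Set-ItemProperty -Path $restrictions -Name 'DenyUnspecified' -Value 1 -Type DWord
    # Turn the allow-list on; its entries are string values named 1, 2, 3, ...
    Set-ItemProperty -Path $restrictions -Name 'AllowDeviceIDs' -Value 1 -Type DWord

    $i = 1
    foreach ($id in $AllowedHardwareIds) {
        Set-ItemProperty -Path $allowKey -Name ([string]$i) -Value $id -Type String
        $i++
    }
}

function Test-UsbStorageAllowList {
    # $true only when unspecified devices are denied AND the allow-list is enabled.
    $p = Get-ItemProperty -Path $restrictions -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.DenyUnspecified -eq 1) -and ($p.AllowDeviceIDs -eq 1)
}

# Usage, from an elevated prompt. The ID below is a constructed placeholder:
# replace it with the output of Get-AttachedUsbStorageIds taken while an
# approved key is plugged in.
# Set-UsbStorageAllowList -AllowedHardwareIds @('USBSTOR\Disk&Ven_EXAMPLE&Prod_Managed_Key&Rev_1.00')
# Test-UsbStorageAllowList
```

Note that Device Installation Restrictions act when a device's driver is installed, so keys that were already in use on a machine before the policy was applied have to be dealt with separately, and in a domain the same settings would normally be pushed by Group Policy rather than written locally as here.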
Silver badge

Re: @Destroy All Monsters

I suspect the USB key was to copy some log files from a non-networked controller back to some central machine where they could be backed up properly.

Probably because the last security review demanded that all critical machines were disconnected from the network to protect them from viruses.

Megaphone

Re: @Destroy All Monsters

@ItsNotMe

One backup is no backup.

Bronze badge

Re: Why are they backing up to a Flash Drive in the first place?

A USB drive can be used to bridge the air-gap protecting a critical system. It works well because it's a manual process that can't run itself while everybody is away. Of course, you need to keep an eye on the details or all of that security is pointless.


Just the facts mam.

Just so people don't forget, this was NOT an internet hack, but some sort of social-engineering attack, or deliberate attack, in that infected USB drives were delivered into the hands of staff members of the facilities who then attached them to their PCs and thus compromised their systems and networks. All too often, this is how such stuff gets into play. As is often the case, people, not networks, are the weakest link!

Bronze badge

Re: Just the facts mam.

Maybe some operations and maintenance contracts are up for renewal at the plants in question....

Gold badge
Facepalm

"The subsequent cleanup operation was complicated by a lack of backups."

Not surprised they got infected if they're that fundamentally crap at looking after computers.

Bronze badge

Re: "The subsequent cleanup operation was complicated by a lack of backups."

This can happen if the cheapest of available quotes is always selected. It can also happen if a contract is awarded to a company on the basis that a director's relative works there.

Bronze badge
Coat

Re: "The subsequent cleanup operation was complicated by a lack of backups."

Or the old BOFH trick of directing your backups to /dev/null to speed them up and save a trip to the tape safe...

Silver badge

They'll learn

I'm sure they could design more robust systems and procedures. My guess is that they are working on the assumption that what they don't see won't hurt them. That, and going cheap where they shouldn't.


I'll bet ....

the computers infected were running ..... wait for it ..... Windows!

Windows is not robust enough to use in mission-critical real-time applications like a power plant.

That is the stupid user error that enabled this in the first place.

Anonymous Coward

Re: I'll bet ....

Neither is *NIX. As a long-time Linux user, collector of old UNIX variants, and fan of the UNIX philosophy, there are very few variants that would be able to handle this. Maybe a very stable release of OpenBSD.

Windows doesn't bear all the blame for this. It's crap, but so is everything else.

Silver badge

Re: I'll bet ....

The actual real-time control systems will use dedicated systems for the job. These are restricted systems and they do what they are designed to do and generally nothing more.

The management systems, on the other hand, are often Windows systems. This makes feasible the development task of producing a system that can collate figures, poke configuration changes onto control systems, generate reports and all the normal stuff that people, or more accurately end users and managers, need to see. In any properly designed system the actual operation side is independent of these management systems.

Silver badge

Re: I'll bet ....

* By restricted systems I mean proper control systems such as PLCs, not PCs.

Anonymous Coward

Re: I'll bet ....

You know a *NIX that will auto-run a USB stick?

Bronze badge

you got

an example of a virus infection of a single GNU/Linux machine in the wild through external media?

Silver badge

What they really need

Poor ol yanks, their nasty virus came back to kick em up the arse, if only they had had guns to protect themselves from these kinds of attacks, oh wait....


I wonder if this is the place where the clever chap who outsourced his own job worked?

(see article elsewhere in El Reg, I'm too lazy to include a link)

Bronze badge
Stop

Critical point

The malware in question is 'unspecified'; nowhere in the article does it state that this was a targeted attack.

Or that the malware was designed to disrupt the operation of these systems.

The fact they got infected is obviously a major security fail, but nowhere is it stated that the reason the machines were infected was deliberate.


Windows dropper

The common vuln for all these Windows dropper malwares is the Windows OS, which we need to get rid of immediately.

FAIL

Why the hell are these systems still running Windows??

Are they totally dense or what? We don't even know what a virus infection looks like since switching to Linux 5 years ago. These jokers know that Stuxnet and the like were created to attack Iran (probably by the US) and now they're turning on themselves.

It's not that hard to move away from Windows, for Pete's sake!!

Anonymous Coward

Re: Why the hell are these systems still running Windows??

If it's a targeted attack where the attacker targets the specific company or sector, another OS will not help. Linux has more than twice the number of vulnerabilities discovered in the *kernel* compared to Windows, year after year.

If the attackers target a specific entity that uses Linux, they will just use one of the Linux vulns. Because of the distro system, an attacker who monitors kernel commits can gain information about vulnerabilities weeks or months before they sift through to the distros and become available as patches.

There have been *many* Linux vulnerabilities (and exploits) in USB drivers.

Bronze badge

@the vulnerability counter

You're just like our friend RICHTO, aren't you?

First, you combine all vulnerabilities of different severity levels; say, an app crashing is equated with arbitrary code being executed remotely, like the last IE vuln.

Second, how long does it take for MS to patch a vuln? Say, the mentioned IE one took MS a couple of weeks; not usually the case with Linux.

Third, you're trying to compare the volumes of the daily droppings of a mouse and an elephant. Say, putting side by side MS products (an OS supporting fewer architectures than Linux, 1 web browser, 1 Office, 1 web server, 1 db server etc.) vs. 10s of gigs of software available in distros' repos with 4-5 web browsers and servers, 3-4 db servers, several Office suites and so on.

PS Those 10s of gigs are much leaner than what MS think of it. Win8 RT >12GB of disk usage for an OS and Office --> WTF?

Facepalm

*facepalms*

I guess I take back my earlier comment that we do not need specific technology security people to deal with scenarios like these. Apparently, if someone doesn't club them over the head repeatedly, the masses are unwilling to perform even basic security checks for their computers.

Anonymous Coward

Re: *facepalms*

>Apparently, if someone doesn't club them over the head repeatedly, the masses are unwilling to perform even basic security checks for their computers.

That would suggest to me that the experts should give the masses computers that perform their own security checks (easier said than done, I know).


Reminds me of ..

Trojan Horse by Mark Russinovich

Anonymous Coward

I know of power stations out there that are running SCADA control stations on Windows NT 4 Dell Desktops (Pentium III 500MHz). The software won't run on anything newer and they're biding time until the whole control system is replaced. Another station I know of has its SCADA system hooked straight into the corporate network.

Most industrial control systems actually run on Windows. Siemens, GE, ABB ... The current generation of HMIs are Windows boxen too (COPA-DATA Zenon or GE Cimplicity for example).

With the right controls it is all OK, but Corporate IT and Operational IT are different things, and companies often blend the two to save money.

Yes, people can really be that stupid.
