back to article Viruses infect vital control systems at TWO US power stations

Two US power stations were infected by malware in the last quarter of 2012, according to a report by the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). USB flash drives packed with software nasties were blamed for a compromise of industrial control systems in both …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    god forbid that the US gets hammered by the same malware infecting Iranian nuke facilities.

    1. What of IT?

      that's what I'd call shitting on your own doorstep ;)

      1. Destroy All Monsters Silver badge
        Trollface

        It's like the AR-15 direct impingement system!

  2. ukgnome
    FAIL

    Don't they have sysadmins and their pesky group policies?

  3. Nick Ryan Silver badge
    FAIL

    Oh FFS, just how incompetent do they have to be. Turn off, disable and kill auto-run with prejudice. It's not an especially difficult concept to grasp, but so many industrial control systems still have it enabled.

    I'll admit that MS have made it moronically hard to fully disable unless XP SP3 is installed along with one or more updates, prior to that turning it off didn't actually turn the fecking thing off completely. After all, MS knows best on how to propagate viruses easily and what harm can there be from automatically running executable files from arbitrary removable devices?

    1. dogged
      Meh

      Assuming the systems in question run Windows.... Neither the article nor the accompanying PDF specify an OS.

      1. Anonymous Coward
        Anonymous Coward

        "Assuming the systems in question run Windows.."

        Care to suggest another operating system that is so lax ?

        1. Anonymous Coward
          Anonymous Coward

          > Care to suggest another operating system that is so lax ?

          Linux.

          http://www.h-online.com/open/news/item/USB-driver-bug-exposed-as-Linux-plug-pwn-1203617.html

          http://www.charlescurley.com/blog/archives/2011/03/13/linux_usb_vulnerability/index.html

          http://news.softpedia.com/news/Researcher-Demonstrates-USB-Autorun-Attack-on-Linux-183611.shtml

          http://linux.slashdot.org/story/11/02/07/1742246/usb-autorun-attacks-against-linux

          http://www.muktware.com/news/761/once-upon-time-there-was-usb-vulnerability-linux#.UPbg6Seqlws

          1. eulampios

            you got

            an extremely weak case here... you don't have a case. One can discuss potential risks associated with external media on GNU/Linux. Another matter is to actually see it's happening in the wild. Of course there is always an explanation of blaming 1% of users that no bad guy really cares about.

          2. Chemist

            "Linux.."

            Evening RICHTO,

            What you fail to grasp is that the 'examples' you give are bugs, which may or may not be exploitable. With older versions of Windows it was a design choice to let USB sticks auto-execute.

    2. Arctic fox
      Windows

      @Nick Ryan: You are surely not suggesting that there are companies out there........

      "unless XP SP3 is installed along with one or more updates"

      .................running XP without both SP 2 and SP3 - say it ain't so. Nobody could be that stupid could they?

      1. Brewster's Angle Grinder Silver badge
        Facepalm

        Re: @Artic Fox: You are surely not suggesting that there are companies out there........

        ".................running XP without both SP 2 and SP3 - say it ain't so. Nobody could be that stupid could they?"

        These are industrial control systems so they are probably running Windows 98.

        1. RW
          Boffin

          Re: @Artic Fox: You are surely not suggesting that there are companies out there........

          They'd probably be safer running DOS.

        2. Fuzz

          Re: @Artic Fox: You are surely not suggesting that there are companies out there........

          Windows 98 would be no problem, there's no way anyone got 98 to recognize a USB flash drive.

      2. Big-nosed Pengie
        FAIL

        Re: @Nick Ryan: You are surely not suggesting that there are companies out there........

        "Nobody could be that stupid could they?"

        They're running Windows. So yes, yes, they could.

        1. dogged
          Stop

          @Big-nosed Pengie

          They're running Windows

          [citation needed]

  4. ItsNotMe
    WTF?

    Why are they backing up to a Flash Drive in the first place?

    Seriously? A Flash Drive for backups? In a corporate environment?

    1. Destroy All Monsters Silver badge

      Re: Why are they backing up to a Flash Drive in the first place?

      Not a bad idea IMAO.

      1. ItsNotMe
        FAIL

        @Destroy All Monsters

        You have obviously never seen a Flash Drive fail...or get lost...have you.

        1. Psyx
          Stop

          Re: @Destroy All Monsters

          "You have obviously never seen a Flash Drive fail...or get lost...have you."

          You don't just rely on one tape back-up, so why assume anyone would rely on one USB.

          As to the loss thing, there is literally no reason why the drives can't be chained to a brick!

          I'd rather trust and use USB back-up than optical media or tape. It's not perfect, but with safeguards it's not an inherently stupid idea... and certainly not worth a 'Fail' icon...

          1. Yet Another Anonymous coward Silver badge

            Re: @Destroy All Monsters

            I suspect the USB key was to copy some log files from a non-networked controller back to some central machine where they could be backed up properly.

            Probably becuase the last security review demanded that all critical machines were disconnected from the network to protect them from viruses.

        2. Dave 126 Silver badge

          Re: @Destroy All Monsters

          >You have obviously never seen a Flash Drive fail...or get lost...have you.

          You work on the concept that all devices fail, and so use them redundantly. And use encryption in case they get lost.

          Years back at a nuclear power station in the UK, there used to be a standalone PC in the security hut, through which all floppy disks had to be passed.

          These days they tend to use laptops with custom Linux distros to connect to their network.

          1. Beachrider

            Re: @Destroy All Monsters

            USB keys need to be controlled. There are encryption-controlled USB keys. They cost $$$ more than 'normal' USB keys. The PCs can then be locked down to not allow 'other' USB keys to activate on PCs.

        3. harmjschoonhoven
          Megaphone

          Re: @Destroy All Monsters

          @ItsNotMe

          One backup is no backup.

    2. Kevin McMurtrie Silver badge

      Re: Why are they backing up to a Flash Drive in the first place?

      A USB drive can be used to bridge the air-gap protecting a critical system. It works well because it's a manual process that can't run itself while everybody is away. Of course, you need to keep an eye on the details or all of that security is pointless.

  5. William Boyle

    Just the facts mam.

    Just so people don't forget, that this was NOT an internet hack, but some sort of social-engineering attack, or deliberate attack, in that infected USB drives were delivered into the hands of staff members of the facilities who then attached them to their PC's and thus compromised their systems and networks. All too often, this is how such stuff gets into play. As is often the case, people not networks are the weakest link!

    1. JohnG

      Re: Just the facts mam.

      Maybe some operations and maintenance contracts are up for renewal at the plants in question....

  6. TeeCee Gold badge
    Facepalm

    "The subsequent cleanup operation was complicated by a lack of backups."

    Not surprised they got infected if they're that fundamentally crap at looking after computers.

    1. JohnG

      Re: "The subsequent cleanup operation was complicated by a lack of backups."

      This can happen if the cheapest of available quotes is always selected. It an also happen if a contract is awarded to a company on the basis that a director's relative works there.

      1. Pet Peeve
        Coat

        Re: "The subsequent cleanup operation was complicated by a lack of backups."

        Or the old BOFH trick of directing your backups to /dev/null to speed them up and save a trip to the tape safe...

  7. Ole Juul

    They'll learn

    I'm sure they could design more robust systems and procedures. My guess is that they are working on the assumption that what they don't see won't hurt them. That, and going cheap where they shouldn't

  8. hypernovasoftware

    I'll bet ....

    the computers infected were running ..... wait for it ..... Windows!

    Windows is not robust enough to use in mission-critical real-time applications like a power plant.

    That is the stupid user error that enabled this in the first place.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'll bet ....

      Neither is *NIX. As a long-time Linux user, collector of old UNIX variants, and fan of the UNIX philosophy, there are very few variants that would be able to handle this. Maybe a very stable release of OpenBSD.

      Windows doesn't bear all the blame for this. It's crap, but so is everything else.

      1. Anonymous Coward
        Anonymous Coward

        Re: I'll bet ....

        You know a *NIX that will auto-run a USB stick ?

      2. eulampios

        you got

        an example of a virus infection of a single GNU/Linux machine in the wild through an external media?

    2. Nick Ryan Silver badge

      Re: I'll bet ....

      The actual real time control systems will use dedicated systems for the job. These are restricted systems and they do what the are designed to do and generally nothing more.

      The management systems, on the other hand, are often Windows systems. This makes the development task of producing a system than can collate figures, poke configuration changes onto control systems, generate reports and all the normal stuff that people, or more accurately end users and managers, need to see feasible. In any properly designed system the actual operation side is independent of these management systems.

      1. Nick Ryan Silver badge

        Re: I'll bet ....

        * By restricted systems I mean proper control systems such as PLCs, not PCs.

  9. Khaptain Silver badge

    What they really need

    Poor ol yanks, their nasty virus came back to kick em up the arse, if only they had had guns to protect themselves from these kinds of attacks, oh wait....

  10. Syed

    I wonder if this the place where the clever chap who outsourced his own job worked?

    (see article elsewhere in El Reg, I'm too lazy to include a link)

  11. annodomini2
    Stop

    Critical point

    The malware in question is 'unspecified' no where in the article does this state that this was a targeted attack.

    Or that the malware was designed to disrupt the operation of these systems.

    The fact they got infected is obviously a major security fail, but no where is it stated that the reason the machines were infected was deliberate.

  12. The Alpha Klutz

    Windows dropper

    the common vuln for all these windows dropper malwares is the windows OS which we need to get rid of immediately.

  13. TheRealLifeboy
    FAIL

    Why the hell are these system still running windows??

    Are they totally dense or what? We don't even know what a virus infection looks like since switching to Linux 5 years ago. These jokers know that Stuxnet and the like where created to attach Iran (probably by the US) and now they're turning on themselves.

    It's not that hard to move away from Windows, for Pete's sake!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Why the hell are these system still running windows??

      If it's a targeted attack where the attacker targets the specific company or sector, another OS will not help. Linux has more than twice the number of vulnerabilities discovered in the *kernel* compared to Windows, year after year.

      If the attackers target a specific entity that uses Linux, they will just use one of the Linux vulns. Because of the distro system, an attacker who monitors kernel commits can gain information about vulnerabilities weeks or months before they sift through to the distros and become available as patches.

      There has been *many* Linux vulnerabilities (and exploits) in USB drivers.

      1. eulampios

        @the vulnerability counter

        You're just like our friend RICHTO, aren't you?

        First, you combine all vulnerabilities of different severity level, say, an app can crash is equated with an arbitrary code could be executed remotely, like the last IE vuln.

        Second, how long does it take for MS to patch a vuln. ? Say, the mentioned IE took MS a couple weeks, not usually the case with Linux.

        Third, you're trying to compare the volumes of a daily droppings for a mouse and an elephant. Say, putting side-by-side MS products with the OS supporting lesser architecture than Linux, 1 web browser, 1 Office, 1 web server, 1 db server etc vs. 10s of Gigs of software available in distro's repos with 4-5 web browsers and server, 3-4 db servers., several Office suites and so on.

        PS Those 10s of gigs are much meaner than what MS think of it . Win8 RT >12gb of disk usage for an OS and Office --> WTF?

  14. lightknight
    Facepalm

    *facepalms*

    I guess I take back my earlier comment that we do not need specific technology security people to deal with scenarios like these. Apparently, if someone doesn't club them over the head repeatedly, the masses are unwilling to perform even basic security checks for their computers.

    1. Anonymous Coward
      Anonymous Coward

      Re: *facepalms*

      >Apparently, if someone doesn't club them over the head repeatedly, the masses are unwilling to perform even basic security checks for their computers.

      That would suggest to me that the experts should gives the masses computers that perform their own security checks (easier said than done, I know).

  15. MissingSecurity

    Reminds me of ..

    trojan horse by mark russinovich

  16. This post has been deleted by its author

  17. Anonymous Coward
    Anonymous Coward

    I know of power stations out there that are running SCADA control stations on Windows NT 4 Dell Desktops (Pentium III 500MHz). The software won't run on anything newer and they're biding time until the whole control system is replaced. Another station I know of has its SCADA system hooked straight into the corporate network.

    Most industrial control system actually run on Windows. Siemens, GE, ABB ... The current generation of HMIs are windows boxen too (COPA-DATA Zenon or GE Cimplicity for example)

    With the right controls it is all OK, but Corporate IT and Operational IT are different things, and companies often blend the two to save money.

    Yes, people can really be that stupid.

This topic is closed for new posts.

Other stories you might like