When I write about the vulnerabilities of critical infrastructure, particularly our energy sources, someone almost always comments that if the infrastructure is that critical, it shouldn't be attached to the Internet. That's easy to say, but it is also naïve. That way of thinking assumes that every attack arrives over the Internet, when the network perimeter is only one of several paths in.
We should know by now that the bad guys are smarter than that, and they will use whatever path gets the job done. Stuxnet, for example, spread by way of infected USB drives. And now it appears that a U.S. power generation facility was infected in a similar manner, in an incident recently revealed by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). According to the report:
ICS-CERT recently provided onsite support at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment. The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive’s operation. The employee routinely used this USB drive for backing up control systems configurations within the control environment.
In other words, the malware was found only when IT staff plugged the drive into a computer running up-to-date antivirus software, which returned several malware detections. The follow-up investigation found that other computers in the control environment may have been infected by the same drive, which was routinely used to back up control system configurations.
There were several security failures in this situation. As eWeek pointed out:
ICS-CERT also found that the engineering workstations did not have backups and did not have antivirus software. US-CERT was able to clean the workstations of the malware, and it was able to remove malware from the turbine control systems that were affected.
Engineering workstations with no antivirus software and no backups don't instill a whole lot of confidence in the overall security of power plants and the protection of the critical infrastructure, do they? In addition, any USB drive carried into a control environment should be scanned for malware before it is plugged in. Removable media has long been reported as a common way to spread malware, and it works whether or not the plant is connected to the Internet.
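To make that last point concrete, here is an added example of the kind of removable-media check a control-system owner could run on a "sheep-dip" scanning host before a backup drive is allowed into the control environment. It is not code from ICS-CERT, eWeek or the facility involved, and it does not replace an antivirus scan; it complements one. It assumes a hypothetical policy in which a configuration-backup drive may carry only files listed in an approved manifest (file path and SHA-256 hash kept on the scanning host), and may never carry an autorun.inf or a Windows executable. The sample drive contents, manifest and file names are constructed for the demonstration.

```python
"""Audit a removable drive used for control-system configuration backups.

Added example, not part of the original article or any ICS-CERT guidance.
Policy (hypothetical): every file on the drive must appear in an approved
manifest with a matching SHA-256 hash; autorun.inf and PE executables
(files starting with the "MZ" header) are never permitted, since a
configuration backup has no legitimate reason to carry them.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path: Path) -> bool:
    """Check the file header rather than trusting the extension."""
    with path.open("rb") as f:
        return f.read(2) == PE_MAGIC


def audit_drive(mount: str, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify every file on the mounted drive against the manifest."""
    findings: dict[str, list[str]] = {
        "ok": [], "unexpected": [], "modified": [], "blocked": [], "missing": [],
    }
    seen: set[str] = set()
    for root, _dirs, files in os.walk(mount):
        for name in files:
            p = Path(root) / name
            rel = str(p.relative_to(mount)).replace(os.sep, "/")
            seen.add(rel)
            if name.lower() == "autorun.inf" or looks_like_pe(p):
                findings["blocked"].append(rel)      # never allowed, regardless of manifest
            elif rel not in manifest:
                findings["unexpected"].append(rel)   # nobody approved this file
            elif sha256_of(p) != manifest[rel]:
                findings["modified"].append(rel)     # approved name, altered content
            else:
                findings["ok"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    for key in findings:
        findings[key].sort()
    return findings


def drive_is_clean(findings: dict[str, list[str]]) -> bool:
    """A drive passes only if nothing unexpected, modified or blocked was found."""
    return not (findings["unexpected"] or findings["modified"] or findings["blocked"])


def build_sample_drive(drive: Path) -> dict[str, str]:
    """Write a constructed sample drive and return the manifest it was approved against."""
    (drive / "plc").mkdir()
    (drive / "tools").mkdir()
    good = drive / "plc" / "line1.cfg"
    good.write_bytes(b"station=1\nfirmware=4.2\n")
    original_line2 = b"station=2\nfirmware=4.2\n"
    manifest = {
        "plc/line1.cfg": sha256_of(good),
        "plc/line2.cfg": hashlib.sha256(original_line2).hexdigest(),
        "plc/line3.cfg": hashlib.sha256(b"station=3\n").hexdigest(),  # approved but absent
    }
    # line2.cfg was altered after the manifest was approved.
    (drive / "plc" / "line2.cfg").write_bytes(original_line2 + b"dnsserver=10.0.0.9\n")
    (drive / "notes.txt").write_text("call vendor\n")                 # never approved
    (drive / "autorun.inf").write_text("[autorun]\nopen=tools\\helper.exe\n")
    (drive / "tools" / "helper.exe").write_bytes(PE_MAGIC + b"\x00" * 62)  # fake PE stub
    return manifest


def demo() -> dict[str, list[str]]:
    """Audit the constructed sample drive in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = build_sample_drive(Path(tmp))
        return audit_drive(tmp, manifest)


if __name__ == "__main__":
    result = demo()
    for category, paths in result.items():
        print(f"{category:10s} {paths}")
    print("clean:", drive_is_clean(result))
```

The manifest has to live on the scanning host, not on the drive, or an attacker who can write to the drive can simply rewrite the manifest to match. The PE check is deliberately header-based: renaming helper.exe to helper.cfg would not get it past the check, though a real deployment would add checks for other executable formats and scripts.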
As Lawrence Reusing, general manager of Imation Mobile Security, told me in an email:
Malware infestations such as this one are disastrous but avoidable, and to that end more and more enterprises and government agencies are deploying USB-based solutions where the devices are managed, are secure, and have highly effective anti-virus capabilities built right in. USB devices are key to the future of the mobile workforce. They are enormously convenient for mobile workers and proven to enhance their productivity. And they are safe to deploy if done so properly – there exist effective ways today to manage them and ensure they are secure and will not cause harm to the machines and systems with which they interact.
I'd like to say this was just a blip in security, but was it? We can talk all we want about the government taking steps to increase cybersecurity efforts for the critical infrastructure, but basic security practices, such as antivirus on engineering workstations, regular backups and scanning of removable media, need to be put in place by the industry itself, as well.