Malware has infected two US power plants in recent months, the US Cyber Emergency Readiness Team (Cert) has revealed.
The malware infected each plant's system via an infected USB stick connected to critical IT systems, according to the US Cert’s industrial control systems newsletter.
In one case, a USB drive tainted with crimeware infected a turbine-control system at a US power plant in early October. The infection took the plant offline for three weeks.
Cert found a third-party technician had used a USB drive to upload software updates during a scheduled outage for equipment upgrades.
At another plant, government computer experts discovered "common and sophisticated malware" on several workstations, including two that were critical to the plant's operation.
The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive’s operation.
The employee routinely used the USB drive for backing up control systems configurations in the control environment.
No effective backup or antivirus policy
Read more about critical national infrastructure cyber attacks
- Critical infrastructure under continual cyber attack, says report
- Stuxnet proves cyber attacks on critical infrastructure are possible, say researchers
- Critical infrastructure protection hindered by difficulties, experts say
- Evasion threat to critical systems goes ignored, says Stonesoft
- Is UK critical national infrastructure properly protected?
- Critical security skills gap threatens UK infrastructure
Detailed analysis was conducted as these workstations had no backups and an ineffective or failed cleanup would have significantly impaired their operations.
While the implementation of an antivirus solution presents challenges in a control system environment, the US Cert said it could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations.
“A good backup procedure should incorporate best practices for USB usage to ensure malicious content is not spread or inadvertently introduced, especially in critical control environments,” the newsletter said.
“This procedure should include cleaning the USB device before each use or the use of write-once media such as CDs or DVDs.”
The industrial control systems Cert said it was important that owners and operators of critical infrastructure should develop and implement baseline security policies for:
- Maintaining up-to-date antivirus definitions;
- Managing system patching;
- Governing the use of removable media.
“Defence-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events,” the newsletter said.
Since the discovery of Stuxnet in 2010, governments have become increasingly concerned about the potential of malware to cause physical damage to critical national infrastructure.