Illustrating how vulnerable critical infrastructure can be to attack, a United States government site revealed that a computer virus infected the turbine control system of a U.S. power plant last fall. The incident occurred after a technician plugged an infected USB drive into a computer on the plant's network, disrupting operations for nearly three weeks.
According to the Department of Homeland Security, crimeware similar to that used in financial hacking attacks was behind the incident. The department did not specify which plant was hit.
The virus was unknowingly introduced by an employee of a third-party contractor that routinely does business with the plant, the agency said.
The Department of Homeland Security disclosed the incident, together with a second one involving a more sophisticated virus, on its website as cyber security experts were gathering in Miami for a high-profile conference called S4, convened to review cyber threats against water utilities, power plants and other critical infrastructure.
Nor did the agency say where the plant was located.
Interest in this field has reached new heights following the well-publicized Stuxnet attack on one of Iran's nuclear facilities in 2010. Many believed the United States and Israel were the architects of that virus. Experts now believe that bad actors may have copied its techniques and are developing their own versions.
Justin W. Clarke, a security researcher at Cylance, a firm that helps protect critical infrastructure such as utilities from attack, believes that Stuxnet was introduced into Iran's network through a USB drive. This is a common technique for delivering malicious programs to networks that are isolated from the public Internet, known as "air-gapped" systems.
“This is yet another stark reminder that even if a true ‘air gap’ is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur,” Clarke said.
Most of today's critical infrastructure is still controlled by systems running the Windows 2000 and XP operating systems, software designed over a decade ago. Most of these systems have "AutoRun" enabled, making them easier targets for infection, as malware can start spreading as soon as a USB flash drive is plugged into the network, Clarke said.
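The mechanism Clarke describes is the autorun.inf file at the root of the removable drive: when AutoRun is enabled, Windows reads it on insertion and runs whatever its `open=` or `shellexecute=` entry names. The script below is an added example, not code from the original article or from Cylance or ICS-CERT; it is a small triage tool for an autorun.inf recovered from a suspect USB drive during an incident like the ones reported. The sample file, the path `RECYCLER\update.exe`, and the function names are all constructed for illustration; the parsing rules (comment lines and lines without `=` are ignored, only the `[autorun]` section counts, first occurrence of a key wins) are assumptions that mirror the tolerant INI reader Windows uses.

```python
"""Triage an autorun.inf recovered from removable media (added example)."""
from typing import Dict, List, Tuple

# Constructed sample modelled on USB-worm autorun.inf files of the Windows
# 2000/XP era: an 'open=' entry fires on insertion, hijacked Explorer verbs
# fire when a user opens the drive by hand, and junk lines pad the file.
SAMPLE_AUTORUN_INF = r"""
[autorun]
; constructed sample: the junk line below is ignored by the Windows INI reader
q8Fz
open=RECYCLER\update.exe
icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
shell\explore\command=RECYCLER\update.exe
label=Firmware
[junk]
open=notepad.exe
"""

# File extensions Windows will execute directly (assumption: common set only).
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lower-cased keys.

    Assumed INI semantics: blank lines, ';' comments and lines without '='
    are skipped, only [autorun] and [autorun.<arch>] sections are read, and
    the first occurrence of a key wins.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            in_autorun = section == "autorun" or section.startswith("autorun.")
            continue
        if not in_autorun or "=" not in line:
            continue  # padding lines worms insert to confuse naive scanners
        key, value = line.split("=", 1)
        entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_targets(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries that lead to code execution.

    'open' and 'shellexecute' run on insertion when AutoRun is enabled;
    'shell\\<verb>\\command' runs when the user picks that verb from the
    drive's context menu or double-clicks the drive in Explorer, which
    works even on hosts where AutoRun has been switched off.
    """
    return [
        (key, value)
        for key, value in entries.items()
        if key in ("open", "shellexecute")
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def triage(text: str) -> dict:
    """Parse an autorun.inf and list what it would run and why that matters."""
    entries = parse_autorun_inf(text)
    targets = launch_targets(entries)
    findings: List[str] = []
    for key, cmd in targets:
        parts = cmd.split()
        program = parts[0].strip('"').lower() if parts else ""
        if program.endswith(EXEC_EXT):
            findings.append(f"{key}= launches an executable from the drive: {cmd}")
        if key in ("shell\\open\\command", "shell\\explore\\command"):
            findings.append(
                f"{key} hijacks an Explorer verb, so the payload also runs "
                "when the drive is opened by hand"
            )
    return {"entries": entries, "targets": targets, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_AUTORUN_INF)["findings"]:
        print(line)
```

Run against the constructed sample, the script reports four launch entries pointing at `RECYCLER\update.exe` and two Explorer-verb hijacks, while the `open=` line in the `[junk]` section is correctly ignored. The hijack findings are the caveat worth remembering on an air-gapped control network: turning AutoRun off (for example through the NoDriveTypeAutoRun policy) removes the insertion trigger, but a technician who double-clicks the drive in Explorer still runs the hijacked verb, so the autorun.inf and the files it names should be removed or the drive quarantined rather than merely left unplugged.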
The attack on the U.S. power plant was described by a unit of the Department of Homeland Security called the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in a quarterly newsletter available on the agency's website. ICS-CERT is responsible for ensuring that critical infrastructure in the U.S. is protected against cyber attacks.
The ICS-CERT report also described a second incident, to which it had recently sent technicians to inspect and clean up systems infected by both common and "sophisticated" malware on computers deemed critical to the operation of a power plant.
The report did not say who the perpetrators were, or whether the virus was capable of sabotage. DHS uses "sophisticated" for malware designed for more than routine cybercrime, being capable of sabotage and espionage.
DHS does not usually disclose the name or location of a facility hit by malware, though it does publish statistics.
The agency logged 198 cyber attacks against energy companies, public water utilities and other infrastructure during the fiscal year that ended on September 30, 2012.
The energy sector was hit the most, accounting for 41 percent of the attacks during that fiscal year. ICS-CERT said that 23 natural gas and oil sector organizations reported being targeted by a spear-phishing campaign, in which emails addressed to specific employees carry malicious attachments or links.
The water sector accounted for 15 percent of the attacks.