U.S. power plants combat USB malware infections

Summary: It is not only online threats that the country's infrastructure has to deal with, but also tainted USB drives, according to the U.S. Department of Homeland Security.

How can you bring down a critical part of a country's infrastructure? Introduce an infected USB drive into the system.

According to the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), two power plants reported infections in the three months to the end of 2012 -- a number that is likely to rise in the coming year unless we begin taking cybersecurity threats to our infrastructure more seriously.

The ICS-CERT Monitor report (.pdf) states that both "common and sophisticated" malware was found at a power generation facility in one case, discovered after an employee had issues connecting a USB drive to a workstation.

Although the type of malware wasn't revealed, the report mentions that "the employee routinely used this USB drive for backing up control systems configurations within the control environment," which could prove to be a loophole hackers could routinely exploit to connect with the most important systems within a power plant. In addition, ICS-CERT said that sophisticated malware was found on two engineering-based workstations that are "critical" to the control of the power station.

A lesson to be learnt in this case: neither workstation had viable backups, so had the infection not been properly removed, it could have seriously hampered the plant's operations.

Although malware was not found on the 11 other workstations examined, there is no reason why external drives could not be used to carry such malware into the plant unless security around USB storage is tightened, and human error could become the core reason a plant is infected.

In the second case documented by the report, a power company reported a viral infection in a turbine control system which hampered the performance of roughly ten computers within its control network. After a third-party technician used a USB drive to upgrade software when equipment was being renewed, the malware took hold. As a result, the plant's reopening was delayed for three weeks.

ICS-CERT suggests that a common-sense approach is the best way to combat USB-borne infections: adopt new USB guidelines, make cleaning a device before use compulsory -- including write-once media such as DVDs -- and keep antivirus software up to date. If a simple USB stick can take a power station down, then as cyberattacks become more sophisticated, basic protocols have to be in place to protect the critical infrastructure that keeps cities moving.

  • U.S. power plants combat USB malware infections

    A harbinger of the BYOD threat to corporate America.
    • I agree

      Bring your own disaster. BYOD works best with virtual desktop infrastructure: let them work in your virtual environment only.
      Malcolm Rivett
  • Prevention

    As the IT manager of a high school, there are a few ways I know of to combat USB malware.

    Group Policy lockout of app and script launching from specific drives, via AppLocker, if I recall.
    Disable AutoRun via Group Policy, or there's a registry setting which allows AutoRun on CD-ROMs only.

    I used these techniques to stop USB Trojans from re-infecting my infrastructure when their existence first started showing... Worked well. A new one popped up which hides all USB contents and then creates shortcuts to the content, plus an extra string which also runs the virus at the same time. I think if I also disabled *.lnk then this should prevent that too.

    That and some strict AV rules. But I never rely on antivirus; it only stops known threats. I prefer script/application and host location blocking, e.g. preventing write access to %appdata% and other common places these host files try to save to when infected from websites.
    Malcolm Rivett
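
The Group Policy / registry step the comment above describes, as an added example script that is not from the article, ICS-CERT or the commenter. It assumes an elevated PowerShell session on the workstation being hardened and uses the Explorer policy value NoDriveTypeAutoRun (which the "Turn off Autoplay" Group Policy setting also writes); the drive-type bit meanings and the 0xFF / 0xDF values are my reading of that bitmask, not something quoted from the page.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article, ICS-CERT or the commenter. Audits and
# hardens the Explorer AutoRun policy so that inserting a USB stick cannot
# launch code by itself. NoDriveTypeAutoRun is a bitmask of drive types for
# which AutoRun is DISABLED (bit set = disabled):
#   0x01 unknown  0x04 removable  0x08 fixed  0x10 network  0x20 CD-ROM  0x40 RAM disk
# 0xFF disables AutoRun on every drive type; 0xDF leaves only CD-ROM enabled
# (the "CD-ROMs only" setting the comment mentions). Both values are my
# reading of the bitmask, not values the page states.

$DriveTypeBits = [ordered]@{
    Unknown   = 0x01
    NoRootDir = 0x02
    Removable = 0x04   # USB sticks, card readers
    Fixed     = 0x08
    Network   = 0x10
    CDRom     = 0x20
    RamDisk   = 0x40
    Reserved  = 0x80
}

# Policy keys that the "Turn off Autoplay" Group Policy setting also writes to.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function ConvertFrom-NoDriveTypeAutoRun {
    # Decode a mask into one row per drive type.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($name in $DriveTypeBits.Keys) {
        [pscustomobject]@{
            DriveType       = $name
            AutoRunDisabled = (($Mask -band $DriveTypeBits[$name]) -ne 0)
        }
    }
}

function Get-AutoRunPolicy {
    # Report the configured mask under the machine and user policy keys and
    # whether removable media (the USB case) is covered.
    foreach ($path in $PolicyPaths) {
        $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $mask  = $null
        $label = 'not set (OS default applies)'
        if ($null -ne $item) {
            $mask  = [int]$item.NoDriveTypeAutoRun
            $label = '0x{0:X2}' -f $mask
        }
        [pscustomobject]@{
            Path                  = $path
            NoDriveTypeAutoRun    = $label
            RemovableMediaBlocked = ($null -ne $mask) -and (($mask -band $DriveTypeBits.Removable) -ne 0)
        }
    }
}

function Set-AutoRunPolicy {
    # Write the mask to both keys. 0xFF is the hardened default; pass 0xDF to
    # keep AutoRun for CD-ROM drives only.
    param([int]$Mask = 0xFF)
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value $Mask -Type DWord
    }
}

# Usage: audit, harden, re-audit. The change applies after the user logs off and on again.
Get-AutoRunPolicy | Format-Table -AutoSize
Set-AutoRunPolicy -Mask 0xFF
Get-AutoRunPolicy | Format-Table -AutoSize
ConvertFrom-NoDriveTypeAutoRun -Mask 0xDF | Format-Table -AutoSize
```

The HKCU write only covers the account running the script, so for a fleet the same value should be pushed through the Group Policy setting rather than per machine. Note also that this only stops autorun.inf-style launches; the shortcut-hiding worm the commenter describes relies on the user clicking a .lnk, which is why the AppLocker and script-blocking rules in the comment are still needed alongside it.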