American Critical Infrastructures shut down by cyber attacks

According to a report from U.S. Department of Homeland Security’s Cyber Emergency Response Team, two U.S. power plants have been infected with computer viruses – and one was shut down by a malicious software infection carried into its control systems on USB sticks.

The report warns also that ICS-CERT responded to 198 cyber incidents reported by energy companies, public water districts and other infrastructure facilities in the fiscal year ending Sept. 30, 2012.

Attacks against the energy sector represented 41 percent of the total number of incidents in fiscal 2012. ICS-CERT helped 23 oil and natural gas sector organizations after they were hit by a targeted spear-phishing campaign – when emails with malicious content are specifically targeted at their employees.

The water sector had the second highest number of incidents, representing 15 percent.

Power Infrastructure
An American power plant was forced offline for three weeks last fall by malicious software carried into its control systems when a technician unknowingly inserted an infected USB computer drive into the network.

Another plant found a similar malware infection in computers which controlled turbine systems.

The cases were reported by the U.S. Department of Homeland Security’s Cyber Emergency Response Team – which also predicted a rise in such infections.
DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure.

the Stuxnet family
Interest in the area has surged since 2010 when the Stuxnet computer virus was used to attack Iran’s nuclear program. Although the United States and Israel were widely believed to be behind Stuxnet, experts believe that hackers may be copying the technology to develop their own viruses.

DHS said the malicious software, which is used to perpetrate financial crimes like identity theft, attacked the turbine control system at the unidentified power company. Analysts believe a similar USB device was used to launch the Stuxnet cyberattack at an Iranian nuclear facility in 2010.

“The team discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment.”

USB devices are useful for attacks on computers that are “air gapped,” or cut off from the public Internet. DHS also reported a second cybersecurity incident at another plant which it said the department had dispatched technicians to clean up computers critical to the operations of the power generation facility. The incidents were reported as cybersecurity experts convened at the high-profile S4 conference in Miami to review emerging threats against power plants and other critical infrastructure. ( Reuters, Yahoo)

“The vast majority of targeted computer attacks now start with a malicious e-mail sent to a company employee,” writes Nicole Perlroth for the New York Times. “Now evidence suggests that the same technique could be used to attack watersheds, power grids, oil refineries and nuclear plants.”

Stuxnet was designed to make centrifuges at the plant spin out of control, damaging them beyond repair – it was built specifically to spread to industrial computer systems, carried on USB sticks or infected laptops.

Other tests showed that attacks on similar ‘programmable logic controllers’ – simple computer systems used to control industrial systems – could cause damage in the real world.

In November 2011, security researchers in America showed that some computer controlled cell doors in prisons could be opened remotely via the internet.

Earlier tests in 2007 proved that hackers could overwhelm a diesel generator, causing it to self destruct. At the time, the U.S. government described such cyber attacks as ‘a new kind of weapon’.

Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive.

Attackers use that technique to place malicious software on computer systems that are “air gapped,” or cut off from the public Internet. “This is yet another stark reminder that even if a true ‘air gap’ is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur,” he said.

Aging Systems and the USB drive use
Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have “auto run” features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB is plugged into the system unless operators change that setting, Clarke said.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergence Response Team (ICS-CERT), which helps protect critical U.S. infrastructure, described the incident in a quarterly newsletter.