November 27, 2014

Malware found in U.S. power plants, should America be worried?

us-cert logo(LiveHacking.Com) – According to a new report (pdf) released by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.

The first case came to ICS-CERT’s attention when it was contacted by the staff at a power generation facility. Several different bits of malware, which has been classified as both common and sophisticated, were discovered when an employee asked IT staff to inspect a USB drive used to back up control systems configurations within the control environment.

Initial analysis of the malware, found on the USB drive, raised some alarms since one of the infections was linked to known sophisticated malware. ICS-CERT engineers went on-site and took drive images of the infected hardware. The engineers also discovered two critical engineering workstations, which were infected by the malware, that had no backups, and an poor or incorrect removal of the malware would have significantly impaired the operation of the power plant.

A cleanup procedure was developed and executed together with the organization’s control system vendor to ensure that it would not adversely impact the critical workstations.

The second case happened in early October. A power company contacted ICS-CERT to inform it malware infection in a turbine control system. The malware infected around ten computers on the control system network that was down due to a scheduled outage for equipment upgrades. The infection resulted in more than planned downtime and delayed the plant restart by approximately 3 weeks.

“ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media. Such practices will mitigate many issues that could lead to extended system downtimes,” said the ICS-CERT report. “Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events”

It is clear that these key infrastructural facilities need to have the correct security and backup policies and procedures in place, something which is sorely lacking at the moment.

Was There a Cyber Attack at Water Plant in Illinois?

(LiveHacking.Com) – There has been lots of discussion about an alleged cyber attack on a water plant in Illinois. The story broke last week when Illinois officials said they were investigating the report of a water pump failure. Then Joe Weiss, a managing partner for Applied Control Solutions, revealed details of a cyber attack. Joe stated in his blog that the SCADA software vendor was hacked and customer usernames and passwords stolen and that during the attack the SCADA system was powered on and off repeatedly and so burned out a water pump. The golden proof, according to Joe, was that the IP address of the attacker was traced back to Russia.

Now, The FBI and the US Department of Homeland Security (DHS) are crying foul. According to an email sent to members of the Industrial Control Systems Joint Working Group, detailed analysis has found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

Cover up? Media hype? Paranoia?

The email from the FBI and DHS slams down the rumors hard saying:

There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.  In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported.  Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

They do admit that there was an incident where a hacker claimed to have accessed an industrial control system responsible for water supply in the city of South Houston. The hacker posted a series of images allegedly obtained from the system. The FBI are still investigation this incident.

But is this the end? Probably not, according to Brian Krebs Weiss has a report, which he is refusing to publish, which states that:

“An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia.”

And that

“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”

So the internal report says yes, definitely a cyber attack but the FBI say no… Who will you believe?

Stuxnet: The Industrial Sabotage Mystery Deepens

Since its discovery a few months ago, the purpose and intention of the Stuxnet worm has remained shrouded in mystery. This Windows based worm is the first ever malware designed to attack industrial equipment.

Specifically it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers).

[ad code=6 align=left]

PLCs contain code to control automated industrial systems in manufacturing plants or factories. Programmers use the Siemens’ software from a Windows PC to create code and then upload their code to the PLCs. The Stuxnet worm infects the PCs and then uploads its own code to the PLC.

Since the discovery of Stuxnet, conspiracy theories about its purposes have been rampant and these theories have included nation states, well funded hackers, Israeli spies and Iran’s nuclear program. But Symantec have just revealed (http://www.symantec.com/connect/blogs/stuxnet-breakthrough) that the Stuxnet virus only attacks systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran. This is sure to reignite the speculations about its target and origin.

What Stuxnet does is monitor the frequency of these drives and only attacks systems that run between 807Hz and 1210Hz which is very high and only used in particular industrial applications. Stuxnet then modifies the output frequency for a short time to 1410Hz and then to 2Hz and then to 1064Hz and thus effects the operation of the connected motors.

Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities.

If you work with PLCs and variable-frequency drives over 807Hz please contact Live Hacking as soon as possible as you might be able to shed some light on this increasingly mysterious malware.

Stuxnet Traget U.S. Power Grid System

U.S. Power grid system is based on control system software from Siemens AG. This system has been targeted by Stuxnet malware recently.

According to Computerworld, Stuxnet exploits a Windows flaw to find and steal industrial data from supervisory control and data acquisition (SCADA) systems running Siemens’ Simatic WinCC or PCS 7 software.

SCADA systems are used to control critical equipment at power companies, manufacturing facilities, water treatment plants and nuclear power operations. This malware is the first publicly known malicious software program written specifically to exploit vulnerabilities in a SCADA system.

Furthermore, it was a report in The Wall Street Journal about the cyber-spies from China, Russia and elsewhere who had gained access to the U.S. electrical grid and installed malware tools that could be used to shut down service recently. However, a group of cybersecurity specialist has been deployed from U.S. department of homeland security to study and investigate the U.S. department of energy network after this report.