UPDATE 1-Malicious virus shuttered U.S. power plant -DHS

Wed Jan 16, 2013 5:53pm EST

By Jim Finkle

BOSTON Jan 16 (Reuters) - A computer virus attacked a turbine control system at a U.S. power company last fall when a technician unknowingly inserted an infected USB drive into the network, keeping a plant offline for three weeks, according to a report posted on a U.S. government website.

The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.

It was introduced by an employee of a third-party contractor that does business with the utility, according to the agency.

DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure.

In addition to not identifying the plants, a DHS spokesman declined to say where they are located.

Interest in the area has surged since 2010 when the Stuxnet computer virus was used to attack Iran's nuclear program. Although the United States and Israel were widely believed to be behind Stuxnet, experts believe that hackers may be copying the technology to develop their own viruses.

Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive. Attackers use that technique to place malicious software on computer systems that are "air gapped," or cut off from the public Internet.

"This is yet another stark reminder that even if a true 'air gap' is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur," he said.

AGING SYSTEMS

Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have "AutoRun" features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB drive is plugged into the system unless operators change that setting, Clarke said.
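The setting Clarke refers to is the NoDriveTypeAutoRun registry policy. The script below, an added example that is not from the article or the DHS report, audits that policy per drive type on a Windows host and, with -Disable, sets it to the value that turns AutoRun off for every drive type; it assumes Microsoft's documented bit layout and targets the PowerShell 2.0 that shipped for Windows XP SP3.

```powershell
# Audit (and optionally disable) AutoRun via the NoDriveTypeAutoRun policy.
# Run in an elevated session; -Disable writes the machine-wide policy value.
param([switch]$Disable)

# Machine policy is checked first, then the per-user policy.
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Each set bit suppresses AutoRun for one drive type (documented bitmask).
$DriveBits = @(
    @{ Bit = 0x04; Name = 'Removable (USB sticks, floppies)' },
    @{ Bit = 0x08; Name = 'Fixed disks' },
    @{ Bit = 0x10; Name = 'Network drives' },
    @{ Bit = 0x20; Name = 'CD/DVD' },
    @{ Bit = 0x40; Name = 'RAM disks' }
)
$AllOff = 0xFF   # all bits set: AutoRun disabled for every drive type

foreach ($p in $Paths) {
    $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $v) {
        Write-Output "$p : NoDriveTypeAutoRun not set (OS default applies)"
        continue
    }
    Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $p, $v)
    foreach ($d in $DriveBits) {
        # A cleared bit means AutoRun is still honoured for that drive type.
        $state = if ($v -band $d.Bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ("    {0,-34} AutoRun {1}" -f $d.Name, $state)
    }
}

if ($Disable) {
    $machine = $Paths[0]
    if (-not (Test-Path $machine)) { New-Item -Path $machine -Force | Out-Null }
    Set-ItemProperty -Path $machine -Name NoDriveTypeAutoRun -Value $AllOff -Type DWord
    Write-Output "Set NoDriveTypeAutoRun=0xFF under $machine (applies at next logon)"
}
```

A value that leaves the 0x04 bit clear is the condition the article describes: software on a removable drive is launched as soon as it is plugged in.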

The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which helps protect critical U.S. infrastructure, described the incident in a quarterly newsletter that was accessed via its website on Wednesday.

The report from ICS-CERT described a second incident in which it said it had recently sent technicians to clean up computers infected by common as well as "sophisticated" viruses on workstations that were critical to the operations of a power generation facility.

The report did not say who the agency believed was behind the sophisticated virus or if it was capable of sabotage. DHS uses the term "sophisticated" to describe a wide variety of malicious software that is designed to do things besides commit routine cyber crimes. They include viruses capable of espionage and sabotage.

A DHS spokesman could not immediately be reached to comment on the report.

The Department of Homeland Security almost never identifies critical infrastructure operators that are hit by viruses, or even their locations, but it does provide statistics.

It said ICS-CERT responded to 198 cyber incidents reported by energy companies, public water districts and other infrastructure facilities in the fiscal year ending Sept. 30, 2012.

Attacks against the energy sector represented 41 percent of the total number of incidents in fiscal 2012. According to the report, ICS-CERT helped 23 oil and natural gas sector organizations after they were hit by a targeted spear-phishing campaign, in which emails with malicious content are aimed specifically at their employees.

The water sector had the second highest number of incidents, representing 15 percent.

Comments (12)
daveca wrote:
This article is so biased and loaded with hysteria, what's the point?

“when a technician unknowingly inserted an infected USB computer drive into the network,”

The technician did not know that he had inserted a USB stick?

When you can't even write a coherent sentence, go back to school.

“Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have “auto run” features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB is plugged into the system unless operators change that setting, Clarke said.”

Bull Bleep. Win XP has DEP to prevent that. It's unlikely the network didn't have virus scan etc. The author subtly changed subjects from "control system" to "Windows 2K-XP"; I doubt most readers caught it or have enough computer background to notice the distinction.

It's very dishonest or incompetent writing.

Further, it's not evidenced, or credible, that a virus took a whole plant down for a month, especially when:

1.) there are backup controls, that should be manual
2.) no explanation of how that took the entire PLANT down
3.) no explanation of how that happened and resulted in the whole plant being down for a month, when it only takes minutes to a few hours to reload all the computers

More false reporting and hysteria:

“The report from ICS-CERT described a second incident in which it said it had recently sent technicians to clean up computers infected by common as well as “sophisticated” viruses on workstations that were critical to the operations of a power generation facility.”

Four step process, 15 minutes

1. power computers down
2. go to manual control
3. swap in clean, sterile hard drives
4. power computers up

Sorry, too much engineering background to accept this trash.

This is all BS reporting designed to float the hysteria that the Gummit needs to control computer networks.

Jan 16, 2013 8:08pm EST
jdm15 wrote:
It’s fairly evident that the virus didn’t shut the plant down. The plant was voluntarily shutdown for incident remediation after the virus was detected. It likely took three weeks to return the plant to operational status for a number of possible reasons, including 1) lack of sufficient (legacy) replacement equipment, 2) insufficient operational procedures or training in handling this type of incident, or 3) insufficient budget to enable expeditious remediation and restoration of service.

Jan 16, 2013 8:40pm EST
daveca,

“This is all BS reporting designed to float the hysteria that the Gummit needs to control computer networks.”

You make some very good, common sense points in your comment. If these USB sticks are such a big problem, why in 2013 are critical power companies allowing the use of such devices?

What is your opinion: might this be an ill-fated attempt at sabotage, corporate or national?

Also, concerning this dishonest or incompetent writing, perhaps this journalist needs to research his or her subject matter better! Then again, I am sure a news organization like Wired would be 10X better suited for this subject matter.

Jan 16, 2013 9:13pm EST