2013-01-16
By Jim Finkle
BOSTON Jan 16 A computer virus attacked a
turbine control system at a U.S. power company last fall when a
technician unknowingly inserted an infected USB computer drive
into the network, keeping a plant offline for three weeks,
according to a report posted on a U.S. government website.
The Department of Homeland Security report did not identify
the plant but said criminal software, which is used to conduct
financial crimes such as identity theft, was behind the
incident.
It was introduced by an employee of a third-party contractor
that does business with the utility, according to the agency.
DHS reported the incident, which occurred in October, along
with a second involving a more sophisticated virus, on its
website as cyber experts gather at a high-profile security
conference in Miami known as S4 to review emerging threats
against power plants, water utilities and other parts of the
critical infrastructure.
In addition to not identifying the plants, a DHS spokesman
declined to say where they are located.
Interest in the area has surged since 2010 when the Stuxnet
computer virus was used to attack Iran's nuclear program.
Although the United States and Israel were widely believed to be
behind Stuxnet, experts believe that hackers may be copying the
technology to develop their own viruses.
Justin W. Clarke, a security researcher with a firm known as
Cylance that helps protect utilities against cyber attacks,
noted that experts believe Stuxnet was delivered to its target
in Iran via a USB drive. Attackers use that technique to place
malicious software on computer systems that are "air gapped," or
cut off from the public Internet.
"This is yet another stark reminder that even if a true 'air
gap' is in place on a control network, there are still ways that
malicious targeted or unintentional random infection can occur,"
he said.
AGING SYSTEMS
Many critical infrastructure control systems run on Windows
XP and Windows 2000, operating systems that were designed more
than a decade ago. They have "auto run" features enabled by
default, which makes them an easy target for infection because
malicious software loads as soon as a USB drive is plugged into
the system unless operators change that setting, Clarke said.
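As an added example that is not part of the article, the PowerShell below audits the Windows AutoRun policy Clarke refers to and, if `Disable-AutoRun` is called, sets it to Microsoft's recommended value; the registry paths and bit values are Microsoft's documented ones, while the 0x91 fallback used when no policy value exists is an assumption.

```powershell
# Added example (not from the article): audit and optionally harden the
# Windows AutoRun policy. Run in an elevated PowerShell session.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # all users
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user
)

# NoDriveTypeAutoRun is a bitmask: a SET bit DISABLES AutoRun for that drive type.
$DriveBits = [ordered]@{
    'Unknown'   = 0x01
    'NoRoot'    = 0x02
    'Removable' = 0x04   # USB flash drives
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CDROM'     = 0x20
    'RAMDisk'   = 0x40
    'Reserved'  = 0x80
}
$DisableAll = 0xFF   # Microsoft-recommended value: AutoRun off for every drive type

function Get-AutoRunStatus {
    foreach ($path in $PolicyPaths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) { $value = 0x91 }   # assumed Windows default when no policy value is present
        # Drive types whose bit is clear still run autorun.inf when media is inserted
        $stillOn = $DriveBits.GetEnumerator() | Where-Object { -not ($value -band $_.Value) } | ForEach-Object { $_.Key }
        [pscustomobject]@{
            Hive               = $path.Split(':')[0]
            NoDriveTypeAutoRun = ('0x{0:X2}' -f $value)
            AutoRunStillOn     = ($stillOn -join ', ')
            Hardened           = (($value -band $DisableAll) -eq $DisableAll)
        }
    }
}

function Disable-AutoRun {
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name NoDriveTypeAutoRun -PropertyType DWord -Value $DisableAll -Force | Out-Null
        # NoAutorun=1 also stops autorun.inf from adding entries to the AutoPlay dialog (Vista and later)
        New-ItemProperty -Path $path -Name NoAutorun -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Windows XP only honors NoDriveTypeAutoRun after update KB967715 with HonorAutorunSetting=1
    New-ItemProperty -Path $PolicyPaths[0] -Name HonorAutorunSetting -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-AutoRunStatus | Format-Table -AutoSize
# Disable-AutoRun   # uncomment to apply; the policy takes effect at the next logon
```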
The Department of Homeland Security's Industrial Control
Systems Cyber Emergency Response Team (ICS-CERT), which helps
protect critical U.S. infrastructure, described the incident in
a quarterly newsletter that was accessed via its website on
Wednesday.
The report from ICS-CERT described a second incident in
which it said it had recently sent technicians to clean up
computers infected by common as well as "sophisticated" viruses
on workstations that were critical to the operations of a power
generation facility.
The report did not say who the agency believed was behind
the sophisticated virus or if it was capable of sabotage. DHS
uses the term "sophisticated" to describe a wide variety of
malicious software that is designed to do things besides commit
routine cyber crimes. They include viruses capable of espionage
and sabotage.
A DHS spokesman could not immediately be reached to comment
on the report.
The Department of Homeland Security almost never identifies
critical infrastructure operators that are hit by viruses, or
even their locations, but it does provide statistics.
It said ICS-CERT responded to 198 cyber incidents reported
by energy companies, public water districts and other
infrastructure facilities in the fiscal year ending Sept. 30,
2012.
Attacks against the energy sector represented 41 percent of
the total number of incidents in fiscal 2012. According to the
report, ICS-CERT helped 23 oil and natural gas sector
organizations after they were hit by a targeted spear-phishing
campaign - when emails with malicious content are specifically
targeted at their employees.
The water sector had the second highest number of incidents,
representing 15 percent.