Most Industrial Control Systems Get Infected with Malware by Accident

Share this…

The vast majority of malware incidents that take place at industrial facilities around the world are just accidental infections, albeit a very small number of targeted attacks have also been detected.

This is the conclusion of a study carried out by researchers from cybersecurity firm Dragos, who took a look at over 500,000 reported cyber attacks on industrial facilities and analyzed over 30,000 samples of infected ICS files and installers dating back to 2003, that have been submitted to Virus Total.

ICS systems aren’t always placed on isolated networks

Their work, which intended to clarify the plethora of misreported and over-hyped press articles, revealed that most of these malware incidents are the work of mundane malware that has, in most cases, reached ICS networks by accident.

ICS, which stands for Industrial Control Systems, are generally made up of two parts: the SCADA equipment which acquires data from sensors and controls industrial machines; and the software that allows human operators to control that equipment.

While there’s very little malware that can literally run on SCADA equipment per-se, these industrial systems are vulnerable through the computers used to manage their activity.

All security best practices dictate that these systems, including the SCADA management computers, be isolated not only from the Internet but also from other factory networks. In real life, this doesn’t always happen, as there are clear benefits from controlling SCADA equipment over the Internet.

Over 3,000 facilities infected with mundane malware each year

Because of this lack of proper network segmentation, common malware, such as Sivis, Ramnit, and Virut, often find their way onto computers controlling SCADA equipment. In all cases, these malware infections are harmless, as they don’t come with special components to target and take down industrial facilities.

According to Dragos experts, around 3,000 industrial facilities suffer such “accidental” infections with non-targeted malware.

The prime example for this is the Gundremmingen nuclear power plant in Germany, which shut down for a few days in April 2016 due to an infection with the Conficker worm on one of the plant’s IT networks.

Targeted attacks have been detected

But this doesn’t mean attacks with specialized (targeted) malware on ICS systems don’t exist. Dragos experts say they’ve also detected such attacks based on evidence from incidents going back at least four years.

In our research, we found a dozen such ICS-themed malware intrusions. Of the dozen ICS-themed malware cases one really stood out. Starting in 2013 there were submissions from an ICS environment in the US for Siemens programmable logic controller (PLC) control software. The various anti-virus vendors were flagging it as a false positive initially and then eventually a basic piece of malware. Upon our inspection, we found that variations of this file and Siemens theme 10 times over the last 4 years with the most recent flagging of this malicious software being this month in 2017. In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software.

Such attacks are rare, but SCADA-targeting malware is becoming more popular. We already know about Stuxnet, Havex, BlackEnergy2, and Irongate (which appears to be the malware Dragos experts were referring above).

On top of this, security researchers created in laboratory environments a proof-of-concept SCADA worm called PLC-Blaster, and an SCADA-targeting ransomware called LogicLocker.

Industrial facilities, ICS vendors have poor OpSec

The reasons why this type of malware incidents are growing is also because more and more SCADA equipment is being put online.

“Historically ICS was designed to be completely segregated and confined by physical boundaries. However, each new IP address punches another hole in the metaphorical wall that separates Information Technology (IT) and Operational Technology (OT),” Edgard Capdevielle, CEO, Nozomi Networks tells Bleeping Computer.

“Having established IT connectivity it’s difficult to put the genie back in the bottle,” he adds. “Currently, security in control systems today is bolted on rather than designed in and that’s like selling a car with seatbelts as an optional extra.”

This lack of awareness to security issues was also noted by Dragos experts, who observed various issues with operational security (OpSec) at industrial facilities and with ICS/SCADA vendors.

For example, legitimate ICS software (human machine interface installers, data historian installers, and key generators) was discovered in public databases (such as VirusTotal, for example).

“We found over 120 project files that were flagged and submitted to these public databases,” experts said, arguing that an adversary only needs to download this software to learn how it works, and design its malware around its features.

And as if this wasn’t bad enough, there were even more sensitive data. “There were a number of unique reports, NRC (Nuclear Regulatory Commission) reports, substation layouts and maintenance reports, and more all in the database,” experts added.

For these instances, Dragos experts advise industrial facilities to have a talk with their IT security teams and review what type of files from inside their network gets posted online. A review of the antivirus software that gets used at these facilities is also in order, as some AV vendors will submit files to VirusTotal at a later point.

Chances that something changes are small. If ICS vendors and industrial facilities cared about their operational security, then 92% of all Internet-available ICS hosts wouldn’t contain vulnerabilities to begin with.

The work of Dragos security experts, called MIMICS (Malware In Modern ICS) will be presented at various security conferences this upcoming year.