
Reports are circulating on Heise Online, VirusBlokAda and KrebsonSecurity of a new virus that targets control systems. The virus spreads on USB drives by exploiting a zero-day vulnerability in Windows 7. Worse, the code involved carries a RealTek signature. Frank Boldewin found that the malware uses the PCS vendor-default password to extract a small amount of data from a control system database. Commentators are pointing to this virus as evidence of a professional espionage effort of some sort.

The reliability of these reports is not clear at this time. Apparently Microsoft is having trouble reproducing the zero-day vulnerability and there is little detail on what else the malware does. Is this an account/password harvesting tool with dozens of vendor passwords in the component? Or something more sinister targeted specifically at control systems?

If these early reports do prove accurate, the malware will be unusual in two respects: both the use of an unknown zero-day vulnerability and the use of a well-known vendor's key suggest an unusually sophisticated adversary, and of course it is unusual to see malware targeting a control system at all, much less malware using such a sophisticated propagation vehicle.

What is not so unusual is to see trojan, virus and worm infestations of control systems. Control systems tend to be compromised with such malware much less frequently than enterprise systems, but the most common control system compromise we do see is common malware. In the experience of our field people, the most common vector our customers identify for these compromises is USB flash sticks.

The average control system component is particularly vulnerable to this kind of malware, since such components tend to be less well-patched than enterprise systems. This raises the question: why bother embedding control-system-targeted malware in a previously unknown zero-day attack? The answer is in the minds of our adversaries. If the analysis that this is a control system attack holds up, my guess is that they chose a sophisticated vehicle for spreading their malware, intending to propagate it widely through the better-protected enterprise network in order to reach someone likely to carry a USB stick to a control system component.

Until we have more information about this particular piece of malware, it is not clear what consequences it may have for the targeted control system components. Most often, malware on control systems has no obvious adverse effect at all. Malware tends to be detected by AV tools, or by firewall logs when the malware contacts its own control server, or by increased system or network loads as the malware consumes resources.

However, in our experience, the most common organizational response to a virus infestation is to perform an emergency shut down and clean-out of the compromised parts of the control system. Many operations sites have stringent safety and change control programs in place. Even if an initial investigation suggests that the malware in question may not have an immediate effect on the control system, or that the malware is at low risk of propagating, safety-conscious sites will not take chances. Sometimes there is enough redundancy in the control system that even with affected components shut down, the physical process can continue running. Other times, this is not so, and the entire process is shut down while operations staff do an emergency rebuild of the compromised components.

What can you do about threats like this? You have to start with a deep suspicion of USB keys. Flash sticks are the new floppies. Sometimes a flash stick or an external drive is required to move large amounts of data into or out of control systems components without impacting network performance. More commonly, flash sticks are considered a convenient way to get data into and out of a control system component without worrying about firewalls or network connections.

Stop it! Data should only be introduced into control system components through trusted paths -- from machines, media or networks you are certain are clean. Frequent reformatting of flash sticks helps a bit. You are better off completely disabling the use of USB mass storage devices on your control systems. You don't need to disable your USB ports altogether - just use the technology available to disable mass storage devices on those ports.
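One way to do exactly that on a Windows host, as an added example that is not part of the original post: the USBSTOR service key is the standard Windows mass-storage class driver entry, so setting it to disabled blocks flash sticks and external disks while keyboards, mice and other HID devices on the same ports keep working. The function names are my own; run from an elevated session.

```powershell
# Added example: disable the USB mass-storage class driver (USBSTOR) on one
# Windows host while leaving the USB ports themselves usable for HID devices.
# Start=3 loads the driver on demand, Start=4 marks the service disabled.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Report the current state so the change can be recorded before and after.
function Get-UsbStorState {
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled (load on demand)' }
        4       { 'Disabled' }
        default { "Unexpected Start value: $start" }
    }
}

function Disable-UsbStor {
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    # A device that is already attached keeps its loaded driver until it is
    # removed; the setting takes effect for the next device plugged in.
}

function Enable-UsbStor {
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
}

# List USB disks currently attached, for the audit record and to confirm that
# nothing is still mounted after the driver is disabled and the device removed.
function Get-AttachedUsbDisks {
    Get-WmiObject -Class Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        Select-Object Model, SerialNumber, Size
}

Get-UsbStorState
Get-AttachedUsbDisks
```

USBSTOR covers only the mass-storage class: phones and cameras that enumerate as MTP/PTP use the portable-device (WPD) driver instead, so for complete coverage, and to roll the setting out domain-wide rather than host by host, deny the relevant classes under Computer Configuration > Administrative Templates > System > Removable Storage Access in Group Policy as well.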

In addition, security standards and regulations like NERC CIP require that vendor-default passwords be changed when a system is installed. The vehicle for transmitting this particular malware was sophisticated, but the malware itself thus far seems pretty simple - log into a database using the vendor-default password. Simply changing the password on your control systems frustrates attacks like this one.

A more sophisticated response is the use of a Host Intrusion Protection System (HIPS). These systems sign authorized software on your control system hosts and refuse to let unsigned software run. Like this piece of malware, the vast majority of malware initially uses a highly technical attack on an existing vulnerability to install and launch one or more executables, in this case from the USB stick. Since those executables will not have been signed by the HIPS, the HIPS will block their execution, even if it cannot block the initial attack on the Windows vulnerability. This prevents a persistent infection of the device and reduces the initial attack to a denial of service attack on the vulnerable Windows component. Better yet, some HIPS solutions come bundled with "disable USB mass storage" technology.
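The allowlisting principle behind a HIPS, shown in audit mode as an added example (my own code, not any HIPS product's): a baseline of SHA-256 hashes is taken from the trusted install tree, and any executable found on a volume such as a newly inserted USB stick that is not in that baseline is reported. Because the post notes that this malware carried a well-known vendor's signature, the hash baseline is the authoritative check here and the Authenticode status is shown only to help triage. The baseline path and file extensions are assumptions.

```powershell
# Added example: audit-mode approximation of HIPS allowlisting. It blocks
# nothing; it reports executables whose hash is not in a known-good baseline.

$BaselineFile = 'C:\ControlSystem\allowlist.sha256.txt'   # assumed location
$ExecutableTypes = '*.exe', '*.dll', '*.sys'               # assumed scope

# Record the SHA-256 of every executable under the trusted install tree,
# one "<hash> <path>" line per file.
function New-ExecutableBaseline {
    param([string]$Root, [string]$OutFile = $BaselineFile)
    Get-ChildItem -Path $Root -Recurse -Include $ExecutableTypes -File |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { "$($_.Hash) $($_.Path)" } |
        Set-Content -Path $OutFile
}

# Report executables under $Path (for example a freshly inserted USB volume)
# that are not on the baseline. Signature status is informational only:
# a valid vendor signature is not by itself grounds for trust.
function Test-ExecutableAllowlist {
    param([string]$Path, [string]$Baseline = $BaselineFile)
    $known = @{}
    foreach ($line in Get-Content -Path $Baseline) {
        $hash = ($line -split ' ', 2)[0]
        $known[$hash] = $true
    }
    Get-ChildItem -Path $Path -Recurse -Include $ExecutableTypes -File |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if (-not $known.ContainsKey($hash)) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Sha256    = $hash
                    Signature = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
}

# Usage (paths assumed): build once from the trusted install, then audit media.
# New-ExecutableBaseline -Root 'C:\ControlSystem'
# Test-ExecutableAllowlist -Path 'E:\' | Format-Table -AutoSize
```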

Broader protection against professional espionage agencies is much harder. Professionals use a variety of channels to attack and until we see more and clearer evidence of sophisticated attacks, or we see serious security regulations come through, I don't see most firms protecting against professional threats. The feedback we have from our customers is that, given the lack of clear evidence of professional threats to control systems, they are unable to make a compelling business case for budgets to combat such threats.