ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) recently provided onsite support at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment. The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive’s operation. The employee routinely used this USB drive for backing up control systems configurations within the control environment.
When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits. Initial analysis caused particular concern when one sample was linked to known sophisticated malware. Following analysis and at the request of the customer, an onsite team was deployed to their facility where the infection occurred.
ICS-CERT’s onsite discussions with company personnel revealed a handful of machines that likely had contact with the tainted USB drive. These machines were examined immediately and drive images were taken for in-depth analysis. ICS-CERT also performed preliminary onsite analysis of those machines and discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment. Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations.
With confirmation that the sophisticated malware existed on the two engineering workstations, attention shifted quickly to the remaining eleven operator stations in the control environment. Manual analysis using the known characteristics of the malware revealed no signs of the malicious software on these operator stations.
After the onsite visit, ICS-CERT had two primary goals for assisting the organization.
• Identify effective and safe cleaning procedures that could be used to remove the remaining malicious artifacts.
• Identify best practices to prevent and detect future malware infections in this organization’s control environment.
ICS-CERT obtained a number of images and other artifacts for additional offsite analysis. The in-depth analysis of the two engineering workstations was critical in identifying safe and effective malware cleaning procedures. The cleaning procedures were developed in close coordination with the organization’s control system vendor to ensure that they would not adversely impact the workstations.
While the implementation of an antivirus solution presents some challenges in a control system environment, it could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations.
In addition to backing up the engineering workstation configuration files, the USB drive was also transporting malware. A good backup procedure should incorporate best practices for USB usage to ensure that malicious content is not spread or inadvertently introduced, especially in critical control environments. This procedure should include cleaning the USB device before each use or the use of write-once media such as CDs or DVDs.
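One way to put the "check the medium before each use" recommendation into practice, as an added example that is not part of the ICS-CERT report: record a SHA-256 manifest of the backup medium while it is known clean, then, before the next use, flag anything that is new, changed, missing, or a file type that has no business on a configuration backup (the name and extension lists are assumptions for this example).

```python
import hashlib, os, tempfile
# Names/extensions that do not belong on a configuration backup medium (assumed list; tailor it to your backups).
RISKY_NAMES = {"autorun.inf", "desktop.ini"}
RISKY_SUFFIXES = (".exe", ".dll", ".scr", ".lnk", ".vbs", ".js", ".bat", ".cmd")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (the known-clean state)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest

def audit_medium(root, manifest):
    """Compare the medium against the manifest; return sorted (path, reason) findings."""
    findings, current = [], build_manifest(root)
    for rel, digest in current.items():
        name = os.path.basename(rel).lower()
        if name in RISKY_NAMES or name.endswith(RISKY_SUFFIXES):
            findings.append((rel, "risky file on backup medium"))
        elif rel not in manifest:
            findings.append((rel, "not in known-clean manifest"))
        elif manifest[rel] != digest:
            findings.append((rel, "content changed since manifest"))
    findings += [(rel, "expected backup file missing") for rel in manifest if rel not in current]
    return sorted(findings)

def _put(path, data, mode="w"):
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario: record a clean medium, then audit it after tampering."""
    with tempfile.TemporaryDirectory() as usb:
        os.makedirs(os.path.join(usb, "plc"))
        _put(os.path.join(usb, "plc", "line1.cfg"), "scan_rate=10\n")
        _put(os.path.join(usb, "hmi.xml"), "<hmi/>\n")
        manifest = build_manifest(usb)  # taken while the medium is known clean
        _put(os.path.join(usb, "autorun.inf"), "[autorun]\n")  # unexpected file
        _put(os.path.join(usb, "update.exe"), b"MZ", "wb")  # unexpected executable
        _put(os.path.join(usb, "hmi.xml"), "<!-- edited -->\n", "a")  # changed content
        return audit_medium(usb, manifest)
```

Any finding should stop the medium from being used in the control environment until it has been examined on an isolated, antivirus-equipped host; the manifest itself must be stored off the medium, or it can be altered along with the files it protects.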

The organization also identified during the course of the investigation that it had no backups for the two engineering workstations. Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact. The recommended practice is to maintain a system of “hot spares” or other effective backups for all critical systems. The ICS-CERT report detailing the analysis and malware indicators was shared with members of the Control Systems Center on the US-CERT Secure Portal.
Source and full report:
