The virus, a Trojan used for identity theft, was unwittingly introduced by a technician working for a third-party contractor, and kept the power plant offline for three weeks.
“When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits,” says the DHS’s Computer Emergency Readiness Team (ICS-CERT) in a report.
“Initial analysis caused particular concern when one sample was linked to known sophisticated malware.”
The malware, it says, was found on two engineering-based workstations that are critical to the control of the power station. Neither workstation had any effective backup, it says.
And ICS-CERT says another unidentified power plant was also hit by a more sophisticated virus, again introduced on a USB stick. The infection, in a turbine control system, affected around ten computers.
“ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media,” says ICS-CERT.
“Such practices will mitigate many issues that could lead to extended system downtimes.”
USB sticks are a notoriously simple way for attackers to gain entry to industrial control systems. Both the Stuxnet worm and the Flame malware, reportedly developed by the US and Israel to attack systems in Iran, relied on USB drives to gain access.