ICS-CERT: Removable Media Flash Drive Attacks

Tuesday, July 10, 2012

Infosec Island Admin

7fef78c47060974e0b8392e305f0daf0

In April, an energy company experienced a near miss incident related to a potential malware infection in its control system.

A shift supervisor was downloading information from the human-machine interface (HMI) connected to the industrial control systems (ICSs) onto a portable removable media flash drive as part of his normal duties.

At the end of the shift, the supervisor mistakenly left the removable media in the USB port of the HMI computer. Later, other workers discovered the removable flash drive in the HMI, immediately removed it, and began an investigation.

They ran antivirus scanners on the removable media, the HMI machine, and other associated systems. The antivirus scanners found the Hamweq virus on the removable media, but the other systems were clean.

The malware did not infect the HMI or the associated ICS because the auto-run function had been disabled on their systems. If auto-run had been enabled, the malware could have injected malicious code to the connected systems and created a backdoor through remote Port 6667/TCP. No malicious intent was attributed to the supervisor.

The critical error precursors that led to this incident were:

• removable media flash drives not properly marked,

• removable media flash drives that have been deemed unusable not properly segregated, and

• a personally owned removable media drive used in systems associated with ICS.

The following recommended practices concerning removable media can help to prevent infections on critical systems:

• Never insert removable media with an unknown origin into a system.

• Never mix personally owned removable media with company-owned removable media.

• Always use dedicated media for the same systems.

• Always clearly label removable media.

• Always segregate malfunctioning or suspected infected removable media from media that is deemed acceptable.

• Disable the auto-run function on ICS when practical.

Combating sophisticated attacks is challenging for any company. ICS-CERT is working with partners to evaluate a more strategic and layered approach to detecting and mitigating these threats.

ICS-CERT continues to recommend Defense-in-Depth practices and to educate users about social engineering and spear-phishing attacks.

Organizations are also encouraged to review ICS-CERT’s Incident Handling Brochure for tips on preparing for and responding to an incident.

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_May_2012.pdf

Possibly Related Articles:
15778
SCADA
Industrial Control Systems
malware Removable Media Attacks Defense in Depth ICS-CERT Flash Drive Industrial Control Systems human-machine interface Hamweq Virus
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.