In April, an energy company experienced a near-miss incident involving a potential malware infection of its control system.
A shift supervisor was downloading information from the human-machine interface (HMI) connected to the industrial control systems (ICSs) onto a removable USB flash drive as part of his normal duties.
At the end of the shift, the supervisor mistakenly left the removable media in the USB port of the HMI computer. Later, other workers discovered the removable flash drive in the HMI, immediately removed it, and began an investigation.
They ran antivirus scanners on the removable media, the HMI machine, and other associated systems. The scanners found the Hamweq malware (a worm that spreads to hosts through the AutoRun entry on removable drives) on the flash drive, but the other systems were clean.
The malware did not infect the HMI or the associated ICS because the AutoRun function had been disabled on those systems. Had AutoRun been enabled, inserting the drive would have executed the malware's autorun.inf entry, which could have installed malicious code on the connected systems and opened a backdoor that communicates with a remote host over TCP port 6667 (the standard IRC port). No malicious intent was attributed to the supervisor.
The critical error precursors that led to this incident were:
• removable media flash drives not properly marked,
• removable media flash drives that had been deemed unusable not properly segregated, and
• a personally owned removable media drive used in systems associated with ICS.
The following recommended practices concerning removable media can help to prevent infections on critical systems:
• Never insert removable media with an unknown origin into a system.
• Never mix personally owned removable media with company-owned removable media.
• Always dedicate specific removable media to specific systems; do not move media between systems.
• Always clearly label removable media.
• Always segregate malfunctioning or suspected infected removable media from media that is deemed acceptable.
• Disable the AutoRun function on ICS hosts where practical.
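The following PowerShell script is an added example, not part of the ICS-CERT report or the affected company's procedures. It shows how an administrator can verify and enforce the AutoRun control that prevented this infection on a Windows HMI, inspect an inserted removable drive for an autorun.inf that would launch a program, and, as a compensating control drawn from the report's mention of TCP port 6667, block that outbound port. It assumes an elevated PowerShell 3.0 or later session on Windows; the registry value names (NoDriveTypeAutoRun, HonorAutorunSetting) and the Win32_LogicalDisk DriveType code are documented Microsoft settings, and the assumption that the HMI has no legitimate need for outbound port 6667 is the editor's.

```powershell
# Added example (not from the ICS-CERT report). Audits and enforces AutoRun
# settings on a Windows HMI and inspects removable media for autorun.inf.
# Assumes an elevated PowerShell 3.0+ session on Windows.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunStatus {
    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled.
    # 0x04 covers removable drives; 0xFF disables AutoRun for every drive type.
    $value = (Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        NoDriveTypeAutoRun = $value
        RemovableDisabled  = ($null -ne $value) -and (($value -band 0x04) -ne 0)
        AllDisabled        = ($value -eq 0xFF)
    }
}

function Disable-AutoRun {
    # Enforce the setting that stopped Hamweq from executing in the incident.
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    New-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun `
        -PropertyType DWord -Value 0xFF -Force | Out-Null
    # On Windows XP/2003 with KB967715 applied, HonorAutorunSetting must be 1
    # for NoDriveTypeAutoRun to be respected at all.
    New-ItemProperty -Path $ExplorerPolicy -Name HonorAutorunSetting `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Find-SuspiciousAutorunInf {
    # Walk every removable drive (Win32_LogicalDisk DriveType 2) and report
    # autorun.inf directives that would launch a program if AutoRun were on.
    $pattern = '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*='
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $inf = Join-Path $disk.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $hits = Get-Content -LiteralPath $inf | Select-String -Pattern $pattern
            [pscustomobject]@{
                Drive      = $disk.DeviceID
                AutorunInf = $inf
                Launches   = @($hits | ForEach-Object { $_.Line.Trim() })
            }
        }
    }
}

function Block-OutboundIrcPort {
    # Compensating control (editor's assumption that the HMI never needs it):
    # the report states the backdoor would use TCP 6667, the standard IRC port.
    netsh advfirewall firewall add rule name="Block outbound TCP 6667 (IRC)" `
        dir=out action=block protocol=TCP remoteport=6667 | Out-Null
}

# Usage: audit first, enforce if needed, then check any inserted drive.
Get-AutoRunStatus
if (-not (Get-AutoRunStatus).AllDisabled) { Disable-AutoRun }
Find-SuspiciousAutorunInf | Format-List
```

Run Get-AutoRunStatus on each HMI and engineering workstation as part of routine checks; a drive whose autorun.inf contains an `open=`, `shellexecute=` or `shell\...\command=` line should be treated as suspect and segregated, as the recommended practices above describe, rather than re-used.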
Combating sophisticated attacks is challenging for any company. ICS-CERT is working with partners to evaluate a more strategic and layered approach to detecting and mitigating these threats.
ICS-CERT continues to recommend Defense-in-Depth practices and to educate users about social engineering and spear-phishing attacks.
Organizations are also encouraged to review ICS-CERT’s Incident Handling Brochure for tips on preparing for and responding to an incident.