A computer virus attacked a turbine control system at a U.S. power company last fall when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant off line for three weeks, according to a report posted on a U.S. government website.
The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident. It was introduced by an employee of a third-party contractor that does business with the utility, according to the agency.
DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure. In addition to not identifying the plants, a DHS spokesman declined to say where they are located.
‘Air gap’ on a control network
Interest in the area has surged since 2010 when the Stuxnet computer virus was used to attack Iran's nuclear program. Although the United States and Israel were widely believed to be behind Stuxnet, experts believe that hackers may be copying the technology to develop their own viruses.
Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive. Attackers use that technique to place malicious software on computer systems that are ``air gapped,'' or cut off from the public Internet. ``This is yet another stark reminder that even if a true 'air gap' is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur,'' he said.
Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have ``auto run'' features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB is plugged into the system unless operators change that setting, Clarke said.
The Department of Homeland Security's Industrial Control Systems Cyber Emergence Response Team (ICS-CERT), which helps protect critical U.S. infrastructure, described the incident in a quarterly newsletter that was accessed via its website recently.
The report from ICS-CERT described a second incident in which it said it had recently sent technicians to clean up computers infected by common as well as ``sophisticated'' viruses on workstations that were critical to the operations of a power generation facility.
The report did not say who the agency believed was behind the sophisticated virus or if it was capable of sabotage. DHS uses the term \"sophisticated'' to describe a wide variety of malicious software that is designed to do things besides commit routine cyber crimes. They include viruses capable of espionage and sabotage.