In the 4th quarter of 2012, the Industrial Control Systems (ICS) team within CERT responded to multiple instances of power plant and utility control systems being infected with malware. In at least two of these, featured in ICS-CERT Monitor articles, the use of infected USB drives was identified as the means of transmission. Both cases illustrate the need for rigid backup and removable device policies. In one, the drive was used as the sole method of backing up critical workstations, and the other involved a third-party technician unwittingly infecting equipment while updating software using a USB drive. An important reminder to all who service networked devices…
As discussed in previous posts (see Hardware Hacking category), vulnerabilities in equipment connected directly to the Internet are capturing most of the attention these days. ICS-CERT recently summarized “Project SHINE,” which filtered and researched systems identified via the SHODAN search engine, looking for those most likely to control critical infrastructure. In the end, they determined that 7,200 devices (out of an initial list of more than 500,000) were directly related to control systems. With assistance from CERT, the group of researchers has been notifying owners about the potential exposure to attack, but this issue will be with us for a long time to come.
ICS-CERT also published a summary of the incidents by sector for 2012:
Additional Information about SHINE: “SHINE stands for SHodan INtelligence Extraction. Managed by Bob Radvanovsky and Jake Brodsky of InfraCritical, it is a project to locate probable sites where control systems hardware may be running openly (without encryption or authentication of any sort) on the Internet. These include everything from hospital patient monitoring systems, building automation, Distribution SCADA RTUs, PLC gear, smart meters, traffic control systems, point of sale systems, security and fire alarm systems, and so on.”
The Shodan search engine can be found here.