What kind of malware is hitting industrial control systems, and how worried should we and the operators of these systems actually be?
These are questions that Ben Miller, Director of the Dragos Threat Operations Center, took it upon himself to answer, by sifting through public datasets of ICS incidents collected over the last 13+ years.
The results of the analysis
Miller’s analysis revealed that targeted ICS intrusions are rare.
But, interestingly enough, variants of the same malware disguised as software for Siemens programmable logic controllers (PLCs) have been flagged 10 times over the last 4 years, the latest occurrence being early this month.
“The malware is simply crimeware but has seemingly been effective,” Lee noted, but says that there is currently no reason for alarm. “Stuxnet set the bar high for the expectation that ICS tailored malware is required to target and disrupt operations,” he pointed out. He also noted that incidents like these can be easily minimized by practicing software supply chain validation.
Non-targeted IT infections are, by comparison, far more numerous.
“There are around 3,000 unique industrial sites a year that are infected with traditional non-targeted malware,” Dragos CEO Robert M. Lee shared. This type of malware includes viruses and Trojans, and usually ends up on industrial sites’ IT systems because it is inadvertently brought in by employees, via infected USB sticks.
Lee argues that, while these infections may have an impact on these environments or give adversaries access, operators should not be too worried about them, and reports about this type of infection should not be news.
“We do not need news stories because one nuclear facility was infected with Ramnit,” he noted, as it happens a lot. “It doesn’t mean that safety is ever compromised or that the sky is falling but asset owners and operators can be assured that simple best practices such as network security monitoring will absolutely contribute to better reliability in their ICS.”
Finally, he says that IT security teams unused to ICS environments are unintentionally helping potential attackers: they fail to recognise legitimate ICS software, flag it as malicious, and submit it to public malware databases, where adversaries can obtain and analyse it and use that knowledge to hone their attacks.
And since these databases are also known to contain various reports by regulatory commissions and maintenance crews, there is even more useful information in them for attackers to misuse.
“Have a discussion with the IT security teams (out-sourced or on-site) on what is legitimate and what should not be submitted to the internet, validate what your security technologies are submitting to databases such as VirusTotal, and be proactive in looking at such databases for your own files and information,” he advises owners and operators of industrial control systems.
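The two defensive practices named above, software supply chain validation for PLC software and validating what gets submitted to public multi-scanner databases, share one building block: an allowlist of known-good vendor file hashes. The following Python script is an added example (not Dragos code, and not a real vendor manifest); it verifies a downloaded installer against a `sha256sum`-style manifest the vendor would publish out of band, and uses the same verdict to decide whether a file is legitimate vendor software that should never be uploaded to a public scanner. All file names, contents and the manifest are constructed for the demo.

```python
"""Supply-chain validation of ICS software drops (added example).

A file claiming to be vendor PLC software is hashed and checked against a
manifest obtained out of band. Verdicts:
  verified  - name and SHA-256 match the manifest: legitimate vendor software;
              install is allowed and the file must NOT be submitted to public
              scanners (that is how vendor tools end up in public databases).
  mismatch  - name is listed but the digest differs: possibly tampered or
              trojanised; quarantine and contact the vendor.
  unlisted  - not in the manifest: unknown; review before install or before
              any external submission.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

CHUNK = 1 << 16  # stream-hash so large installers are not loaded into memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<hex sha256>  <file name>' lines; blank and '#' lines are skipped.
    A malformed digest raises rather than silently allowlisting nothing."""
    manifest: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        manifest[name.strip()] = digest
    return manifest


def classify(path: str, manifest: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, digest) for one file, keyed by its base name."""
    digest = sha256_file(path)
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "unlisted", digest
    if hmac.compare_digest(expected, digest):
        return "verified", digest
    return "mismatch", digest


def may_submit_externally(verdict: str) -> bool:
    """Gate for security tooling: never upload verified vendor software."""
    return verdict != "verified"


def demo() -> Dict[str, str]:
    """Create constructed files in a temp directory and classify each one.
    Returns {relative path: verdict}."""
    genuine = b"MZ" + b"constructed vendor PLC engineering tool image" * 64
    trojanised = genuine + b"\x00appended constructed payload"  # same name, altered bytes
    # Constructed manifest: in practice this comes signed from the vendor,
    # not derived from the download being checked.
    manifest = parse_manifest(
        "# vendor manifest (constructed for this example)\n"
        f"{hashlib.sha256(genuine).hexdigest()}  PLC_Tool_Setup.exe\n"
    )
    samples = {
        "vendor_download/PLC_Tool_Setup.exe": genuine,
        "usb_stick/PLC_Tool_Setup.exe": trojanised,
        "usb_stick/ReadMe.txt": b"notes from the maintenance crew",
    }
    verdicts: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        for rel, data in samples.items():
            p = os.path.join(d, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            verdict, _ = classify(p, manifest)
            verdicts[rel] = verdict
    return verdicts


if __name__ == "__main__":
    for rel, v in demo().items():
        print(f"{v:9s} submit_ok={may_submit_externally(v)!s:5s} {rel}")
```

The manifest is parsed strictly so that a corrupted or truncated allowlist fails loudly instead of quietly classifying everything as unlisted, and `hmac.compare_digest` is used for the hash comparison out of habit rather than necessity here, since the digests are not secret.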