AusCERT2012: Anti-virus a SCADA kill switch

Powered by SC Magazine
 

Can't build Stuxnet? Crack the operating system.

“Catastrophic failure” would have hit a major US gas utility last year if security technicians had run anti-virus to remove a prolific malware infection.

The malware had embedded itself into dozens of machines within the unnamed utility provider and created malicious files that bore identical filenames to those that were critical to the operations of the core SCADA (Supervisory Control and Data Acquisition) system.


Had AV been run, it would have removed both the infection and the critical files, grinding energy production to a halt.
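As an added illustration (not code from the article, Lofty Perch or the utility), the triage step a responder would want before any removal: each AV hit is checked against a golden-image baseline of operations-critical files, so a genuine critical file is held for investigation while a same-named impostor is isolated. The paths, file contents and detections are constructed.

```python
import hashlib
import os

# Constructed sample data: the golden content of two operations-critical
# SCADA files, recorded from a clean build image before go-live.
GOLDEN_FILES = {
    "/opt/scada/bin/hmi_runtime": b"GOLDEN-HMI-RUNTIME-v1",
    "/opt/scada/cfg/tagdb.conf": b"tags=pump1,valve7\n",
}

def build_baseline(golden_files):
    """Map each critical path to the SHA-256 of its known-good content."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in golden_files.items()}

def triage_detection(path, content, baseline):
    """Classify one AV hit before any quarantine/remove action.

    'protected': a baseline path whose content still matches the golden hash.
                 Deleting it is the kill switch described above, so the
                 response must stop and investigate instead.
    'decoy':     the name collides with a critical file (same path with other
                 content, or same basename elsewhere): the impostor.
    'unlisted':  not a known critical file; normal AV handling applies.
    """
    digest = hashlib.sha256(content).hexdigest()
    if path in baseline:
        return "protected" if digest == baseline[path] else "decoy"
    if os.path.basename(path) in {os.path.basename(p) for p in baseline}:
        return "decoy"
    return "unlisted"

def plan_response(detections, baseline):
    """Turn AV hits into actions; a protected file is never removed."""
    actions = {"protected": "hold-and-investigate",
               "decoy": "isolate",
               "unlisted": "standard-quarantine"}
    return {path: actions[triage_detection(path, content, baseline)]
            for path, content in detections.items()}

# Constructed AV hits: the genuine runtime (assumed flagged because the
# scanner matched on the shared file name), a same-named impostor dropped
# elsewhere, and an unrelated file.
SAMPLE_HITS = {
    "/opt/scada/bin/hmi_runtime": b"GOLDEN-HMI-RUNTIME-v1",
    "/tmp/.cache/hmi_runtime": b"MZ\x90\x00constructed-bot-payload",
    "/home/eng/tools/helper.exe": b"MZ\x90\x00unrelated",
}

if __name__ == "__main__":
    for p, a in plan_response(SAMPLE_HITS, build_baseline(GOLDEN_FILES)).items():
        print(f"{a:22} {p}")
```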

“If they had run AV, they would have erased the core files for the SCADA system, destroying its ability to function,” says Mark Fabro, president and chief security scientist of Lofty Perch.

“But we have seen entire catastrophic failures of very, very big SCADA systems.”

One such failure affected a large US critical infrastructure operator within the natural resources sector. Technicians had run an AV scan that quarantined and removed files in the underlying operating system, crippling the SCADA system.

But another operator was luckier. In a previous instance, Fabro had intercepted and physically prevented security technicians from running AV to remove a worm found in machines critical to SCADA systems.

The security team had planned to “parachute in” and deploy AV to kill the infection as part of normal incident response. But in doing so, administrative rights would have been enabled, allowing the malware to propagate throughout operational shares and spread through the critical infrastructure network.

“The only thing that stopped them is that only the master SCADA, and not the secondary systems, was running in administrative mode,” Fabro said.

“We had to physically stop the IT security team from logging in as administrator because the moment they would have done that, the worm would have rushed through the SCADA system and eradicated the functional files.”

The US power plant had averted disaster by not reacting on gut instinct when it received news of the infection from a vendor technician. He discovered the malware on the flight home from the plant when he plugged a USB stick, last used on the SCADA system, into his laptop. His AV flagged an infection.

Fabro was called and, together with a crack flyaway team, flew to the plant. It was their job to establish the extent of the infection, how it got onto the network, and how it could be removed.

“This was a non-trivial task,” Fabro said.

The multi-tiered, high-powered facility could not be taken offline for system imaging during the forensic investigation. The team was further constrained because it had to work around plant operations, engineers and even the weather.

Further, the network was a heterogeneous mix of different vendor systems, some with and some without AV.

The existence of the malware was confirmed in two principal devices at the primary facility, and the team developed a theoretical map of what the malware would likely do and where it would spread.

Over the following month – much of it spent waiting for an opportune time to access the systems – the team used live memory analysis and analysis of rebooted systems to identify infected machines, drew on backups, and recreated the infection process.

The team had tracked the likely origin of infection to four removable drives, including an iPhone, which were plugged into the system at the time it was built. They recovered serial numbers for the suspect USB sticks and even photos left on the system that were owned by the engineers thought responsible.

Like similar infections, the malware was run-of-the-mill and not tailored to take down the SCADA system. It was, as Fabro describes, a “pain in the arse” botnet malware designed for denial of service attacks which, left unchecked, would have disrupted the SCADA systems by draining resources.

For Fabro, the investigation highlighted the importance of tailored incident response for critical infrastructure, the need for synchronised clocks, which are vital in forensic investigation, and the realisation that the operating systems underlying SCADA applications could be vulnerable.

“There are about 250 vulnerabilities in vendor-specific SCADA platforms, but if someone can hack into the underlying Windows or Unix environment using a vulnerability, they can go up into the SCADA system just as if they broke into the system itself.”

Copyright © SC Magazine, Australia

