Everyday Malware Poses a Risk to Critical Infrastructure

Many people believe that only state-sponsored attacks can endanger critical infrastructure. They claim that elaborate malware capable of targeting the inner workings of Industrial Control Systems (ICS) is not the work of simple hackers. This flawed perception completely disregards the fact that ICS can fall victim to the most banal malware – and in fact recent attacks demonstrate this vulnerability.

In April, a German nuclear plant was infected with old malware, including Conficker and W32.Ramnit, which are designed to allow remote control when connected to the internet. It remains unclear whether the plant’s OT system was infected as well. Even if only the IT systems were infected, there is but a thin line separating the critical components from being compromised as well.

The operator at the plant claimed the plant’s operation was not at risk, since it is isolated from the internet. While isolation is important, malware can still cause significant damage even without being connected to the internet. To illustrate, along with the inherent risk of a breach in this incident, 14 USB devices in the plant were infected. If only one of them had found its way into the restricted sections of the network, the plant’s whole operation could have been endangered.

In another case also in April, the Board of Water and Light in Lansing, Michigan, fell victim to a ransomware attack. The utility’s computer system was intentionally shut down to remediate the infection. During this time, the phone lines, including the line used for reporting outages, were disabled. The infection occurred in a very ordinary way: a user who opened a malicious document allowed the ransomware to enter. Even though the attack was not aimed at the utility itself, the malware could have infiltrated the utility’s sensitive network segment through the smallest of cracks. There are types of ransomware that could cause havoc even in an OT system, and the result could have been far worse.

Attacking ICS through the IT network

One of the top three threat vectors to critical infrastructure is an attack on the IT network. A recent report by ICS-CERT indicated that spear phishing is the main ICS attack vector. Whether the initial infection intentionally targets the specific ICS network is irrelevant. The ease with which attackers manage to infect such sensitive organizations is disturbing, to say the least. Ironically, in many cases it is the IT network that has the strongest defenses. If the IT network is so vulnerable, we can only imagine the state of the OT defenses.

Securing critical infrastructure requires a holistic approach: defending every vulnerable link, as well as the connections between them. Protecting critical infrastructure or industrial automation requires a consolidated threat prevention approach, as well as ICS/SCADA protection know-how and capabilities.

Critical infrastructure organizations have large and elaborate IT and OT networks to look after. Given this, they should have a unified management platform, which displays alerts and collects logs in a single control pane. Comprehensive visibility is essential since attacks can spread between the two networks. Often, visibility to only one of them can allow an attack to go undetected. Only a full view of both networks will allow administrators to stay in control and properly protected.
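The value of a single pane over both networks is easiest to see with a concrete correlation. The following Python script is an added example for this post, not Check Point code: it takes a few constructed IT-side and OT-side log lines (the formats, host names such as `ENG-WS-07`, and alert names are all made up for the illustration), and flags a host that raises an endpoint alert on the IT side and then opens a session to a controller on the OT side within a time window. Run against either log set alone, the same logic finds nothing, which is the blind spot the paragraph above describes.

```python
"""Cross-network log correlation: a defender's illustration of why IT and OT
telemetry need to land in one place.  Example code added to this post; the
log formats, host names and alert names below are constructed, not real."""
from datetime import datetime, timedelta
import re

# Constructed sample lines.  One IT-side line: endpoint protection on ENG-WS-07
# sees a malicious document; one OT-side line: the same host later opens a
# Modbus session to a PLC.  The other two lines are unrelated noise.
IT_LOGS = [
    "2016-04-25T09:12:03 IT endpoint host=ENG-WS-07 alert=malicious_document user=jsmith",
    "2016-04-25T09:40:11 IT proxy host=HR-WS-02 alert=blocked_url",
]
OT_LOGS = [
    "2016-04-25T09:31:45 OT historian host=HIST-01 event=poll target=PLC-3",
    "2016-04-25T09:58:20 OT firewall host=ENG-WS-07 event=new_session target=PLC-3 proto=modbus",
]

# <timestamp> <IT|OT> <log source> key=value ...
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<net>IT|OT) (?P<src>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one constructed log line into a dict; return None if it doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["net"] = m.group("net")
    fields["source"] = m.group("src")
    return fields


def correlate(lines, window_minutes=60):
    """Flag hosts that raise an IT-side alert and then show up in OT-side events
    within the window.  Returns a list of (host, it_alert, ot_event) tuples."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    window = timedelta(minutes=window_minutes)
    it_alerts = [e for e in events if e["net"] == "IT" and "alert" in e]
    ot_events = [e for e in events if e["net"] == "OT" and "event" in e]
    findings = []
    for it in it_alerts:
        for ot in ot_events:
            # Same host, and the OT activity follows the IT alert within the window.
            if it["host"] == ot["host"] and timedelta(0) <= ot["ts"] - it["ts"] <= window:
                findings.append((it["host"], it["alert"], ot["event"]))
    return findings


if __name__ == "__main__":
    print("IT only :", correlate(IT_LOGS))              # [] - nothing to compare against
    print("OT only :", correlate(OT_LOGS))              # [] - the PLC session looks routine
    print("Combined:", correlate(IT_LOGS + OT_LOGS))    # the ENG-WS-07 chain is visible
```

The interesting design point is not the matching itself but the join key: the host name has to mean the same thing in both feeds, so the unified platform's first job is normalising identifiers (host names, addresses, user accounts) before any cross-network rule can fire. Without that, two perfectly good monitoring systems still leave the attack invisible.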

In most of the published attacks deliberately targeting ICS, the malware began by attacking the IT side of the network. ICS-focused protection alone will not be able to prevent these types of attacks. In the best of cases it will only detect or alert about them. We at Check Point believe prevention, and not detection, is key. This is particularly important when protecting such sensitive assets.

To learn more about Check Point’s products for critical infrastructure, click here.