A few days ago the State Department made public in a report that multiple power plants in the United States were affected by USB-based malware in early October 2012. One of the plants reported a virus infection in a turbine control system. The system was infected when a technician updated software from a USB flash drive that carried malware, which then spread to at least 10 more computers. The entire power plant was taken offline for three weeks.
The second power plant's computers were discovered to be infected after an employee asked IT staff to check his system, having experienced issues with the USB port that was routinely used for backing up control system configurations. The IT administrator ran an antivirus update, which revealed "known sophisticated malware". Further investigation found the malware on two workstations that were critical to the operation of the control environment. In addition, the systems in this case had no backups, so wiping them would have impaired operation of the plant.
Several years ago I spent a lot of time researching and working with USB-based malware. I had built a website, USBHacks.com (now offline), that focused on the tools, mitigation strategies and general information regarding USB-based malware. Several tools were made available to highlight the damage that could be done with a simple flash drive, from infecting a network and installing backdoors to stealing data. The site ended up being quite popular and I received some interesting inquiries and information from both sides of the law.
What is amazing is that even today, with more awareness and Microsoft finally removing autorun functionality, flash drives continue to be a key mechanism through which malware spreads to systems. Even within highly secured environments, including Air Force drone control systems, the International Space Station, and now, as we have seen, systems controlling critical infrastructure (i.e. Stuxnet), flash drives continue to be a thorn in our side.
Why are flash drives still a problem?
Convenience: Many organizations have policies regarding the use of removable media devices in their environments. However, these policies can prove inconvenient and hinder productivity, making them difficult to enforce. In the case of the Air Force drone control systems being compromised, flash drives are against policy, but the policy was apparently waived in this case, as maps and other data had to be loaded across systems that were not networked. Industrial control systems are usually not connected to an outside network, so a flash drive is used to update software. In the case of the International Space Station incident in 2008, it is believed the infection came from a personal flash drive belonging to one of the ISS residents.
Weak Internal Policies & Controls: Another key factor is that, as a general rule, internal systems are not secured as tightly as external-facing systems, usually due to budget issues and more relaxed policies accepted as a trade-off for increased productivity. It becomes a question of risk vs. cost, and as a result internal security configurations and policies are more lax. This makes it easier to attack a network from the inside than from the outside: once an attacker has a foot in the door, it is simply a matter of covering their tracks.
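A removable-media policy that exists on paper but is never checked on the workstations that matter is exactly the gap both incidents above illustrate. The following PowerShell audit is an added example, not code from the original post: it reads the documented Group Policy registry locations for AutoRun and removable-storage restrictions and reports which controls are actually in force on a host. The expected values are this example's assumed hardened baseline; where software updates legitimately arrive by USB, as at the plants described, Deny_Write and Deny_Execute are the settings a site would most likely relax, and the audit makes that decision visible rather than implicit.

```powershell
# Added example (not from the original post): audit removable-media controls on a Windows host.
# Registry paths are the documented Group Policy targets; expected values are an assumed baseline.
$explorer       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$rsd            = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDisks = "$rsd\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"   # "Removable Disks" device class

$checks = @(
    @{ Control = 'AutoRun disabled on every drive type';  Path = $explorer;       Name = 'NoDriveTypeAutoRun'; Expected = 0xFF }
    @{ Control = 'autorun.inf commands never executed';   Path = $explorer;       Name = 'NoAutorun';          Expected = 1 }
    @{ Control = 'Removable disks: deny execute access';  Path = $removableDisks; Name = 'Deny_Execute';       Expected = 1 }
    @{ Control = 'Removable disks: deny write access';    Path = $removableDisks; Name = 'Deny_Write';         Expected = 1 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy was never configured, which is the
    # common finding on internal hosts; report it as $null instead of throwing.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-RemovableMediaPolicy {
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Control  = $c.Control
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'GAP' }
        }
    }
}

$results = Test-RemovableMediaPolicy
$results | Format-Table -AutoSize

# A non-zero exit lets a scheduled task or configuration-management run flag policy drift.
if ($results.Status -contains 'GAP') { exit 1 }
```

Run it under an account that can read HKLM on each control-system workstation; a row marked GAP with Actual 'not set' is the "policy never reached this host" case rather than a deliberately relaxed setting.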