Thousands of ICS Infections Each Year, But No Need to Panic

At least 3000 industrial sites each year are infected with traditional malware such as viruses and Trojans, although targeted intrusions against Industrial Control Systems (ICS) are much less common, according to new research from Dragos.

The security vendor sought to cut through the hype surrounding industrial control attacks by analyzing thousands of malware samples associated with ICS environments, drawn from public data sources including VirusTotal.

It found that indiscriminate viruses like Sivis, Ramnit, and Virut, as well as other non-targeted malware, affect at least 3000 unique industrial sites each year – although the impact can usually be contained with best practice security.

“We do not need news stories because one nuclear facility was infected with Ramnit. It happens a lot,” argued Dragos CEO Robert Lee.

“It doesn’t mean that safety is ever compromised or that the sky is falling but asset owners and operators can be assured that simple best practices such as network security monitoring will absolutely contribute to better reliability in their ICS.”

The vendor’s researchers found no more than a dozen targeted ICS malware intrusions, among them one piece of unnamed “crimeware” that has been masquerading as Siemens PLC software for four years, at sites around the world.

Even here, Lee claimed “there’s no reason for alarm or hype”.

“These types of cases are actually not that unique; and this is again what this research is about: highlighting that the threats are real, but not life changing, and should be taken seriously with a sound approach to the priorities in industrial environments,” he explained.

“As an example, simple supply chain awareness of software would eliminate this attack vector. Identify the digital hash of the software from the vendor, download the software, and check the hash against the known-good before installing it in the industrial environment.”
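The check Lee describes, in working form. This is an added example and not code from the article or from Dragos: it assumes the vendor publishes checksums in the common `sha256sum` layout (`<hex digest>  <filename>`, one per line), and the installer bytes, file name and checksum file used in `demo()` are constructed here so the script runs offline.

```python
"""Verify a downloaded installer against a vendor-published SHA-256 digest
before it is carried into the industrial network.

Added example; assumes the vendor ships a sha256sum-style checksum file.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream large installers instead of reading them whole


def sha256_file(path):
    """Hex SHA-256 of a file, computed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_known_good(text):
    """Parse '<hex>  <filename>' lines (sha256sum format) into {filename: digest}.
    Rejects anything that is not a 64-hex-character digest so a truncated or
    edited checksum file cannot silently pass."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode marker
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        known[name] = digest
    return known


def verify(path, known):
    """Return (ok, reason). Unknown file names fail closed; digests are compared
    in constant time so the comparison itself leaks nothing."""
    name = Path(path).name
    expected = known.get(name)
    if expected is None:
        return False, f"no known-good hash published for {name!r}"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"hash mismatch for {name!r}: expected {expected}, got {actual}"
    return True, "ok"


def demo():
    """Constructed scenario: a pristine download passes, a one-byte edit fails."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "plc_engineering_setup.exe"   # constructed name
        installer.write_bytes(b"MZ" + b"\x00" * 4096)          # constructed bytes
        checksums = f"{sha256_file(installer)}  plc_engineering_setup.exe\n"
        known = parse_known_good(checksums)                    # stands in for the vendor file
        untampered, _ = verify(installer, known)
        installer.write_bytes(b"MZ" + b"\x00" * 4095 + b"\x01")  # simulate a swapped binary
        tampered, _ = verify(installer, known)
        return {"untampered": untampered, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. The known-good digest has to come from a channel the attacker cannot also control (the vendor's portal over TLS, or a signed release note), not from the same mirror the installer came from; otherwise whoever swapped the binary can swap the checksum file too. And a matching hash only proves the file is the one the vendor published: it does not help if the vendor's own build was compromised, which is why the check belongs alongside, not instead of, network monitoring.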

Perhaps more worrying was the discovery that many legitimate files in ICS environments are being flagged as malicious and uploaded to public databases, potentially benefitting black hats looking to gather intelligence ahead of an attack.

The Dragos team found human machine interface installers, data historian installers, and key generators for ICS software, as well as Nuclear Regulatory Commission reports, substation layouts and maintenance reports all publicly available.

Lee urged firms to pay more attention to what is being submitted to VirusTotal and similar databases, and to proactively search such repositories for their own files and information.
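One way to do that proactive search without making the problem worse: look the files up by hash rather than uploading them, since an upload would itself publish the file to every subscriber of the service. This is an added example, not code from the article or from Dragos. It uses the public VirusTotal API v3 file endpoint (`GET /api/v3/files/<hash>` authenticated with an `x-apikey` header, 404 when the hash is unknown) as documented by VirusTotal; the response fields read here (`names`, `first_submission_date`, `last_analysis_stats`) are from that documentation. The network call is injectable, and the hashes, file descriptions and API responses in `demo()` are constructed so the script runs offline.

```python
"""Find which of your own ICS files are already sitting on VirusTotal,
by hash lookup only (never by upload).

Added example; API shape per VirusTotal API v3 public documentation.
"""
import json
import urllib.request
from urllib.error import HTTPError

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # accepts MD5/SHA-1/SHA-256


def vt_lookup(file_hash, api_key, opener=urllib.request.urlopen):
    """Return what VT knows about a hash, or present=False if it was never submitted.
    `opener` is injectable so the logic can be exercised offline."""
    req = urllib.request.Request(VT_FILE_URL.format(file_hash),
                                 headers={"x-apikey": api_key})
    try:
        with opener(req) as resp:
            body = json.load(resp)
    except HTTPError as err:
        if err.code == 404:            # unknown hash: the file has not been uploaded
            return {"hash": file_hash, "present": False}
        raise                          # 401 (bad key), 429 (rate limit) are real errors
    attrs = body["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    return {
        "hash": file_hash,
        "present": True,
        "names": attrs.get("names", []),                    # names it was uploaded under
        "first_seen": attrs.get("first_submission_date"),   # Unix timestamp
        "flagged": stats.get("malicious", 0) + stats.get("suspicious", 0),
    }


def audit(inventory, api_key, opener=urllib.request.urlopen):
    """inventory: {sha256: local description}. Returns the entries already on VT."""
    exposed = []
    for digest, description in inventory.items():
        result = vt_lookup(digest, api_key, opener)
        if result["present"]:
            result["local_description"] = description
            exposed.append(result)
    return exposed


# ---- constructed stand-in for the network, so the example runs as-is ----------
class _FakeResponse:
    def __init__(self, payload):
        self._data = json.dumps(payload).encode()

    def read(self):
        return self._data

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


_CONSTRUCTED_VT = {   # one hash "already on VT", flagged by three engines
    "a" * 64: {"data": {"attributes": {
        "names": ["HMI_Setup.exe", "setup.exe"],
        "first_submission_date": 1480000000,
        "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 50}}}},
}


def fake_opener(req):
    digest = req.full_url.rsplit("/", 1)[1]
    if digest in _CONSTRUCTED_VT:
        return _FakeResponse(_CONSTRUCTED_VT[digest])
    raise HTTPError(req.full_url, 404, "Not Found", {}, None)


def demo():
    inventory = {                       # constructed: hashes of files on your engineering share
        "a" * 64: "HMI installer, engineering share",
        "b" * 64: "historian installer, engineering share",
    }
    return audit(inventory, "dummy-key", opener=fake_opener)


if __name__ == "__main__":
    for hit in demo():
        print(hit["local_description"], "->", hit["names"], "flagged by", hit["flagged"])
```

Feed `audit()` the digests of the installers, engineering project files and reports you would not want an adversary to have; a hit tells you the file is public, under what names it was uploaded, and since when, which is the starting point for finding the host or the antivirus policy that uploaded it. Against the live service, replace `fake_opener` with the default `urllib.request.urlopen`, use a real key, and throttle the loop: the public API is rate-limited.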
