
Malicious virus shuttered power plant: US Government


Jim Finkle


The energy sector accounted for 41 per cent of total number of cyber incidents in the US 2012. Photo: Peter Andrews / Reuters

A computer virus attacked a turbine control system at a US power company when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant off line for three weeks, according to a report posted on a US government website.

The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.

It was introduced by an employee of a third-party contractor that does business with the utility, according to the agency.

DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure.

In addition to not identifying the plants, a DHS spokesman declined to say where they are located.

Interest in the area has surged since 2010 when the Stuxnet computer virus was used to attack Iran's nuclear program. Although the United States and Israel were widely believed to be behind Stuxnet, experts believe that hackers may be copying the technology to develop their own viruses.

Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive. Attackers use that technique to place malicious software on computer systems that are "air gapped," or cut off from the public Internet.

"This is yet another stark reminder that even if a true 'air gap' is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur," he said.

Aging Systems 

Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have "auto run" features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB is plugged into the system unless operators change that setting, Clarke said.

The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which helps protect critical US infrastructure, described the incident in a quarterly newsletter that was accessed via its website on Wednesday.

The report from ICS-CERT described a second incident in which it said it had recently sent technicians to clean up computers infected by common as well as "sophisticated" viruses on workstations that were critical to the operations of a power generation facility.

The report did not say who the agency believed was behind the sophisticated virus or if it was capable of sabotage. DHS uses the term "sophisticated" to describe a wide variety of malicious software that is designed to do things besides commit routine cyber crimes. They include viruses capable of espionage and sabotage.

A DHS spokesman could not immediately be reached to comment on the report.

The Department of Homeland Security almost never identifies critical infrastructure operators that are hit by viruses, or even their locations, but it does provide statistics.

It said ICS-CERT responded to 198 cyber incidents reported by energy companies, public water districts and other infrastructure facilities in the fiscal year ending September 30, 2012.

Attacks against the energy sector represented 41 per cent of the total number of incidents in the US in fiscal 2012. According to the report, ICS-CERT helped 23 oil and natural gas sector organisations after they were hit by a targeted spear-phishing campaign - when emails with malicious content are specifically targeted at their employees.

The water sector had the second highest number of incidents, representing 15 per cent.


6 comments so far

  • I work in this industry and am involved in the day-to-day operation of such equipment including the maintenance of the control systems.

    A stand alone power station (such as Loy Yang, Yallourn and Hazelwood) which has its control system networked, (a system commonly called a Distributed Control System or DCS) would be highly negligent if it was connected to the internet, didn't have adequate virus protection and human security systems set up (such as the prevention of thumbdrives and the like being connected to such a network).

    It's a worry that the overall electrical system could have an internet based network because if a hacker was able to connect to it, that person could then start opening off circuit breakers, operating remote operated isolators at full load (which could cause a lot of damage locally) and so on.

    And then there are the remote operated stations such as wind farms and gas turbine peaking plant which require some sort of wide area networking in order to be remotely operated which could be at risk.

    Such activities could destabilise the system which could lead to what we call a "System Black".

    And before power could be restored or the system re-established the operators such as SP Ausnet, AEMO and VENcorp could need to hunt down, isolate and eradicate the source of the infection.

    Date and time
    January 17, 2013, 11:06AM
    • I agree, the lapses in security described above (the use of Windows and the contractor inserting "an infected USB computer drive into the network") are literally unbelievable. We are not being told the whole story here.

      Date and time
      January 18, 2013, 6:08AM
  • Clarke's statement about the designs of WinXP and Win2000 being old implies that they are weak because they are old, which isn't quite fair on the software engineering profession. The design for UNIX (and subsequent derivatives such as Linux) for example, is over 40 years old, and is very stable and secure, because UNIX in its various forms has been maintained and developed since that time. Perhaps the power company made a poor decision when it chose vulnerable software as its operating system.

    Date and time
    January 17, 2013, 5:47PM
    • Having degrees in business admin and a masters in IT, I am continually astounded that people use Microsoft Windows for mission critical systems; it should be illegal. Windows was never even designed to be an operating system, it is a collection of upgrades, patches and hacks which you will never find running an operating theatre, space station, satellite, weapons platform, phone network etc, however all it takes is one cretin to deploy it for anything other than word processing and this is the result. Eventually we will have enforceable standards and laws to keep Windows where it belongs... which in itself is a question with iPads and Google Docs now almost ubiquitous.

      Date and time
      January 17, 2013, 6:58PM
      • FrankM and Edward - I agree and I struggle to believe that anyone would use MS Windows in mission-critical applications. FrankM I disagree about one thing: Is Windows now secure enough for word processing?

        Date and time
        January 18, 2013, 9:37AM
    • It's misleading stating the fault lies with Windows XP and Windows 2000. USB device lock down, port lock down, and the common practice of Network administrator only to have Command rights to networks (allows .exes to run) is common practice. XP etc is easily capable of this, albeit sometimes with cheaply available third party software.
      It's not the OS. It's with the common trend I see all the time of poor security practices, no training of staff and employing numpty administrators who don't know or don't care about security.
      So look to the managers and their budgets. IT and ICT security are usually the first to suffer in budget cuts, way before they will cut that office renovation or the new coffee machines.
      You reap what you sow.

      Date and time
      January 17, 2013, 11:37PM
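Both Clarke's point in the article (AutoRun enabled by default on older Windows, so code on a USB stick launches as soon as it is plugged in) and the commenter's point just above (USB device lock down is a plain configuration task on XP) come down to a handful of registry values. The following PowerShell script is an added example written for this page, not code from the article, ICS-CERT or any commenter; it is a read-only audit of those values on a Windows host. It assumes the standard Explorer policy key and the USBSTOR service key; the constructed findings text and the helper name Get-RegValue are mine.

```powershell
# Added example: audit whether removable media can auto-launch code and whether
# USB mass storage mounts at all. Read-only; it reports and changes nothing.
# Run in an elevated PowerShell so both HKLM keys are readable.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Hypothetical helper: returns the value, or $null when it is absent
# (absent means the OS default applies, which is the dangerous case here).
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled.
# Bit 0x04 is "removable" (USB sticks); 0xFF disables AutoRun for every type.
$noDriveType = Get-RegValue $explorerPolicy 'NoDriveTypeAutoRun'
if ($null -eq $noDriveType) {
    $findings += 'NoDriveTypeAutoRun not set: AutoRun follows the OS default (enabled on XP/2000).'
} elseif (($noDriveType -band 0x04) -eq 0) {
    $findings += ('NoDriveTypeAutoRun=0x{0:X2} still allows AutoRun on removable drives.' -f $noDriveType)
}

# On XP/2003 the policy above was only honoured for removable drives after the
# AutoRun fix (Microsoft KB967715), which expects HonorAutorunSetting = 1.
$honor = Get-RegValue $explorerPolicy 'HonorAutorunSetting'
if ($honor -ne 1) {
    $findings += 'HonorAutorunSetting is not 1: on XP/2003 the AutoRun policy may be ignored.'
}

# Start=4 marks a service as disabled. With USBSTOR disabled, USB mass-storage
# devices never mount, which is the "USB device lock down" the commenter means.
$start = Get-RegValue $usbstorService 'Start'
if ($start -ne 4) {
    $findings += "USBSTOR service Start=$start (4 = disabled): USB storage devices will mount."
}

if ($findings.Count -eq 0) {
    'OK: AutoRun disabled for removable drives and USB mass storage blocked.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The same three values can be set by Group Policy on domain-joined hosts; the script only reports so it can be run safely on a production HMI or engineering workstation during an assessment. Note that the per-user key under HKCU:\...\Policies\Explorer can also carry NoDriveTypeAutoRun, and the machine-wide value takes precedence, so a clean HKLM result is the one that matters.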
