Is Malware hiding in your ICS Network?

Most industrial organizations still consider their ICS networks to be safe from the common cyber threats that mainly target IT networks. However, two recent cryptocurrency mining incidents demonstrate that ICS networks are not "sterile" of unwanted software.

Moreover, the fact that these cyber incidents took place at critical infrastructure facilities in Europe and Russia shatters the myth that ICS/OT networks (as opposed to their IT counterparts) are "air-gapped" and that the Windows machines and other devices in those networks are shielded from malware and other cyber threats.

Two Cryptocurrency Mining Incidents in a Nutshell

Cryptocurrency Mining Malware Discovered at European Water Utility

The first incident involved the discovery of cryptocurrency mining malware in the network of a water utility provider in Europe. Based on reports, this attack is the first public discovery of an unauthorized cryptocurrency miner impacting ICS or SCADA servers.

The malware found on the utility's server was mining Monero cryptocurrency. The investigation indicates that the mining malware was most likely downloaded from a malicious advertising website. This suggests that an operator at the water utility was able to browse the internet, reach a risky website and click on a link that triggered the installation of mining code on the system.

The system initially infected by the malware was the Human Machine Interface (HMI) for the SCADA network. The HMI was running Microsoft Windows XP, an operating system that reached end of life in April 2014 and was therefore no longer receiving patches. It is worth noting that outdated and unpatched operating systems are common in SCADA environments, where OS updates and patching are often avoided because of operational stability concerns.

The main impact of Bitcoin mining schemes, which consume substantial computing resources, is degradation of system performance. An additional risk is that malware could spread from the initial point of infection to other systems on the ICS network and consume additional resources.

Malicious Insiders Abuse Supercomputer in Nuclear Facility

The second report came out of Russia, where several scientists working at a top-secret Russian nuclear warhead facility were arrested in early February for allegedly mining cryptocurrencies. According to reports, these trusted insiders tried to use one of Russia's most powerful supercomputers to mine Bitcoins, a process that requires huge computational and energy resources. This was detected only when the scientists attempted to connect the supercomputer to the internet, which raised an alert at the nuclear center's security department. The security policy prohibited such an internet connection in order to eliminate the risk of intrusion.
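The control that surfaced the second incident was a policy rule: an isolated system must not reach the internet, and an attempt to do so raises an alert. The same rule can be checked continuously against flow records exported from an OT segment. The script below is an added example, not code from the original post or from Indegy; the OT subnet, the allowed destinations, the log line format and the sample lines are all constructed for illustration.

```python
"""
Egress-policy check for an isolated OT segment.

Added example (not code from the original post or from Indegy): given flow
records exported by a firewall or a network sensor, flag any connection that
a host in the OT segment initiates to a destination outside the segments the
policy allows. The subnets, log format and sample lines are constructed.
"""
import ipaddress
import re

# Constructed policy: the OT segment and the only destinations it may reach.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.20.0.0/16"),   # OT itself (HMI <-> PLC traffic)
    ipaddress.ip_network("10.30.5.0/24"),   # historian / DMZ relay, the only permitted way out
]

# Constructed log line format: "<ts> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line):
    """Return a dict for one flow record, or None if the line does not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": m.group("ts"),
            "src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst")),
            "dport": int(m.group("dport")),
            "proto": m.group("proto").lower(),
        }
    except ValueError:
        return None  # unparsable address: skip the line rather than abort the whole run


def is_policy_violation(rec):
    """True when an OT host initiates a flow to a destination the policy does not allow."""
    if rec["src"] not in OT_SEGMENT:
        return False  # only flows originating inside the OT segment are in scope here
    return not any(rec["dst"] in net for net in ALLOWED_DESTINATIONS)


def find_egress_violations(lines):
    """Run the check over an iterable of log lines; return the offending records."""
    violations = []
    for line in lines:
        rec = parse_flow(line)
        if rec is not None and is_policy_violation(rec):
            violations.append(rec)
    return violations


# Constructed sample: routine OT traffic plus one HMI reaching an internet address.
SAMPLE_FLOWS = [
    "2018-02-12T08:00:01Z src=10.20.1.10 dst=10.20.2.5 dport=502 proto=tcp",     # HMI -> PLC, Modbus/TCP
    "2018-02-12T08:00:03Z src=10.20.1.10 dst=10.30.5.20 dport=1433 proto=tcp",   # HMI -> historian relay
    "2018-02-12T08:00:09Z src=10.20.1.10 dst=203.0.113.45 dport=443 proto=tcp",  # HMI -> internet (TEST-NET-3 address)
    "2018-02-12T08:00:10Z src=10.30.5.20 dst=203.0.113.45 dport=443 proto=tcp",  # DMZ host, outside this check's scope
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for v in find_egress_violations(SAMPLE_FLOWS):
        print(f"ALERT {v['ts']}: OT host {v['src']} -> {v['dst']}:{v['dport']}/{v['proto']} violates egress policy")
```

The check is scoped to flows whose source lies inside the OT segment, so traffic leaving the DMZ relay is left to the DMZ's own policy; lines that do not parse are skipped rather than stopping the run, so one malformed export record cannot silence the alert.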


Security Implications for Industrial Organizations

1. Industrial control networks are reachable

Ten years ago, the air-gap sounded like a foolproof strategy: create a physical gap between the ICS network and the rest of the world so there is no way for cyber threats to infiltrate. 

This strategy is no longer relevant. Industrial organizations have adopted new connected technologies, like IIoT (Industrial IoT) devices, to enable predictive maintenance and increase manufacturing efficiency. These technologies are blurring the lines between IT and OT networks, while increasing the exposure of ICS networks to cyber attacks.

Moreover, even if you manage to completely isolate the ICS network, there are still threats from within. These types of threats range from malicious insiders, as in the Russian incident, to a careless employee connecting a malware-infected mobile device or USB drive to a Windows machine.

The “general purpose” (not ICS-specific) malware discovered in the water utility's network demonstrates, yet again, that ICS networks are easily reachable. Gone are the days when a state-sponsored campaign (e.g., Stuxnet) is needed to compromise industrial networks.

2. Industrial control networks are not governed well enough

Given the risks involved, one would imagine that industrial control networks would be well-governed and "sterile" of unwanted software. On the ground, however, Indegy often encounters situations in which this assumption couldn't be further from the truth.

To improve network hygiene, industrial organizations should conduct periodic vulnerability assessments, apply patches, and keep an inventory of the software installed on their Windows machines.

3. Due to lack of protective measures, industrial networks are at imminent risk

While patching Windows-based machines is a standard best practice in the IT world, that isn't always the case when it comes to ICS. Operator workstations may be involved in continuous processes that can't be interrupted. Take for example oil and gas companies – it's not easy to shut down a pipeline or turbines in order to patch supporting systems. System stability and safety are also major concerns. 

The inherent security risk is that unpatched operator and engineering workstations running on Windows platforms will be exploited by malware. Compromised workstations could then be used to send malicious instructions to controllers, disrupt production operations, and limit visibility into the process.

That said, when it comes to compromising an ICS network, hacking the Windows machines is actually more difficult than gaining access to the controllers, which are not typically protected with authentication, encryption, authorization, or other standard security mechanisms. For that reason, we believe that ICS-specific threats, such as the Triton malware, will become more common going forward.

The Need for Better Visibility and Control

In order to protect their ICS networks against sophisticated cyber attacks and to ensure that unwanted software doesn't find its way into Windows machines, critical infrastructure and industrial organizations require better visibility into their asset inventory.

To build an effective security strategy, you need to know the manufacturers, models, firmware versions, latest patches and current configuration for each and every asset in your network. This includes the automation controllers (PLCs, RTUs, or DCS controllers) responsible for managing the physical processes, as well as Windows servers used by operators. A comprehensive asset inventory based on automatic asset discovery is crucial for identifying the vulnerabilities that might put an asset at risk and installing the required security updates.
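Reviewing such an inventory against a few baselines is where the conditions described above (and the software inventories of Windows machines recommended earlier) become concrete: an operator workstation still on an end-of-life OS, a controller on firmware older than the approved version, a host whose patches are stale, and software on a Windows machine that nobody approved, which is how a miner like the one at the water utility would surface. The script below is an added example, not code from the original post or from Indegy's product; the inventory records, vendor and model names, firmware baselines, approved-software list, patch-age threshold and review date are constructed, while the Windows XP and Windows 7 end-of-life dates are the published ones.

```python
"""
Asset-inventory review for an ICS network.

Added example (not code from the original post or from Indegy): takes an
inventory of controllers and Windows hosts, of the kind automatic asset
discovery produces, and flags an operating system past end of life, firmware
below the approved version for that model, stale patching, and software on a
Windows machine that is not on the approved list. Inventory records, vendor
names, baselines, threshold and dates are constructed.
"""
from datetime import date

# Published end-of-support dates for the desktop Windows releases in the sample.
OS_END_OF_LIFE = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Constructed baseline: minimum approved firmware per (manufacturer, model).
MIN_FIRMWARE = {
    ("ExampleVendor", "PLC-1000"): (2, 5, 0),
    ("ExampleVendor", "RTU-200"): (1, 3, 2),
}

# Constructed allow-list of software permitted on operator/engineering workstations.
APPROVED_SOFTWARE = {"SCADA HMI Runtime", "Engineering Workstation Suite", "Endpoint Agent"}

PATCH_MAX_AGE_DAYS = 90  # constructed policy threshold for still-supported Windows hosts

SEVERITY_RANK = {"high": 0, "medium": 1}


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); tuple comparison orders 2.10.0 after 2.9.9, string comparison would not."""
    return tuple(int(part) for part in text.split("."))


def review_asset(asset, today):
    """Return a list of (severity, message) findings for one inventory record."""
    findings = []
    name = asset["name"]

    if asset["type"] == "windows_host":
        eol = OS_END_OF_LIFE.get(asset["os"])
        if eol is not None and today > eol:
            findings.append(("high", f"{name}: {asset['os']} reached end of life on {eol}; no vendor patches available"))
        elif (today - asset["last_patch"]).days > PATCH_MAX_AGE_DAYS:
            findings.append(("medium", f"{name}: last patched {asset['last_patch']}, older than {PATCH_MAX_AGE_DAYS} days"))
        for software in asset.get("software", []):
            if software not in APPROVED_SOFTWARE:
                findings.append(("high", f"{name}: unapproved software installed: {software}"))

    elif asset["type"] == "controller":
        key = (asset["manufacturer"], asset["model"])
        minimum = MIN_FIRMWARE.get(key)
        if minimum is None:
            findings.append(("medium", f"{name}: no firmware baseline defined for {key[0]} {key[1]}"))
        elif parse_version(asset["firmware"]) < minimum:
            wanted = ".".join(str(p) for p in minimum)
            findings.append(("high", f"{name}: firmware {asset['firmware']} is below approved minimum {wanted}"))

    return findings


def review_inventory(inventory, today):
    """Review every asset; return all findings, highest severity first (stable within a severity)."""
    findings = [f for asset in inventory for f in review_asset(asset, today)]
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


# Constructed inventory, as automatic discovery might report it.
SAMPLE_INVENTORY = [
    {"name": "HMI-01", "type": "windows_host", "os": "Windows XP", "last_patch": date(2014, 3, 1),
     "software": ["SCADA HMI Runtime", "Unlisted Background Service"]},
    {"name": "ENG-01", "type": "windows_host", "os": "Windows 7", "last_patch": date(2018, 1, 10),
     "software": ["Engineering Workstation Suite", "Endpoint Agent"]},
    {"name": "PLC-A", "type": "controller", "manufacturer": "ExampleVendor", "model": "PLC-1000", "firmware": "2.4.1"},
    {"name": "RTU-B", "type": "controller", "manufacturer": "ExampleVendor", "model": "RTU-200", "firmware": "1.10.0"},
    {"name": "DCS-C", "type": "controller", "manufacturer": "OtherVendor", "model": "DCS-9", "firmware": "3.0"},
]
REVIEW_DATE = date(2018, 2, 15)  # constructed review date

if __name__ == "__main__":
    for severity, message in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE):
        print(f"[{severity.upper()}] {message}")
```

A controller with no baseline is reported rather than silently passed, since an asset nobody has a baseline for is exactly the kind of gap automatic discovery is meant to expose; firmware strings are compared as numeric tuples so that a 1.10 release is not judged older than 1.3.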

By combining automated asset discovery with proactive detection and analytics tools, industrial organizations can protect their ICS networks from external and internal cyber threats.