Malicious virus shuttered U.S. power plant, says Department of Homeland Security

“A computer virus attacked a turbine control system at a U.S. power company last fall when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant off line for three weeks, according to a report posted on a U.S. government website,” Jim Finkle reports for Reuters. “The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.”

“DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure,” Finkle reports. “In addition to not identifying the plants, a DHS spokesman declined to say where they are located.”

Finkle reports, “Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have ‘auto run’ features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB is plugged into the system unless operators change that setting, Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, said.”

Read more in the full article here.

[Thanks to MacDailyNews Reader “Blackwolf” for the heads up.]

Related articles:
The Microsoft Tax: Malicious worm on Skype lets hackers hold Windows PCs for ransom; Macintosh unaffected – October 10, 2012
The Microsoft Tax: Critical Windows flaw affects millions of high-value PCs with self-replicating attacks – March 13, 2012
The Microsoft Tax: Virus infects Windows PC control systems of US Predator and Reaper drones – October 8, 2011
The Microsoft Tax: ‘Indestructible’ botnet attacks millions of Windows PCs; Macintosh unaffected – July 1, 2011
The Microsoft tax: Stuxnet computer worm infects Microsoft’s porous Windows OS; Mac unaffected – September 27, 2010
The Microsoft Tax: New undetectable Windows trojan empties bank accounts worldwide; Mac unaffected – August 11, 2010
The Microsoft Tax: Windows zero-day flaw exposes users to code execution attack; Mac unaffected – August 09, 2010
The Microsoft Tax: Critical flaw lets hackers take remote control of Windows PCs; Mac unaffected – August 07, 2010
The Microsoft Tax: New attack bypasses every Windows XP security product tested; Mac unaffected – May 11, 2010
The Microsoft Tax: McAfee correctly identifies Windows as malware; Macintosh unaffected – April 21, 2010
The Microsoft Tax: DNS Windows PC Trojan poses as iPhone unlock utility; Mac and iPhone unaffected – April 15, 2010
The Microsoft Tax: 1-in-10 Windows PCs still vulnerable to Conficker worm; Macintosh unaffected – April 08, 2010
The Microsoft Tax: 74,000 Windows PCs in 2,500 companies attacked globally; Mac users unaffected – February 18, 2010
The Microsoft Tax: Widespread attacks exploit Internet Explorer flaw; Macintosh unaffected – January 22, 2010
The Microsoft Tax: Windows 7 zero-day flaw enables attackers to cripple PCs; Macintosh unaffected – November 16, 2009
The Microsoft Tax: Windows 7 flaw allows attackers to remotely crash PCs; Macintosh unaffected – November 12, 2009
The Microsoft Tax: Windows virus delivers child porn to PCs, users go to jail; Mac users unaffected – November 09, 2009
The Microsoft Tax: Worms infest Windows PCs worldwide; Mac users unaffected – November 02, 2009
The Microsoft Tax: Banking Trojan horse steals money from Windows sufferers; Mac users unaffected – September 30, 2009
The Microsoft Tax: Serious Windows security flaw lets hackers to take over PCs; Macintosh unaffected – July 07, 2009
The Microsoft Tax: Windows Conficker worm hits hospital devices; Macintosh unaffected – April 29, 2009
The Microsoft Tax: Conficker virus begins to attack Windows PCs; Macintosh unaffected – April 27, 2009
The Microsoft Tax: Conficker’s estimated economic cost: $9.1 billion – April 24, 2009


      1. I still remember the dismay that went through the security community almost ten years ago after the new Department of Homeland Security announced they would be standardizing on WIndows.

        Some folks never learn. Just a few weeks ago a contract was awarded by the Defense Department for a whole slew of new Windows PCs.

  1. Of course this is completely unrelated to US efforts such as Flame or Stuxnet designed to sabotage control systems…

    The US government secures “back doors” that are inherently insecure. If they can be used by us, they can be used by “them”.

    Live by the sword, die by the sword.

    1. People unfamiliar with power plant operation might think it’s amazing that plants are connected to the internet. However, distributed control systems like WDPF and INFI90 use internal and external TCP/IP connections to exchange necessary information with other systems. Environmental control systems like stack monitoring systems are accessed remotely by the EPA. Current weather information is critical to plant operation. Many systems use the internet to transport operating and usage data from remote locations and gather it in local databases. Modern power production and delivery is highly dependent on instantaneous data reporting. Unfortunately, many of these systems still rely on Windows, although the trend is to move to Linux and Unix. These systems demand utter reliability, which means many of them are still limping along on XP due to the unreliability of newer Windows versions. Distributed control systems software is proprietary software. This means that often existing Windows systems cannot be patched because the Windows patches have not yet been tested and certified by the vendor with the vendor software. In such cases security vulnerabilities are tolerated rather than shut the systems down. The short-sightedness of utility companies in adopting systems built around Windows servers cannot be over-estimated.

  2. Three weeks! Imagine the MS help desk calls throughout that time: “My PC’s screen went dark. How do I turn up the brightness?” … “No, I can’t reach the computer from my corded phone.” … “Sorry, I can’t use the cordless phone because the power is out!”

  3. It is a catch-22 situation for Microsoft. Any advancement in their OS has always been shackled to the requirements by large enterprise clients for legacy support. Vista had continued to support DOS (in fact, I hear you can even run DOS software in Windows 7!). Anything and everything that was ever written for Windows 95 (OS that came out 18 years ago!!) is also compatible with Win 7. This is precisely what prevents MS from making their OS secure — the big enterprise needs for support of twenty years old code.

    Most recent Macs can no longer even run software written for PPC (which was discontinued in 2006). Soon enough, even 32-bit code for Intel Macs won’t be supported anymore. Apple moves rapidly and leaves behind everyone who refuses to move forward. That is the only way you can deliver secure system.

    1. It’s worse than that. Utility company applications involve processing amounts of real time data that make operating such systems the equivalent of drinking from a fire hose. Utilities cannot stored generated power. All demand for power must be responded to in milliseconds. Generation is synchronized to the demand for power instantaneously. These applications are extremely critical and MUST work flawlessly. If you have vendor supplied application software running on a Windows system, and Microsoft issues a security patch, the patch must be tested with the vendor software before it can be applied to the Windows server. Further, the vendor may have an installed base around the world that includes dozens of versions of its applications and all of them must be tested with Microsoft’s new security patch before it receives approval for installation. If a utility applies a Windows patch without vendor approval all bets are off. The vendor takes no responsibility for crashed systems, corrupted databases, or down time. The alternative is running with known security vulnerabilities. It’s a nightmare. I’m glad I retired from it.

  4. It is not surprising that Windows is used to run the system. I am surprised after all the security issues with Win2000 and XP that the PCs were not locked down completely. It sounds like the IT guys really screwed up. Hopefully there has been a nationwide directive to prevent this happening again at anymore power plants.

  5. I very much doubt that critical parts of the control systems run on Windows. You need a real time OS such as QNX or something like the Fanuc OS and other tools that are used in factory automation cells and robotics. Sensor inputs, system monitoring, and execution of control responses has to be precise, reliable, fault tolerant (through redundancy and failsafes), and robust.

    I think what they mean to say is that for stuff that is several levels removed from the control system, they may use Windows to handle information systems or information displays. Things like database management and running reports could be handled by Windows through ancillary systems. But to suggest that critical control system functions, such as safety interlocks, are handled by MS Windows is ludicrous. It couldn’t work with anything near the required failsafe requirements.

    1. Typically, QNX and other Unix/Linux variants are used for the actual operation of the controls, but reporting, GUI, and DB applications are run on a Windows Server. So the various system interfaces are typically handled by Windows servers.

    1. Actually Windows does power the computers in some older US Navy Ships it’s call Windows for War Ships and is based on Windows NT 4.0 and is the bases for Windows 2000 Server.

    1. Pete the security they were enforcing was their Job Security. So far they have done a great job of that. If the PHB confused their objective with actual security of the company data, well, that;s what PHBs are there for.

    1. I’ve got solar on my rooftop (actually on a pole next to the house since that’s where there is better solar access). But there’s not going to be storage “solutions” for the whole power grid. It’s not economics or the evil energy companies — it’s just physics. Sorry.

      It was cloudy and cold here today, my solar panels didn’t make much. They’re really nice in the summer and good in the spring and fall.

  6. OMFG:

    Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have “auto run” features enabled by default, which makes them an easy target for infection…

    I’m cringing with disgust.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.