A US-based power plant was hit with a malware attack thanks to an infected USB stick used for software updates.
The incident was revealed in a new report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The power plant contacted CERT after discovering a virus in a turbine control system that impacted about 10 computers on its control system network, and affected operations for about three weeks.
The USB drive in question was used to back up control system configurations. However, when the technician - who was not aware of the malware - inserted the USB stick into a computer with anti-virus software, it picked up on at least three incidents of malware.
"Initial analysis caused particular concern when one sample was linked to known sophisticated malware," according to CERT, which deployed a team in October for an on-site inspection.
That team found the malware on two engineering workstations that were "critical to the operation of the control environment." Compounding the problem was the fact that there were no backups for these workstations.
"The recommended practice is to maintain a system of 'hot spares' or other effective backups for all critical systems," CERT said.
The workstations did not run anti-virus solutions due to the challenges of deploying them in a control system environment, CERT said. But anti-virus software "could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations," the organisation said.
CERT also recommended that USB devices be cleaned before use, or swapped out for CDs or DVDs that are only used once.
The incident is reminiscent of Stuxnet, a virus reportedly deployed by the US and Israeli governments in order to slow the spread of Iran's nuclear program. The actual deployment of Stuxnet was carried out by "spies and unwitting accomplices," who physically carried thumb drives loaded with the virus into the facility, according to a 2012 New York Times report.