The malware is, however, yet to be named. ICS-CERT said in a publication that one of the attacks resulted from infections carried on a flash drive used by one of the engineers at the facility.
According to ICS-CERT, initial analysis caused particular concern when one sample was linked to known sophisticated malware. At the request of the customer, an onsite team was deployed to the facility where the infection occurred.
ICS-CERT’s onsite discussions with company personnel revealed a handful of machines that were likely to have had contact with the tainted USB drive. These machines were examined immediately, and drive images were taken for in-depth analysis.
ICS-CERT recommends that the power facility come up with new USB usage guidelines, including the cleaning of flash drives before each use, to minimise the risk of such malware.
In the second facility, a virus hit 10 computers in the turbine control room.
On further investigation, the ICS-CERT team discovered that software upgrades, which were mostly done through USB devices, had resulted in the infection. The result was a delay in the restarting of the plant by nearly three weeks, as well as downtime for the impacted machines.
The team is now calling on the plants to ensure their antivirus software is kept up to date.
“Such practices will mitigate many issues that could lead to extended system downtimes. Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events,” ICS-CERT said.