Two power plants in the US were infected with malware through USB drives during the past three months, according to the US security authority.
The US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that the industrial control system at one of the power generation facilities was inadvertently infected with ‘common and sophisticated from an employee’s USB stick.
The agency said in a report that the employee routinely used this USB drive for backing up control systems configurations within the control environment.
"When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits. Initial analysis caused particular concern when one sample was linked to known sophisticated malware," the report added.
"Following analysis and at the request of the customer, an onsite team was deployed to their facility where the infection occurred.
In the second case, a power facility reported a virus infection in a turbine control system, which infected computers in October 2012.
A third-party technician had used the USB stick to upload software updates during a planned outage for equipment upgrades.
"Unknown to the technician, the USB-drive was infected with crimeware," the report said.
"The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately three weeks."
ICS-CERT advised the owners and operators of critical infrastructure to develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media.
"Such practices will mitigate many issues that could lead to extended system downtimes," ICS-CERT said.