Washington, DC
The ECS-CERT today announced that it had discovered a new
worm that specifically targets safety control systems. The
UNSICHER worm was found during an ECS-CERT investigation of a
control system incident at a chemical plant in the Midwest, according to Immanuel
C. Securitage, an ECS-CERT spokesman.
Securitage reported that an ECS-CERT team was called to the
facility when the safety systems started shutting down chemical manufacturing
systems operating under safe conditions. The investigators quickly isolated the
malware. Working with Robotron, the company that sells the SicherheitsKontrolle
safety control system, ECS-CERT was able to identify how the isolated safety
system was infected.
Erich Mielke, the Robotron spokesman, explained that the SicherheitsKontrolle
was a completely air-gapped safety system. Technicians from the company are the
only ones who are able to connect to the system, as they are the only ones who
have both the physical and software keys to access the FireWire port on the
system that is used for installing updates and patches.
Securitage reported that the Robotron technician who
installed the latest update had apparently picked up the worm on his laptop when he
plugged into an airport charging port en route to install the update. UNSICHER
was found both on the technician’s laptop and on all of the Robotron systems that
he updated on that particular trip.
When the SicherheitsKontrolle system is infected, Mielke
explained, it attempts to establish a communication link with one of the
Robotron PLCs connected to the safety system, using the wireless communications
link Robotron uses to allow wireless connections to sensors used in the
process. Once the connection between the normally isolated safety system
and the facility control system is made, the worm tries to establish a
communications link to a command and control computer under the control of the
attacker.
Securitage suggested that anyone using the Robotron PLCs as
part of a safety system lock out the wireless ports by setting the DIP switches
provided for that purpose, as the UNSICHER worm is able to bypass the software
locks on those ports.
ECS-CERT reports that there was no physical damage caused at
the facility where the worm was discovered, but that the company suffered
almost $1 million in losses due to lost production and rework disposal costs.