The ECS-CERT today announced that they had discovered a new cybersecurity worm that specifically targets safety control systems. The newly discovered UNSICHER worm was discovered during an ECS-CERT investigation of a control system incident at a chemical plant in the mid-west, according to Immanuel C. Securitage, an ECS-CERT spokesman.
Securitage reported that an ECS-CERT team was called to the facility when the safety systems started shutting down chemical manufacturing systems operating under safe conditions. The investigators quickly isolated the malware. Working with Robotron, the company that sells the SicherheitsKontrolle safety control system, ECS-CERT was able to identify how the isolated safety system was infected.
Erich Mielke, the Robotron spokesman, explained that the SicherheitsKontrolle was a completely air-gapped safety system. Technicians from the company are the only ones that are able to connect to the system as they are the only ones that have both the physical and software keys to access the firewire port on the system that is used for installing updates and patches.
Securitage reported that apparently the Robotron technician that installed the latest update had picked up the worm on his laptop when he plugged into an airport charging port in route to install the latest update. UNSICHER was found both on the technician’s laptop and all of the Robotron systems that he updated on that particular trip.
When the SicherheitsKontrolle system is infected, Mielke explained, it attempted to establish a communication link between one of the Robotron PLCs connected to the safety system using the wireless communications link Robotron uses to allow wireless connections to sensors used in the process. Once the connection link between the normally isolated safety system and the facility control system is made, the worm tries to establish a communications link to a command and control computer under the control of the attacker.
Securitage suggested that anyone using the Robotron PLCs as part of a safety system lock-out the wireless ports by setting the DIP switches provided for that purpose as the UNSICHER worm is able to bypass the software locks on those ports.
ECS-CERT reports that there was no physical damage caused at the facility where the worm was discovered, but that the company suffered almost $1 million in losses due to lost production and rework disposal costs.