When should an industrial facility be shut down because of malware

Recently, ICS-CERT disclosed that in October 2012 malware infected a turbine control system at a US power plant when a technician "unknowingly" inserted an infected USB drive into the network, keeping the plant offline for three weeks. DHS said the malware was apparently generated by "criminal software," which has previously been used to perpetrate financial crimes. The disclosure added that the software was introduced into the facility's operating software by an employee of a third-party contractor that conducts business with the utility. This scenario brings up some very important discussions.

First some background:
- Control systems were designed to operate automatically independent of the network. In fact, a control system can continue to operate even with the network shut down.
- Many critical infrastructure control systems run Windows XP and Windows 2000 with the "AutoRun" feature enabled by default, making them an easy target for infection: malicious software loads as soon as a USB drive is plugged into the system unless operators change the setting (see Stuxnet). Many times, this includes turbine controls.
- Control system vendors use USB drives to update firmware and perform other functions. There have been cases where the vendors' own USB drives contained malware.
- Little work has been done to determine if malware can impact control system performance. When do you care about the impact of the malware on control system performance?
- Patching control systems often is not done expeditiously because of the potential for shutting facilities down. Unfortunately, this has already happened.
- There is a very significant cost when power plants and other large industrial facilities are not operating. This could be tens of thousands up to millions of dollars/day depending on the facility.
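The AutoRun point in the background list is one of the few items above with a concrete, checkable setting behind it. The following PowerShell script is an added example, not part of Joe Weiss's post: it reads the NoDriveTypeAutoRun policy value that Windows uses to decide which drive types may AutoRun and reports whether removable (USB) drives are still covered. It assumes PowerShell 2.0 or later (on Windows 2000 or an XP host without PowerShell, the same value can be read with `reg query` against the path shown in the script), and it is report-only: it changes nothing on the host.

```powershell
# Added example (not from the original post): audit the Windows AutoRun policy.
# A set bit in NoDriveTypeAutoRun disables AutoRun for that drive type;
# Microsoft's recommended hardening value is 0xFF (all drive types).
$DriveTypeBits = @(
    @{ Name = 'Unknown (no root dir)';    Bit = 0x01 },
    @{ Name = 'Removable (USB, floppy)';  Bit = 0x04 },
    @{ Name = 'Fixed';                    Bit = 0x08 },
    @{ Name = 'Network';                  Bit = 0x10 },
    @{ Name = 'CD-ROM';                   Bit = 0x20 },
    @{ Name = 'RAM disk';                 Bit = 0x40 },
    @{ Name = 'Unknown (reserved)';       Bit = 0x80 }
)

# Policy locations. A value under HKLM takes precedence over the per-user value.
$PolicyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    foreach ($path in $PolicyPaths) {
        $props = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $props) {
            return New-Object PSObject -Property @{
                Source = $path
                Value  = [int]$props.NoDriveTypeAutoRun
            }
        }
    }
    # No explicit policy: Windows XP's built-in default is 0x91 (unknown and
    # network drives only), which leaves removable drives AutoRun-enabled.
    return New-Object PSObject -Property @{
        Source = 'default (no policy value present)'
        Value  = 0x91
    }
}

function Test-AutoRunDisabled {
    param([int]$Value, [int]$Bit)
    return (($Value -band $Bit) -eq $Bit)
}

$policy = Get-AutoRunPolicy
"NoDriveTypeAutoRun = 0x{0:X2} (from {1})" -f $policy.Value, $policy.Source
foreach ($entry in $DriveTypeBits) {
    $state = if (Test-AutoRunDisabled -Value $policy.Value -Bit $entry.Bit) { 'disabled' } else { 'ENABLED' }
    "  {0,-26} AutoRun {1}" -f $entry.Name, $state
}

# The case the post is about: a USB drive plugged into the control system.
if (-not (Test-AutoRunDisabled -Value $policy.Value -Bit 0x04)) {
    Write-Warning 'AutoRun is still active for removable drives.'
    Write-Warning 'Hardening (run as administrator, after testing on a non-production host):'
    Write-Warning '  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f'
}
```

The script deliberately separates the audit from the fix: on a control system host, the registry change should go through the same change-control and vendor-compatibility review as any other patch, which is exactly the tension the next paragraph describes.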

Some of these issues are mutually exclusive and lead directly to the cultural conflicts between IT and Operations. In an ideal world, a control system network would be sanitized so that no malware is present: a zero-tolerance policy. However, there are many examples of facilities operating with malware on their control system networks, because shutting down the network would shut down the facility at significant cost, whereas the malware has shown an acceptable impact on the operation of the facility. On the other hand, malware such as Stuxnet could cause devastating damage to a facility.

Before a zero-tolerance policy enables an unsophisticated attacker to become a significant threat to critical infrastructure, there should be some dispassionate discussion of when a facility should be shut down, or not restarted, because of malware.

Joe Weiss