Though most malware infecting ICS environments are random, Dragos did find a crimeware program targeting facilities with Siemens programming logic controllers since 2013.
Though most malware infecting ICS environments are random, Dragos did find a crimeware program targeting facilities with Siemens programming logic controllers since 2013.

Approximately 3,000 unique industrial sites per year are randomly infected with conventional, generic malware, while attacks involving malware specifically designed to target industrial control systems (ICS) are far less common, according to a new study from Fulton, Md.-based ICS security company Dragos.

"Malware is indeed making its way into ICS environments and is largely opportunistic. We finally have a good sense of the scale of this due to VirusTotal and can move past guesswork," said Ben Miller, Dragos' director of threat operations, in an email interview with SC Media. 

After analyzing approximately 15,000 samples collected from the malware scanning service VirusTotal over a three-month period, researchers working on Dragos' "Malware in Modern ICS (MIMICS)" project determined that the viruses Sivis, Ramnit and Virut were among the malicious programs most frequently found in industrial settings. In a blog post Tuesday, Dragos explained that such infections are very commonplace and typically do not represent a danger to physical safety.

On the other hand, tailored threats such as the BlackEnergy malware campaign that sabotaged the Ukrainian power grid can in some instances pose a significant hazard to industrial environments. But in its collected samples, Dragos could find only 12 instances where malware was intentionally designed to infiltrate industrial control systems. 

Of these dozen examples, one of the most serious was a crimeware program that since 2013 has repeatedly attempted to compromise a specific U.S.-based industrial environment via its Siemens programmable logic controller (PLC) software. In its report, Dragos states that this activity was recorded 10 times over the last four years, and as recently as March 2017.

Findings from the report also support Dragos' position that IT security teams who are not always familiar with the ins and outs of ICS environments are sometimes guilty of flagging legitimate ICS software programs as malicious. Dragos reported findings thousands of unique pieces of ICS software including human machine interface installers, data historian installers, and key generators placed in public malware databases, where outsiders can access them.

"This means that adversaries can simply download these software files and leverage access to them for their own learning and practicing, the report warns.

Dragos reported it found more than 120 legitimate ICS project files that were incorrectly flagged and submitted to public malware databases, including reports from the Nuclear Regulatory Commission, substation layouts and maintenance reports.

"We were a bit surprised at how much [VirusTotal] is being used by ICS security staff," said Miller. "Unfortunately, some providers and users don't understand what they are uploading can result in data leakage in the form of engineering, compliance, and maintenance that should not have been uploaded."