Internet-connected industrial control systems (ICS) have become a growing concern for cybersecurity professionals. Anxiety spiked after a German nuclear power plant had to shut down in April 2016 because of a Conflicker worm that got into its networks. The concern has grown so much that many worry about the integrity of the electrical power grid.

Revamping ICS Evaluation

Researchers at Dragos recently wondered if the right kind of metrics were being used to quantify the situation and if the right questions were being asked.

Traditional Windows malware may be totally unable to run on the underlying control software that manipulates ICS sensors and devices. An infected ICS may be a great node with which to communicate with command-and-control (C&C) servers and infect other devices, but the malware is highly unlikely to be able to directly affect the controlled system.

To get to the bottom of this risk, Dragos analyzed ICS malware files that were being publicly acknowledged by ICS operators to VirusTotal or other databases. The company claimed to find 30,000 infected ICS files and installers that dated all the way back to 2003.

Identifying Malware

Researchers identified 3,000 unique industrial sites per year that are infected with traditional nontargeted malware, which might be found on any internet-connected machine. This kind of software will not have any direct effect on ICS hardware operation.

But Dragos did find 12 examples of specialized malware targeting ICS operations. One specific malware was designed to look like Siemens control software and had been observed as active in the wild for the last four years.

Edgard Capdevielle, CEO of Nozomi Networks, told Bleeping Computer, “Historically, ICS was designed to be completely segregated and confined by physical boundaries. However, each new IP address punches another hole in the metaphorical wall that separates information technology and operational technology.” Having more industrial systems connecting to the internet means more targets for cybercriminals.

Dragos’ report on its investigation is called “Modern Industrial Control Systems (MIMICS).” According to the report, one of the main problems affecting ICS is that sensitive datasets — such as official documents and installers — are being submitted to public infrastructure due to poor operations security practices around analyzing and identifying malicious software in the ICS. In fact, antivirus vendors may be flagging legitimate ICS software as bogus and submitting it to public databases.

Ultimately, the firm’s research is creating a foundation for gathering real-life metrics. More efforts such as this could bring clarity to the sensationalized sector of ICS malware.