
Tenable Blog


Is Malware Hiding in Your Industrial Security Network?

Recent malware attacks reveal the extent to which critical infrastructure facilities are vulnerable to cyber threats. Here's how to protect your industrial network from the next attack.

Most industrial organizations still consider their industrial control system (ICS) networks to be safe from common cyber threats that mainly target IT networks. However, two recent cryptocurrency mining incidents demonstrate that ICS networks are not "sterile" from unwanted software.

Moreover, the fact that these cyber incidents took place at critical infrastructure facilities in Europe and Russia shatters the myth that ICS or operational technology (OT) networks (as opposed to their IT counterparts) are "air-gapped" and that the Windows machines and other devices in those networks are shielded from malware and other cyber threats.

Two cryptocurrency mining incidents in a nutshell

Cryptocurrency Mining Malware Discovered at European Water Utility

The first incident involved the discovery of cryptocurrency mining malware in the network of a water utility provider in Europe. Based on reports, this attack is the first public discovery of an unauthorized cryptocurrency miner impacting ICS or supervisory control and data acquisition (SCADA) servers.

The malware found on the utility's server was mining Monero cryptocurrency. The investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising website. This suggests that an operator at the water utility was able to surf the internet, reach a risky website and click on a link that triggered the installation of mining code on the system. 

The actual system that was initially infected by the malware was the human machine interface (HMI) for the SCADA network. The HMI was running on a Microsoft Windows XP operating system, which was end-of-lifed in April 2014 and therefore not properly patched. It's worth noting that the use of outdated and unpatched operating systems is common in SCADA environments, which prefer to avoid OS updates and patching due to operational stability concerns.

The main impact of Bitcoin mining schemes, which consume substantial computing resources, is degradation of system performance. An additional risk is that malware could spread from the initial point of infection to other systems on the ICS network and consume additional resources.

Malicious Insiders Abuse Supercomputer in Nuclear Facility

The second report came out of Russia, where several scientists working at a top-secret Russian nuclear warhead facility were arrested in early February for allegedly mining cryptocurrencies. According to reports, these trusted insiders tried to use one of Russia's most powerful supercomputers to mine Bitcoins, a process that requires huge computational and energy resources. This was detected only when the scientists attempted to connect the supercomputer to the internet, which raised an alert at the nuclear center's security department. The security policy prohibited such an internet connection in order to eliminate the risk of intrusion.

Security implications for industrial organizations

1. Industrial control networks are reachable

Ten years ago, the air-gap sounded like a fool-proof strategy: create a physical gap between the ICS network and the rest of the world so there is no way for cyber threats to infiltrate. 

This strategy is no longer relevant. Industrial organizations have adopted new connected technologies, like IIoT (industrial internet of things) devices, to enable predictive maintenance and increase manufacturing efficiency. These technologies are blurring the lines between IT and OT networks, while increasing the exposure of ICS networks to cyberattacks.

Moreover, even if you manage to completely isolate the ICS network, there are still threats from within. These types of threats range from malicious insiders, as in the Russian incident, to a careless employee connecting a malware-infected mobile device or USB drive to a Windows machine.

The “general purpose” (i.e., not ICS-specific) malware discovered in the water utility's network demonstrates, yet again, that ICS networks are easily reachable. Gone are the days when a state-sponsored campaign (e.g., Stuxnet) is needed to compromise industrial networks.

2. Industrial control networks are not governed well enough

Given the risks involved, one would imagine that industrial control networks would be well-governed and "sterile" of unwanted software. On the ground, however, we often encounter situations in which this assumption couldn't be further from the truth.

To improve network hygiene, industrial organizations should conduct periodic vulnerability assessments, as well as patching and inventories of software installed on Windows machines.

3. Due to lack of protective measures, industrial networks are at imminent risk

While patching Windows-based machines is a standard best practice in the IT world, that isn't always the case when it comes to ICS. Operator workstations may be involved in continuous processes that can't be interrupted. Take for example oil and gas companies – it's not easy to shut down a pipeline or turbine in order to patch supporting systems. System stability and safety are also major concerns. 

The inherent security risk is that unpatched operator and engineering workstations running on Windows platforms will be exploited by a malware attack. Compromised workstations could then be used to send malicious instructions to controllers, disrupt production operations, and limit visibility into the process.

That said, when it comes to compromising an ICS network, hacking the Windows machines is actually more difficult than gaining access to the controllers, which are not typically protected with authentication, encryption, authorization or other standard security mechanisms. For that reason, we believe that ICS-specific threats, such as Triton malware, will become more common going forward.

The need for better visibility and control

In order to protect their ICS networks against sophisticated cyberattacks, and to ensure that unwanted software doesn't find its way into Windows machines, critical infrastructure and industrial organizations require better visibility into their asset inventory.

To build an effective security strategy, you need to know the manufacturers, models, firmware versions, latest patches and current configuration for each and every asset in your network. This includes the automation controllers – programmable logic controllers (PLCs), remote terminal units (RTUs), or distributed control system (DCS) controllers – responsible for managing the physical processes, as well as Windows servers used by operators. A comprehensive asset inventory based on automated asset discovery is crucial for identifying the vulnerabilities that might put an asset at risk and installing the required security updates.
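As an added illustration (not code from this article or from any Tenable product), the sketch below audits a constructed asset inventory for the conditions described in this post: an end-of-support operating system, software outside an approved baseline, internet reachability, and missing inventory fields. The asset names, field names and baseline lists are assumptions made for the example.

```python
from datetime import date

# End-of-support dates. The April 2014 date for Windows XP is the one cited above.
OS_END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Hypothetical approved-software baseline per asset role.
BASELINE = {
    "hmi": {"scada-hmi-runtime", "vendor-opc-client"},
    "engineering-ws": {"plc-programming-suite"},
}

# Attributes every asset record is expected to carry.
REQUIRED_FIELDS = ("vendor", "model", "firmware")

# Constructed sample inventory (not real assets).
INVENTORY = [
    {"name": "hmi-01", "role": "hmi", "vendor": "ExampleCo", "model": "HMI-100",
     "firmware": "1.0", "os": "Windows XP", "internet_reachable": True,
     "software": ["scada-hmi-runtime", "web-browser", "xmr-miner-example"]},
    {"name": "plc-07", "role": "plc", "vendor": "ExampleCo", "model": "PLC-200",
     "firmware": None},
    {"name": "eng-ws-02", "role": "engineering-ws", "vendor": "ExampleCo",
     "model": "WS-5", "firmware": "2.3", "os": "Windows 10",
     "internet_reachable": False, "software": ["plc-programming-suite"]},
]

def audit_asset(asset, today):
    """Return a list of finding codes for one inventory record."""
    findings = []
    eol = OS_END_OF_SUPPORT.get(asset.get("os"))
    if eol and today > eol:
        findings.append(f"os-unsupported:{asset['os']}")
    allowed = BASELINE.get(asset["role"])
    if allowed is not None:  # roles without a baseline are not software-checked
        for sw in sorted(set(asset.get("software", [])) - allowed):
            findings.append(f"unapproved-software:{sw}")
    if asset.get("internet_reachable"):
        findings.append("internet-reachable")
    for field in REQUIRED_FIELDS:
        if not asset.get(field):
            findings.append(f"inventory-gap:{field}")
    return findings

def audit_inventory(inventory, today):
    """Map asset name to findings, omitting assets with nothing to report."""
    report = {a["name"]: audit_asset(a, today) for a in inventory}
    return {name: f for name, f in report.items() if f}
```
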

By combining automated asset discovery with proactive detection and analytics tools, industrial organizations can protect their ICS networks from external and internal cyber threats.

To learn more about strategies for improving visibility across your ICS environment, see our Tenable.ot whitepaper, “Industrial Cybersecurity in the New Era of Distrust.”
