Cybersecurity researchers believe computer controls at industrial facilities, including in the oil business, get infected by non-targeted malware at least 3,000 times a year.
Dragos Security, a cybersecurity firm in San Antonio, arrived at what it believes is a conservative estimate of worldwide industrial cyberattacks after studying roughly 30,000 samples of infected control system files submitted over the past decade and a half to a publicly available database called VirusTotal, a web service owned by Google.
The findings, released this week, show malware that isn’t even tailored to industrial controls finds its way into critical technology far more often than the public assumes. Some of the malware strains the researchers found can spread through these control systems with ease, and some were designed many years ago, a sign facility operators worldwide haven’t patched up security holes.
“If you have really bad cyber hygiene and you’re not paying attention to basic things, you’re more likely to get impacted by a virus that was written nine years ago,” said Ben Miller, director of the Dragos Threat Operations Center.
For example, Miller found nearly 3,000 instances of industrial files compromised by Sinowal, a Trojan first discovered in 2006. Even more common, though, were strains of malware that spread from computer to computer, created at least five years ago.
It’s not clear how many of these industrial facilities were tied to the energy industry, because the VirusTotal data only provided the country of origin of the independently uploaded files. But it’s yet another grim revelation for oil companies that rely on automated computer controls to run refineries, pipelines and offshore platforms.
Miller said these breaches could easily begin during the flurry of equipment upgrades that happen when power plants, refineries and other energy facilities are taken offline for repairs. Crews of engineers, equipment contractors and information technology specialists flowing in and out of the facilities could, for example, fail to follow security protocols and accidentally plug in infected USB drives into facility systems. And they might only discover they’ve infected operational computers after they use the same thumb drives in corporate computers outfitted with antivirus alert systems.
“Plant managers might have to stop (production) and clean it up because it’s a safety issue,” Miller said. “It could absolutely disrupt how you’re using the system.”