If a power plant is vulnerable to malware from 2010, it’s vulnerable to a targeted attack that causes real-world damage.
When you think of stuff you don't want to get infected by malware, a nuclear power plant is probably at the top of your list.
Yet, this week, a nuclear power plant in Germany reported having some of its computer systems infected by two well-known, ancient pieces of malware called W32.Ramnit and Conficker, which were first discovered in 2010 and 2008, respectively. The infected computers ran "data visualization software associated with equipment for moving nuclear fuel rods," and were isolated from the internet, according to Reuters.
The two viruses did infect the computers, but couldn't do much damage: the malware couldn't phone home to its creators over the internet, and the computers didn't control any critical processes. In other words, this wasn't worth pressing the big ol' panic button. But, while we shouldn't freak out about this incident—stuff like this happens all the time—there are some reasons to be concerned about critical infrastructure getting infected by ancient viruses.
"If a system or network is vulnerable to legacy malware, then it is certainly vulnerable to targeted attacks," Chris Sistrunk, an industrial control systems consultant at security firm Mandiant, told Motherboard.
The infection at the nuclear power plant 75 miles from Munich, as another expert in infrastructure hacking put it, was just "a coincidence," and not a targeted attack. In this case, it appears the viruses were transmitted by infected USB drives. But if the systems within a nuclear power plant or another piece of critical infrastructure are so weak that random viruses can hit them, then sophisticated attackers who could get in and then do some damage can hit them too, just as in the case of the recent Ukraine power plant blackout.
That's because these systems, according to Michael Toecker, a control systems engineer and consultant, are like "a patient with a compromised immune system."
"Critical infrastructure still gets hit by these things because ancient viruses find a loving and wonderful home in ancient and horribly unpatched and unmonitored systems," Toecker told Motherboard.
The reason these patients are vulnerable to viruses like W32.Ramnit and Conficker is that they run legacy systems that haven't been patched or updated for a decade. And that's fine as long as the operators of the plant keep them isolated and assume they are insecure, hopefully keeping the more critical parts of the network safer.
"If you have a patient with a compromised immune system, doctors don't let them interact with visitors," Toecker added. "The companies who operate critical infrastructure need to recognize when they have vulnerable systems, and make good hygiene a requirement."