SAN FRANCISCO--The Conficker worm infected several hundred machines and critical medical equipment in an undisclosed number of hospitals recently, a security expert said on Thursday in a panel at the RSA security conference.
"It was not widespread, but it raises the awareness of what we would do if there were millions" of computers infected at hospitals or in critical infrastructure locations, Marcus Sachs told ZDNet Asia's sister site CNET News.com after the session. Sachs is the director of the SANS Internet Storm Center and a former White House cybersecurity official.
It is unclear how the devices, which control things like heart monitors and MRI machines, and the PCs got infected, he said. The computers are older machines running Windows NT and Windows 2000 in a local area network that was not supposed to have access to the Internet, however, the network was connected to one that has direct Internet access and so they were infected, he said.
Conficker spreads via networked computers as well as through removable storage devices and a hole in Windows that Microsoft patched in October, but these machines were too old to be patched, according to Sachs.
The situation illustrates the dangers of connecting critical networks, like in hospitals and in SCADA (Supervisory Control and Data Acquisition) systems used by utilities and other critical infrastructure providers, with networks connected to the Internet, he said during the panel "Securing Critical Infrastructures: Infrastructure Exposed."
"We haven't found any nukes yet that are infected with Conficker or that are trying things like Twitter," he quipped. But "that is within the probable as we take shortcuts," he said.
"We're seeing a huge uptick in probing for SCADA systems," said Jerry Dixon, director of analysis and vice president of government relations at research firm Team Cymru. For years, the SCADA systems were separated from the public networks, but that's not the case anymore, he said.
Utilities move to remote access and other Internet-based technologies so workers can have access to the control systems when they are not at the plant and to cut costs, Sachs said. Workers have been known to access control systems using BlackBerrys for no reason other than that they can, he said.
Asked after the panel if cyberattacks had led to any utility outages, Michael Assante, chief security officer of the North American Electrical Reliability Corporation (NERC), said "none in North America."
"There is no evidence of computer compromise that led to a disruption of service," he said. "We're not immune to it; it's not hypothetical."
Government officials maintained that an electricity blackout in 2003 in the northeastern United States was not caused by the Blaster Internet worm that was circulating at the time as was suspected, but officials also were never able to reveal why it happened.
This article was first published as a blog post on CNET News.
Play video
Article is not accurate
The cause of the NE blackout was determined and discussed ad nauseam.
The alarming subsystem failed in a unix-based scada system used by the utility company in Akron, OH (FirstEnergy). The problem persisted for over an hour. During this time, FirstEnergy’s system operators where unaware of the condition of their electric system and allowed transmission lines to overheat and sag into trees (due in part to FirstEnergy’s poor tree trimming practices). The instability of the electric system in Ohio caused overloads in adjacent services areas, which caused automatic protection systems on undamaged equipment to isolate itself from the grid. The cascading events moved north into Canada, around in the great lakes, and back into the northeast US, with the majority of the blackout occurring in ~9 seconds.
Specific software bugs were identified in the GE XA/21 scada system (used by FirstEnergy) which caused the initial failure of the alarm/event subsystem.
The cause of the blackout is known and was not related to an Internet worm. Please stop perpetuating this falsehood.
Posted by anonymous on Friday, April 24 2009 09:09 PM