The continuing evolution of utility cybersecurity

DistTrack malware presents a new wrinkle

Kate Rowland | Aug 23, 2012

Share/Save  

Earlier this month, I had a long discussion with EnergySec's Stacy Bresler for the September/October issue of Intelligent Utility magazine about the value of information sharing within the industry around cyber security standards and situations.

EnergySec is a decade-old, organically grown community of information security, physical security, audit, disaster recovery and business continuity professionals from energy industry utilities. Bresler is vice president of outreach and operations for EnergySec, as well as the co-principal investigator for the National Electric Sector Cybersecurity Organization (NESCO).

NESCO, which evolved from EnergySec, was built with partial funding from the U.S. Department of Energy in 2010, meant to be a public-private partnership focused on security-related information sharing in the electric sector, bringing together utilities, federal agencies, regulators, researchers and academics.

So when I began hearing rumblings of new and potentially devastating malware that is apparently targeting the energy sector, I reached out to Bresler for a primer on what it might mean for our industry.

A bit of background:

Late last week, the Sourcefire Vulnerability Research Team (VRT) raised an alert, also reported on by SecurityWeek, about the discovery of what VRT described as "at least one ongoing incident in the energy vertical involving a threat named 'DistTrack'." VRT blogger Matt Olney went on to say, "This is a new, destructive threat that has not previously been seen in the wild ... Preliminary indications are that this malware is currently targeted in nature as no widespread activity has been detected."

Olney describes the threat in detail, as does SecurityWeek. McAfee and Symantec have also posted alerts, giving details on how the malware attacks, and what to look for.

Yesterday morning, the SANS Institute, in its latest issue of its e-mail newsletter @RISK: The Consensus Security Vulnerability Alert, summed up the threat succinctly. It said:

"McAfee discovered last week an extremely destructive new piece of malware that they dubbed DistTrack. Within four hours of infection, the malware has not only overwritten critical system files with a portion of a JPEG image, it overwrites the Master Boot Record with zeros and forces a reboot, effectively killing the machine and requiring users to use forensic tools to recover data."

In addition, Sourcefire VRT confirmed the malware is, at the moment, targeted towards energy companies specifically.

So, I asked Stacy Bresler and NESCO's Tactical Analysis Team (TAC) if the new malware attack really heralds the beginning of something bigger targeting energy companies, and what energy sector security analysts and operations teams should be watching out for.

Here's NESCO TAC's take on DistTrack so far:

"We're aware of the malware and will continue to monitor the situation," they told me by e-mail. "There are allegations that it has infected at least one energy company, possibly two, but it's not clear if they were specific targets or infected by random chance. The destructive nature of this malware isn't consistent with other targeted instances and, as of now, we have no indication that the situation warrants heightened measures.

"This may be a case of malware being highlighted given the (appropriate, in our opinion) attention on critical infrastructure security."

And it's true, critical infrastructure security is clearly an ever-increasing focus, both with the U.S. government and with North America's energy and utilities industry. It's nearly impossible now, within our industry, to say "NERC CIP" and have someone in the room who doesn't understand what that means.

But NERC CIP guidelines compliance is only part of the risk management practices electric utilities undergo in order to keep the North American electric grid from harm, as Bresler stressed when we first talked. Being "compliant" is different than being "protected" and both are important. Compliance, as proven by an audit, is all about documentation that supports the requirements.

Risk management -- and being always watchful, always aware, so that the latest malware, such as DistTrack, doesn't affect grid operations -- is the bread and butter of grid reliability.

Kate Rowland
Editor-in-chief, Intelligent Utility magazine
Energy Central
krowland@energycentral.com

Related Topics