Thursday, October 08, 2009

'Sinister' Integral Energy Virus Outbreak a Threat to Power Grid by Asher Moses

A virus outbreak is wreaking havoc with Integral Energy's computer network, forcing it to rebuild all 1000 of its desktop computers before the "particularly sinister" bug spreads to the machines controlling the power grid.

A spokesman for Integral Energy, a major energy supplier, confirmed that the company had called in external information security experts to "rebuild all desktop computers to contain and remove the virus".

The malware had not affected power supplies to customers or business data and was "contained within Integral Energy's information technology network", the spokesman said.

But Chris Gatford, a security consultant at Hacklabs who has conducted penetration testing on critical infrastructure, said there was often "ineffective segregation" or "more typically none at all" between the IT network and the network that monitors and controls the infrastructure.

He said the two networks often needed to be connected in some way in order to share data such as usage information that is used in the billing process or quality of service measuring.

"The risk of having a virus in this type of environment is it might affect the operation of the power grid if the virus was to infiltrate the process control network," said Gatford.

"I think they're to be commended for this extreme reaction when dealing with something that could potentially affect the supply of energy."

Integral Energy said the virus was the W32.Virut.CF strain, which computer security company Symantec describes on its website as "a particularly sinister file infector" that spreads quickly and "is proving difficult to remove from infected networks".

Ironically, Integral Energy's computer networks are protected by a Symantec security solution, a source said. Symantec has had a virus signature for W32.Virut.CF since February.

"This might indicate the antivirus software was not updated in a timely manner on some machines or that the Symantec product was not able to detect it due to the obfuscation techniques used by the malware," Gatford said.

The Symantec website also said that the virus installs a back door, enabling hackers to issue commands to the infected machines via an internet relay chat (IRC) channel.

Gatford said this was a "big concern" when on sensitive networks but most corporate networks "would not allow for this traffic to be passed by the malware".

The Integral Energy spokesman said the company had put in place recovery plans to eliminate the virus from its business systems and maintain service levels to customers.

"As part of these plans, an investigation is under way into the cause of the infection and a strategy to minimise this risk in the future," he said.
