Last September, I did a guest blog post titled “Online-Malware-Support-Shows-Infected-ICS-Computers”, where I searched for HijackThis posts containing automation software. Basically, there are forums available to users whose computers have been infected with viruses. These users can run a set of programs, including HijackThis, DDS, OTS, and others, to pull information from the system. This information is analyzed by the forum community, and recommendations are given to those who are infected. Last year, I found data from many control systems being posted on these forums because the user could not fix their computer.
With all the activity regarding Shodan and ICS recently, I figured there should be another showing of just how many ICS computers interact with the Internet, and are even potentially infected with malware. Remember, the main vector now for infecting normal user systems is via web browser exploits, XSS, email phishing and other less direct methods. I went for an Electric Power focus this year, locking on to several very specific programs that interact with Electric Power infrastructure. The programs I selected are relay configuration programs, used in Electric Infrastructure to configure the devices that open and close breakers on Transmission and Distribution lines. These programs aren’t like SCADA HMIs and OPC servers: their only purpose is to provide a user interface that allows management and reconfiguration of a digital protection relay.