Posted by Derek Hutzler / January 16, 2015
Air gapped networks are purposely disconnected from the outside internet to prevent malicious actors from accessing critical data. The computers that control critical infrastructures such as power grids, nuclear reactors, and SCADA systems are cut off from the internet for security reasons. The most famous attack on an air gapped network is of course Stuxnet, a highly sophisticated piece of malware that was delivered via USB. It is suspected that the U.S. and Israel teamed up to create the worm to sabotage Iran’s nuclear centrifuges.
Offline machines are also used by malware researchers, financial institutions, and government organizations. One of the flaws in offline machines is that they still need software updates. Update packages made to the machines are delivered via USB, CD, and sometimes even floppy disks. Since attackers cannot gain access to the air gapped networks via the internet, they must rely on another attack vehicle – the update packages.
An air gapped system controlling a nuclear reactor in South Korea, was recently infected. The suspected culprit was an unauthorized USB that was plugged into the control system. Korea Hydro & Nuclear Power Co had an earlier outbreak of malware brought in by email, which prompted a security review. Luckily they were able to locate the malware and are now working to remove it.
Trend Micro researcher Kyle Wilhoit has found over a dozen different types of banking malware have on ICS/SCADA systems. Wilhoit states, "It’s an interesting trend -- traditional banking Trojans, not targeted attacks.” The malware is making its way on to the machines by disguising itself as a software update.
This brings us to OPSWAT’s solution, Metadefender. Metadefender has been used heavily by the U.S. nuclear industry and has been further developed based on their feedback. It is common to see a Metadefender scanning kiosk outside of secure areas and nuclear reactors. Software updates needed for nuclear plants can be scanned by Metadefender and Metascan®. Based on feedback from nuclear facilities, we have added a tool that can copy all clean files from an incoming USB onto an organization-supplied USB to prevent firmware hacks.
 Michael B Kelley, “The Stuxnet Attack On Iran’s Nuclear Plant Was ‘Far More Dangerous’ Than Previously Thought,” [Online]. Available: http://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11.
 Russell Brandom, “South Korean nuclear plant finds malware connected to control systems,” [Online]. Available: http://www.theverge.com/2014/12/30/7467809/south-korean-nuclear-plant-finds-malware-connected-to-control-systems.
 Kelly Jackson Higgins, “Banking Trojans Disguised As ICS/SCADA Software Infecting Plants,” [Online]. Available: http://www.darkreading.com/attacks-breaches/banking-trojans-disguised-as-ics-scada-software-infecting-plants/d/d-id/1318542