The US Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT) has just issued an alert about malware that is targeting human-machine interfaces (HMIs) of industrial control systems. https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01A
It is based on a variant of the BlackEnergy malware toolkit that infects HMIs on any supervisory control and data acquisition (SCADA) system that has a direct connection to the Internet. It is a continuation of a malware campaign, targeting numerous companies, that has been ongoing since 2012.
In applications where the ability to remotely monitor or operate the system is required, the SCADA/HMI is often connected to the public Internet as the link to the remote operator. It is such installations that the BlackEnergy malware has been attacking, the alert warns.
So far, three commercial SCADA/HMI software products are listed in ICS-ALERT-14-281-01A, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC for SIMATIC.
The ICS-CERT analysis indicates the attack involves making an HMI server run a malicious screen file hosted on an attacker-controlled server, which then installs the malware. According to the alert, “at this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes.”
However, ICS-CERT warns that this kind of malware usually searches for removable media and network-connected file shares that can provide a pathway into the target company's computer networks.