
Irongate malware: What are the risks to industrial control systems?

The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS and SCADA systems.

FireEye recently discovered a new type of malware called Irongate, which has exhibited some of the same characteristics as Stuxnet in targeted attacks on industrial control systems. What are the Stuxnet traits exhibited by the Irongate malware, and what are the risks to enterprises?

All pieces of malware have some similarities with Stuxnet. The Stuxnet malware was designed and targeted at very specific supervisory control and data acquisition (SCADA) systems in Iran for very specific reasons. It was a sophisticated piece of malware when it came out, but it had much of the same functionality as other malware, including an initial infection method and a dropper. FireEye discovered the Irongate malware while searching VirusTotal, a free malware scanner, for files that use PyInstaller. The Irongate developers have made advancements in their malware's anti-analysis functionality compared to Stuxnet, which only checks for antivirus software. Since the Irongate malware was identified through secondary analysis of VirusTotal data rather than by investigating compromised systems, it is difficult to establish the full extent of the malware's functionality and of the attack. This is, however, a good use of a community data repository.

Like the Stuxnet malware, Irongate attacks ICSs, looks for a specific process to infect and replaces dynamic link libraries to manipulate that process. Enterprises with ICS or SCADA systems need to continue to maintain the security of their environments, and implement new security controls after risk assessments are performed. As FireEye stated, there is minimal risk to enterprises, as Irongate appears to be proof-of-concept malware that doesn't perform malicious actions. Enterprises with Siemens control systems should contact Siemens to find out if their systems are vulnerable to the Irongate malware, because neither FireEye nor Siemens has publicly listed which systems are vulnerable.

FireEye makes two recommendations that are common in more mature software development environments: code signing for the software in use, and sanity checks on I/O data. FireEye released indicators of compromise that an enterprise could check on its ICS or SCADA systems to see if it had been compromised, but it might be more important to ensure that your enterprise has the capability to check its ICS or SCADA systems for such indicators at all, rather than to perform a one-off search for the Irongate malware.
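The two recommendations above, and the DLL-replacement behaviour described in the previous paragraph, can be turned into concrete defensive checks. The following is an added example written for this article, not code from FireEye, Siemens or the Irongate analysis. It assumes two things: that a known-good allowlist of module hashes is available (a minimal stand-in for code signing, which additionally binds that list to a publisher's key), and that plausible physical ranges and rates of change are known for each I/O signal. The module names, module contents and sensor readings are all constructed for the example.

```python
"""Added example (not from the article or FireEye): two defensive checks
that correspond to the recommendations above.

1. verify_modules(): confirm that the DLLs a control process loads match a
   known-good allowlist of SHA-256 hashes (a stand-in for code signing).
2. check_io_samples(): plausibility checks on process I/O data: values in
   physical range, rate of change bounded, and no window of samples that
   repeats verbatim (a replaced DLL feeding recorded values back to the
   operator would produce exactly such repeats).

All module contents, hashes and sensor values are constructed for the example.
"""
import hashlib
from typing import Dict, List, Sequence

# Constructed "known-good" modules; in practice the allowlist would be
# distributed with the vendor's software and protected by a signature.
GOOD_MODULES: Dict[str, bytes] = {
    "scada_io.dll": b"original io library v1",
    "plc_comm.dll": b"original comm library v1",
}
ALLOWLIST: Dict[str, str] = {
    name: hashlib.sha256(data).hexdigest() for name, data in GOOD_MODULES.items()
}


def verify_modules(loaded: Dict[str, bytes],
                   allowlist: Dict[str, str] = ALLOWLIST) -> List[str]:
    """Return the names of loaded modules whose hash is not on the allowlist
    (or that are not listed at all). An empty list means everything matched."""
    bad = []
    for name, data in loaded.items():
        expected = allowlist.get(name)
        if expected is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(name)
    return sorted(bad)


def check_io_samples(samples: Sequence[float], lo: float, hi: float,
                     max_step: float, window: int = 5) -> List[str]:
    """Plausibility checks over a sequence of sensor readings.

    lo/hi: physical range of the signal; max_step: largest credible change
    between consecutive samples; window: length of a block that is flagged
    when it is immediately repeated verbatim.
    Returns human-readable findings (empty if the data looks sane)."""
    findings = []
    for i, v in enumerate(samples):
        if not (lo <= v <= hi):
            findings.append(f"sample {i}: value {v} outside [{lo}, {hi}]")
        if i > 0 and abs(v - samples[i - 1]) > max_step:
            findings.append(f"sample {i}: jump of {abs(v - samples[i - 1])} "
                            f"exceeds {max_step}")
    # Replay check: a physical process with real sensor noise does not
    # produce the same block of readings twice in a row, bit for bit.
    for i in range(0, len(samples) - 2 * window + 1):
        if list(samples[i:i + window]) == list(samples[i + window:i + 2 * window]):
            findings.append(f"samples {i}-{i + 2 * window - 1}: window of "
                            f"{window} readings repeated verbatim")
            break
    return findings


if __name__ == "__main__":
    # Constructed scenario: one module swapped out, and a replayed sensor feed.
    loaded = dict(GOOD_MODULES)
    loaded["scada_io.dll"] = b"replacement io library"
    print("modules failing integrity check:", verify_modules(loaded))

    replayed = [20.1, 20.3, 20.2, 20.4, 20.3] * 2
    for finding in check_io_samples(replayed, lo=0.0, hi=100.0, max_step=5.0):
        print("I/O finding:", finding)
```

Both checks are cheap enough to run continuously on an engineering workstation or historian rather than only during an incident, which is the capability the paragraph above argues for: the integrity check catches a swapped library regardless of which malware family swapped it, and the I/O checks flag manipulated or replayed process data without needing a signature for the specific tool that produced it.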


This was last published in October 2016
