We were thrilled to add a session by Rob Caldwell / FireEye to next week’s S4xEurope agenda when we learned in April about the ICS malware they have named IRONGATE. This is the second biggest ICSsec story of the year to date, albeit a distant second from the Ukrainian Power Utility hack.

FireEye published some technical info on IRONGATE today, and I’m really looking forward to the technical deep dive at S4xEurope.

Three reasons why this is an important story, and none of them is this exact malware's ability to damage real-world ICS.

  1. This is the first post-Stuxnet ICS example of a Stuxnet-like man-in-the-middle attack with a record / replay feature so operators do not see what is truly going on. Many predicted that attackers would learn and mimic Stuxnet techniques. They have.
  2. Fingerprinting so it only affects a specific ICS, again like Stuxnet.
  3. IRONGATE arrived in VirusTotal in 2014. Yes, 2014. And it had clear SCADA markers, such as SCADA.exe. How much other malware attacking an ICS is sitting in repositories around the world, or, even worse, undetected on operational ICS?
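The record/replay man-in-the-middle in point 1 is detectable from the defender's side for exactly the reason it fools operators: a replay is a verbatim copy, and real sensor data is never verbatim twice. The Python below is an added illustration of that check; it is not FireEye's analysis and not IRONGATE code. It assumes the defender has an independent tap on the values the HMI displays (for instance a span port on the PLC network) and a constructed telemetry stream stands in for that tap. The `min_distinct` guard is the practitioner's caveat: a process sitting at steady state legitimately repeats values, so only windows with real variation are allowed to raise an alert.

```python
"""Detect record/replay in an ICS telemetry stream (added example, not from
FireEye or IRONGATE). A replayed segment recurs byte-for-byte; live sensor data
carries noise and drift, so an exact repeat of a window of varied values is the
signature to hunt for."""
import random
from typing import List, Optional, Sequence, Tuple


def first_repeated_window(values: Sequence[float], window: int,
                          min_distinct: int) -> Optional[Tuple[int, int]]:
    """Return (first_start, repeat_start) for the first window of `window`
    samples that recurs verbatim later in the stream, or None.

    Windows with fewer than `min_distinct` distinct values are skipped: a
    steady-state process repeats constant readings legitimately, and flagging
    those would bury the real alert. Exact float equality is intentional;
    replayed values are identical copies, not approximations."""
    seen = {}
    for i in range(len(values) - window + 1):
        key = tuple(values[i:i + window])
        if len(set(key)) < min_distinct:
            continue
        if key in seen:
            return seen[key], i
        seen[key] = i
    return None


def make_live(n: int, seed: int = 7) -> List[float]:
    """Constructed stand-in for a real sensor feed: slow drift plus
    measurement noise, rounded to the resolution a historian would store."""
    rng = random.Random(seed)
    out = []
    level = 50.0
    for _ in range(n):
        level += rng.gauss(0, 0.2)                      # process drift
        out.append(round(level + rng.gauss(0, 0.05), 3))  # measurement noise
    return out


def replay_segment(values: Sequence[float], start: int, length: int,
                   loops: int) -> List[float]:
    """Constructed model of the effect described on the page: the stream is
    truthful up to the end of a recorded segment, after which the operator
    sees that segment looped instead of the live values."""
    segment = list(values[start:start + length])
    return list(values[:start + length]) + segment * loops


def main() -> None:
    live = make_live(200)
    print("live stream:", first_repeated_window(live, 8, 4))
    attacked = replay_segment(live, 50, 20, 3)
    print("replayed stream:", first_repeated_window(attacked, 8, 4))
    steady = [50.0] * 100
    print("steady state, guarded:", first_repeated_window(steady, 8, 4))
    print("steady state, unguarded:", first_repeated_window(steady, 8, 1))


if __name__ == "__main__":
    main()
```

On a real deployment the window length and `min_distinct` are tuned per tag from the historian's own noise profile, and the comparison is run against the values captured on the wire rather than the HMI's display, since the HMI is precisely what the replay is feeding.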

The attackers have learned and implemented Stuxnet techniques, but the defenders haven't really improved their ability to detect malware targeting ICS. We need significant improvement in detection capabilities for ICS integrity attacks.

There will be a lot of speculation on who created this and for what purpose, and it will be just that … speculation. There is no evidence that this is a warning of a significant attack, or that it is not. It could be as innocent as a researcher seeing if proof-of-concept Stuxnet-cousin malware working in his lab would be detected in VirusTotal. Or it could be a preparatory step in related malware development by a more offensive-minded organization.

Step back from that speculation, and think of the implications of the three points highlighted in this article.