Luck prevents malware fatally damaging critical infrastructure - this time!
Hackers have, on a few occasions, gained access and negatively affected industrial control systems. However, at the end of 2017, a new attack vector emerged that demonstrated the ingenuity of hackers and escalated the threat of virtual intrusions to a critical level. 

Using malicious software dubbed 'Triton', the attackers were able to reprogramme equipment vital to the safety of a petrochemical site located in the Middle East. The virtual intrusion could have had serious consequences, such as endangering the lives of workers, disrupting production, and causing negative financial impacts. Fortunately, on this occasion, no one was hurt, and a safe process shutdown was executed.

Triton-esque malware represents the next generation of cyber-threats, and it's important for organisations to take protective measures against them. Waiting to see what happens next isn't a prudent option.

What we know

The attack began when the threat actor managed to get access to the engineering workstation for the petrochemical facility's Triconex Safety Instrumented System (SIS). This allowed the attacker to burrow deeper into the infrastructure and deploy the Triton attack framework to reprogram the SIS controllers. Triton is designed to upload new ladder logic to Schneider Electric Triconex 3008 Processor modules using a specially crafted search and upload routine, which requires a deep understanding of the proprietary TriStation protocol.

The result was that the SIS controllers entered a failed state which automatically shut down the industrial process and alerted the operator, who initiated an investigation. This was most likely not the attacker's intent and most security experts agree that it was lucky that there was no physical damage and that a major catastrophe was prevented.

What this attack does illustrate is a step-up in sophisticated industrial control system cyber-attacks. It is the first known malware targeting SIS, and only the fifth malware known to specifically target industrial networks – previous examples being Stuxnet, Havex / Dragonfly, BlackEnergy 2/3, and Industroyer / CrashOverride.

Triton is further evidence of a heightened focus from attackers against critical infrastructure. Although the attack failed this time, each infiltration improves the attackers' skills and toolsets.

This is a major concern given that the type of SIS attacked is widely used and is commissioned in a consistent way across many industries.

What we need to do

Doing nothing is not an option, nor is it what is happening within these environments - particularly with the NIS Directive being implemented in the UK in a few months. That said, it's not without its challenges as much of the Operational Technology environment includes legacy infrastructure designed long before the hybrid and interconnected networks of today were even dreamed possible.

To defend against attacks such as Triton, the following defensive actions should be implemented:

Segregate the safety system network from the process control and information system networks. For example, ISA-99 / IEC 62443 uses the concepts of zones and conduits, where conduits control the flow of data between zones.

Do not dual-home engineering workstations: an SIS engineering workstation should not be connected to any other process control or information system network.

Use hardware features that provide physical controls. In this case, the Triconex physical key was left in Program mode. Instead, it should be locked, and a change management process with alerting should be in place for changes to the key position.

Limit data flow from the SIS to applications to unidirectional outbound traffic only.

Limit data flows from servers or workstations to the SIS using application whitelisting and access control measures.

Monitor industrial control system traffic for unexpected communication flows and other anomalous activity and investigate promptly.

A further recommendation is to implement passive industrial control system network monitoring and anomaly detection. Such technology includes hybrid threat detection, which uses both behaviour-based and rules-based anomaly detection to rapidly identify threats. For example, in the case of TRITON, this combination would quickly identify any changes in standard communication behaviour plus the presence of malware signatures. These indicators would be correlated into a consolidated incident, helping operators quickly understand and take action on an issue. 

Of course, at the time of the initial attack, malware signatures did not exist. Once they did, however, they could be used by other organisations. For example, custom assertions, which are like rules, can be set up to regularly check for certain conditions, such as "do Triton signatures exist in my network traffic?" This approach facilitates threat hunting, monitoring and remediation that is unique to the installation.
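One way to turn the zone/conduit, outbound-only and change-management controls listed above, together with the custom assertions just described, into passive monitoring logic. This is an added example and not code from the original article or from Nozomi Networks; the host addresses, zone membership, the flow records and the assumption that TriStation traffic runs over UDP/1502 are all constructed for illustration.

```python
"""Passive flow-monitoring assertions for an SIS network zone (illustrative)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str      # host that initiated the conversation
    dst: str
    proto: str
    dport: int

# Assumed ISA-99 / IEC 62443 style zone model: the SIS zone may only be
# reached through the conduit from the engineering workstation.
SIS_HOSTS = {"10.10.1.10", "10.10.1.11"}   # Triconex controllers (assumed addresses)
ENGINEERING_WS = {"10.10.2.5"}             # only host allowed to program the SIS
TRISTATION_PORT = 1502                     # assumption: TriStation carried on UDP/1502

def check_flow(flow, change_window_open=False):
    """Return the names of the defensive rules a single flow violates."""
    findings = []
    if flow.dst in SIS_HOSTS:
        if flow.src not in ENGINEERING_WS:
            # Any session initiated towards the SIS from outside the conduit
            # breaks the "outbound only" rule for SIS data flows.
            findings.append("inbound-to-sis-from-unexpected-host")
        if flow.proto == "udp" and flow.dport == TRISTATION_PORT and not change_window_open:
            # Programming traffic outside an approved change is the activity
            # that let new logic be loaded onto the controllers.
            findings.append("tristation-outside-change-window")
    return findings

def run_assertions(flows, change_window_open=False):
    """Evaluate every flow and collapse hits into one incident entry per rule."""
    incident = {}
    for f in flows:
        for rule in check_flow(f, change_window_open):
            incident.setdefault(rule, []).append(f"{f.src}->{f.dst}:{f.dport}/{f.proto}")
    return incident

# Constructed sample traffic: SIS telemetry pushed outbound to a historian,
# an engineering workstation programming session, and a corporate host
# reaching a controller directly.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.3.20", "tcp", 502),     # SIS -> historian, outbound
    Flow("10.10.2.5", "10.10.1.10", "udp", 1502),     # EWS programs the SIS
    Flow("192.168.50.7", "10.10.1.11", "udp", 1502),  # unexpected host talks TriStation
]

if __name__ == "__main__":
    for rule, hits in run_assertions(SAMPLE_FLOWS).items():
        print(rule, hits)
```

The `change_window_open` flag stands in for the change-management state (key position, approved work order) that a real deployment would feed in; with it closed, even the engineering workstation's programming session is raised for review.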

Fortunately, on this occasion, no one was hurt and the Triconex SIS executed a safe process shutdown. It is guaranteed, however, that the attackers and other nefarious parties will have gleaned something from this incident – and they may even be planning their next move. 

Securing the complicated myriad of 'what ifs' might seem an insurmountable challenge, but with the implementation of cyber-security best practices and new technology solutions, it is possible. As part of an industrial control system cyber-security solution, passive network monitoring with hybrid threat detection helps organisations stay ahead of new and evolving threats. These technologies need to be implemented now, before the next cyber-attack, state sponsored or otherwise, hits its mark and the general public pays the price.

Contributed by Andrea Carcano, co-founder and chief product officer, Nozomi Networks

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.