18 December 2017

TRITON attack. Comment by Kaspersky Lab ICS CERT expert

FireEye has published data on a new attack that has resulted in the failure of an enterprise’s safety instrumented system (SIS). Although the attack did not do any serious harm, the incident demonstrates that cybercriminals have the ability to cause physical damage and disrupt critical industrial processes. FireEye researchers do not disclose information on the enterprise targeted by the malware.

According to the FireEye report, the attackers used a new TRITON malware framework, specifically designed for attacking Triconex Safety Instrumented System (SIS) controllers produced by Schneider Electric. Such systems are commonly used in the oil-and-gas industry and nuclear power to monitor potentially dangerous conditions and prevent accidents.

The attacker gained remote access to a Triconex SIS engineering workstation running Microsoft Windows and installed malware designed to reprogram SIS controllers, disguised as a legitimate log reviewing application. FireEye experts later dubbed the malware Triton. In the process of being reprogrammed, some controllers entered a failed safe state (i.e. an emergency mode designed to prevent physical damage to the hardware), automatically shutting down the industrial process. According to FireEye experts, shutting down the industrial process was not part of the attacker’s initial plans and was accidental.

Schneider Electric has stated that TRITON can scan industrial networks to perform reconnaissance at the attack planning stage. At the same time, the malware requires Triconex controllers to be in “PROGRAM” mode in order to deliver its payload. Therefore, the vendor recommends that the mode be disabled and used only for setting up the controllers.

Sources: FireEye, Schneider Electric

Comment by an expert

Evgeny Goncharov, Head of Critical Infrastructure Defense Department at Kaspersky Lab:

Industrial automation system engineers and operators very often confuse functional safety and cybersecurity. They rely on safety instrumented systems, believing that these systems can protect against cyberattacks. However, safety instrumented systems themselves can be selected as targets by threat actors and fall prey to cyberattacks. Strictly speaking, we have already seen this kind of scenario played out. Examples include attacks on Ukraine’s power systems in December 2015 and 2016, which affected protection relays (indirectly in the former case and directly in the latter).

Safety instrumented systems can be even more attractive targets for attackers than industrial control systems. This is because the operating logic of safety instrumented systems is usually less complicated and, most importantly, more universal than that of control systems. It is defined, to a great extent, by physical limitations of the industrial hardware and is less dependent on specific implementations of industrial processes at specific enterprises. These systems are standardized and typified, making it easier for adversaries to design all-purpose attack tools.

This incident demonstrates an important property of attacks on industrial enterprises: such attacks may not show signs of malicious computer activity, because the malicious payload designed by their developers targets systems that are different from those traditionally protected against cyberattacks – that is, field devices and mechanical assets, rather than workstations and servers.

To protect against this type of attack, Kaspersky Lab ICS CERT experts recommend using cybersecurity technologies that monitor and control system integrity, including network connections and application startup, as well as deep analysis of network communications.
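As an added illustration of the monitoring approach recommended above (example code written for this page, not Kaspersky Lab's, FireEye's or Schneider Electric's), the script below checks constructed telemetry against a site baseline: which hosts may talk to the safety controllers, which executables (by hash, not name) may start on the engineering workstation, and when a controller is expected to be in PROGRAM mode. All addresses, hashes, timestamps and maintenance windows are assumptions.

```python
from datetime import datetime

# Constructed baseline for a hypothetical plant: all addresses, hashes and
# windows below are assumptions, not values from the incident report.
ENGINEERING_WS = "10.0.5.10"                       # Triconex engineering workstation
SIS_CONTROLLERS = {"10.0.5.101", "10.0.5.102"}     # safety controllers
# Executables approved on the engineering workstation, keyed by image name;
# value = expected SHA-256 (shortened placeholders, constructed).
APPROVED_APPS = {"tristation.exe": "sha256:1111", "logviewer.exe": "sha256:2222"}
# Periods in which PROGRAM mode on a controller is expected (constructed).
MAINTENANCE_WINDOWS = [(datetime(2017, 12, 10, 8, 0), datetime(2017, 12, 10, 18, 0))]


def in_maintenance_window(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def analyze(events):
    """Return one alert string per event that breaks the baseline."""
    alerts = []
    for ev in events:
        if ev["kind"] == "conn":
            # Only the engineering workstation may talk to the safety controllers.
            if ev["dst"] in SIS_CONTROLLERS and ev["src"] != ENGINEERING_WS:
                alerts.append(f"conn: unexpected host {ev['src']} -> SIS {ev['dst']}")
        elif ev["kind"] == "proc":
            # Match by hash, not name: a trojanised binary can keep a benign name.
            if ev["host"] == ENGINEERING_WS and APPROVED_APPS.get(ev["image"]) != ev["sha256"]:
                alerts.append(f"proc: unapproved image {ev['image']} ({ev['sha256']}) on {ev['host']}")
        elif ev["kind"] == "mode":
            # PROGRAM mode outside a planned maintenance window is a red flag.
            if ev["mode"] == "PROGRAM" and not in_maintenance_window(ev["ts"]):
                alerts.append(f"mode: controller {ev['controller']} in PROGRAM at {ev['ts']:%Y-%m-%d %H:%M}")
    return alerts


# Constructed sample telemetry (not captured from a real network).
SAMPLE_EVENTS = [
    {"kind": "conn", "src": "10.0.5.10", "dst": "10.0.5.101"},                                   # normal
    {"kind": "conn", "src": "10.0.7.33", "dst": "10.0.5.101"},                                   # alert
    {"kind": "proc", "host": "10.0.5.10", "image": "tristation.exe", "sha256": "sha256:1111"},  # normal
    {"kind": "proc", "host": "10.0.5.10", "image": "logviewer.exe", "sha256": "sha256:9999"},   # alert
    {"kind": "mode", "controller": "10.0.5.102", "mode": "PROGRAM", "ts": datetime(2017, 12, 10, 9, 30)},  # normal
    {"kind": "mode", "controller": "10.0.5.102", "mode": "PROGRAM", "ts": datetime(2017, 12, 14, 2, 15)},  # alert
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

The three checks correspond to the three recommendation points (network connections, application startup, and deep analysis of controller communications that reveals the key-switch state); in a real deployment the baseline would be populated from the site's asset inventory and change-management records.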