Industry is abuzz this week over reports issued by both FireEye and Dragos about a cybersecurity incident that took place at a critical infrastructure facility in the Middle East. As a publication focused on a broad spectrum of automation and control technologies throughout manufacturing, Automation World doesn’t really have the resources—or the inclination—to report about every network breach that hits the news. Nor do you have the time to fuss over each attack. But this one is worth your time to sit up and take note.
The malware referred to as Triton is significant to our community because it is not only part of an increasing focus of attacks on industrial control systems (ICSs), it is also the first to directly target a safety instrumented system (SIS). Specifically, the attack targeted the facility’s Triconex safety system from Schneider Electric, which responded appropriately by shutting down operations.
According to FireEye, the attacker gained remote access to an SIS engineering workstation in the facility, and deployed the Triton attack framework to reprogram the SIS controllers. Some of the SIS controllers entered a failed safe state, which automatically shut down the industrial process. The subsequent investigation, done by FireEye’s Mandiant team, found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check.
“We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage,” FireEye reports.
All signs point to this cyber attack being sponsored by a nation state. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor,” FireEye says.
The idea of increasing attacks from nation states was a key theme in a discussion I had earlier this year with Eddie Habibi, founder and CEO of PAS Global. Cyber attacks on the industrial sector are likely to be the next generation of stealth weapons, and the attacks we’ve been seeing recently are serious actors testing their weapons, he notes.
“Since 2010, attackers have been intent on learning how process control networks in critical infrastructure plants work, what systems are in place, where vulnerabilities exist, and how best to manipulate these systems to affect plant safety and performance,” Habibi says this week in response to the Triton malware. “Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems that in many cases produce electricity for our businesses, gasoline for our cars, or clean water for our homes.”
>>For more about cybersecurity in critical infrastructure, read our November cover story on the topic.
As such, this really isn’t about Schneider Electric’s Triconex system or any vulnerabilities it might have. It’s about the bad actors finding new attack vectors.
“There are some players in the market that believe that there’s no way anyone can impact the safety systems,” says Emily S. Miller, director of national security and critical infrastructure programs at Mocana. “But this is a verifiable incident where, based on initial reporting, 1) it’s clear that actors are wanting to learn about and impact safety systems; and 2) the safety systems were tripped due to malicious cyber actors working in the space.”
“It’s important to note that the purpose of this attack was to target the site/customer,” says Andy Kling, director of cybersecurity and architecture at Schneider Electric. “While Triton was designed to tamper with our products, it’s only because they’re the products that happened to be on site at this location. The malware leverages no inherent vulnerability in Schneider Electric’s product.”
Dragos, in its report on the incident, also notes that the malware (which it calls Trisis) does not leverage any inherent vulnerability in Schneider Electric products. In fact, because each Triconex SIS deployed in a variety of industries is unique and understanding process implications would require specific knowledge of the process, the malware would have to be modified for each specific victim, Dragos highlights. This would reduce the scalability of the malware.
“Although the attack is not highly scalable, the tradecraft displayed is now available as a blueprint to other adversaries looking to target SIS and represents an escalation in the type of attacks seen to date as it is specifically designed to target the safety function of the process,” the Dragos report points out.
“It is positive that if the APT [advanced persistent threat] actor is in this facility, they’re elsewhere, and they’re conducting the same kind of recon to learn how to cause a litany of ill effects, and keep their presence unknown,” Miller says.
The new attack capabilities are key in this incident, Habibi agrees. “The Triton (aka Trisis) malware attack underscores the capabilities that attackers have acquired and the fact that traditional security controls—namely air gapping and security by obscurity—are no longer sufficiently effective,” he says. “As Triton targets an integral part of the independent protection layers that keep plants safe, this should raise red flags with every critical infrastructure company in the world.”
A key message for critical infrastructure—or any type of manufacturing facility, for that matter—is to be ever vigilant in cyber defenses. Although some might want to give Schneider Electric a bad rap, the fact is that the same threat could be targeted at any safety system being used where bad actors want to attack. And the Triconex SIS did what it was supposed to do. “The system responded appropriately to the malware when it found a mis-compare, and knew something was wrong,” Kling says. “As such, the system went into a safe state and safely shut down the plant operations. If this shutdown had not occurred, the malware could have sat on the system for years.”
Staying cybersecure requires more than just a safe system; it requires following the guidelines that go along with that system.
“Triconex product development and deployment follows IEC 62443 standards. It was accessed by the hackers in this instance because the security features to prevent network and device memory access were not followed by the user,” Kling notes. “Triconex user documentation contains detailed security guidelines and recommendations on how to protect Triconex systems from attack. We strongly encourage all our customers to follow these recommendations regarding product use and security, as well as apply and follow industry-recognized cybersecurity best practices at all times to protect their installations.”
Kling reiterates the best practices noted in the security notification that Schneider Electric sent out to its customers this week:
- Ensure the cybersecurity features in Triconex solutions are always enabled.
- Never leave the front panel key position in the “program” mode when not actively configuring the controller, and always remove and secure the key.
- Ensure all TriStation terminals, safety controllers and the safety network are isolated from the rest of the plant communication channels.
- Also, review and assess your site’s cyber preparedness.
According to the Dragos report, the Triconex SIS controller at the attacked facility had the key switch in program mode during the time of the attack. Also, the SIS was connected to the operations network against best practices. “If the controller is placed in run mode (program changes not permitted), arbitrary changes in logic are not possible, substantially reducing the likelihood of manipulation,” Dragos comments.
This incident reinforces the need for basic and sophisticated controls for the ICS environment, notes a blog by Heather MacKenzie at Nozomi Networks. “On the one hand, it’s disappointing that some basic cybersecurity controls, such as network segmentation, and using physical defenses, such as the physical Triconex key, were not being used,” she says. “It’s also unfortunate that Schneider Electric is being singled out by this landmark incident, when the company is very proactive about ICS cybersecurity.”
FireEye and Nozomi Networks recommend specific practices to defend against such attacks:
- Segregate the safety system network from the process control and information system networks.
- Do not dual-home engineering workstations to any other process control or information system network.
- Use hardware features that provide physical controls. The physical key should be locked and alerts and a change management process should be in place for changes to the key position.
- Limit data flow from the SIS to applications to unidirectional outbound traffic only.
- Limit data flows from servers or workstations to the SIS using application whitelisting and access control measures.
- Monitor ICS traffic for unexpected communication flows and other anomalous activity and investigate promptly.
One of the first steps companies must take is to get better visibility into the cyber assets in their plants, 80 percent of which are outside traditional IT cybersecurity programs, according to PAS’s Habibi. “This is clearly unacceptable given the threat landscape we face today,” he says. “Once companies gain visibility, they can begin to implement fundamental security controls such as monitoring for unauthorized change or discovering hidden vulnerabilities. Otherwise, malware such as Triton will continue to find fertile ground for causing production disruptions and even environmental or physical harm.”