Transparency, Collaboration Required to Fight Cyber Threats

Schneider Electric says the Triton malware attack proves that malicious actors are executing sophisticated multi-layered strikes on control systems. It calls for a new cybersecurity culture.


While security experts continue to deconstruct what happened during the recent Triton malware (also known as Trisis) attack that targeted a Schneider Electric safety controller at a process plant in the Middle East, the energy and automation supplier said the incident should serve as a call-to-action for manufacturing and critical infrastructure facilities.

In a press briefing at the ARC Industry Forum in Orlando, Fla., last week, Schneider executives focused on the facts of the case. They emphasized that the attack did target a Triconex Safety Instrumented System (SIS), specifically the model 3008 versions 10.0-10.4, by exploiting a software vulnerability in the older controller, but that the system did its job: it shut down operations when an anomaly was detected and took operations to a safe state.

While many of the facts related to the incident have already been made public, Schneider officials continue to emphasize that the security breach was not unique to the Triconex SIS.

“The perpetrator was logged on and playing with code,” said Gary Williams, senior director of technology and cybersecurity at Schneider Electric. This means the attacker gained access remotely. That, coupled with human error in which a physical key switch on the Triconex system was left in program mode while the system was in operation, was what enabled access to the system. “This is not a finger-pointing exercise. It doesn’t matter about the equipment or the vendor. If we go that route, we won’t benefit. Rather, we want this to be an industry wake-up call to address cybersecurity as a whole.”

The evidence gathered from Homeland Security, the FBI and other agencies indicates it was a multi-layered attack that was enabled through a variety of security lapses, Williams said. “The fact that a Triconex system was on site was coincidental. Every plant needs to adhere to rigorous procedures and checks,” he said.

To that end, it’s important to follow the instructions in the vendor documentation, as well as the ISA 99 and IEC 62443 security standards. In addition, companies must not only strengthen their cybersecurity technology efforts, but they also need to develop a stronger security culture.

“We are facing a new reality in our industry. There’s a new geopolitical climate. And there’s malicious actors with unlimited resources working to carry out cyberattacks through instruments and control systems,” said Peter Martin, vice president of business innovation and marketing at Schneider Electric. “Vendors, manufacturers and government agencies have to come together.”

We are seeing the first signs of that with the announcement last week of the Charter of Trust, a joint effort between Siemens, Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom.

While Schneider Electric is not part of this particular effort, the company plans to organize another alliance of partners to collaborate on the steps required to ensure the world’s most critical operations are protected.

“We believe the charter is a good first step,” a Schneider Electric spokesperson said. “The co-signers were heavily European, whereas the Schneider Electric call-to-action – like the threat – is global in scope. Overall, the intent is to drive better cross-industry collaboration, while establishing thought and industry leadership when it comes to helping end users combat grave cyber threats coming through new attack vectors.”

Most importantly, Schneider Electric is urging companies to be open and transparent when there is an issue, so that everyone can work collaboratively to solve the problem and protect others. Williams noted that Schneider was responsive when the breach was reported and was at the customer site within four hours. The company has also been proactive about solving the issue—whether it is on a Triconex system or another company’s controller. Covering up an attempted attack is a disservice to the industry as a whole.

“The biggest fear is that something significant will happen,” Martin said. “The Triconex system stopped [the malware] from reaching its final actualization, so the industry says there’s no problem. There is a problem.”
