Transparency, Collaboration Required to Fight Cyber Threats

Feb. 23, 2018
Schneider Electric says the Triton malware attack proves that malicious actors are executing sophisticated multi-layered strikes on control systems. It calls for a new cybersecurity culture.

While security experts continue to deconstruct what happened during the recent Triton malware (also known as Trisis) attack that targeted a Schneider Electric safety controller at a process plant in the Middle East, the energy and automation supplier said the incident should serve as a call-to-action for manufacturing and critical infrastructure facilities.

In a press briefing at the ARC Industry Forum in Orlando, Fla., last week, Schneider executives focused in on the facts of the case, emphasizing that, while the attack did target a Triconex Safety Instrumented System (SIS)—specifically the model 3008 versions 10.0-10.4—exploiting a software vulnerability in the older controller, the system did its job by shutting down operations when an anomaly was detected, and took operations to a safe state.

While many of the facts related to the incident have already been made public, Schneider officials continue to emphasize that the security breach was not unique to the Triconex SIS.

“The perpetrator was logged on and playing with code,” said Gary Williams, senior director of technology and cybersecurity at Schneider Electric. This means the attacker gained access remotely. That, coupled with human error in which a physical key switch on the Triconex system was left in program mode while the system was in operation, was what enabled access to the system. “This is not a finger pointing exercise. It doesn’t matter about the equipment or the vendor. If we go that route, we won’t benefit. Rather, we want this to be an industry wake up call to address cybersecurity as a whole.”

The evidence gathered from Homeland Security, the FBI and other agencies indicates it was a multi-layered attack that was enabled through a variety of security lapses, Williams said. “The fact that a Triconex system was on site was coincidental. Every plant needs to adhere to rigorous procedures and checks,” he said.

To that end, it’s important to follow the instructions in the vendor documentation, as well as the ISA 99 and IEC 62443 security standards. In addition, companies must not only strengthen their cybersecurity technology efforts, but they also need to develop a stronger security culture.

“We are facing a new reality in our industry. There’s a new geopolitical climate. And there’s malicious actors with unlimited resources working to carry out cyberattacks through instruments and control systems,” said Peter Martin, vice president of business innovation and marketing at Schneider Electric. “Vendors, manufactures and government agencies have to come together.”

We are seeing the first signs of that with the announcement last week of the Charter of Trust, a joint effort between Siemens, Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom.

While Schneider Electric is not part of this particular effort, the company plans to organize another alliance of partners to collaborate on the steps required to ensure the world’s most critical operations are protected.

“We believe the charter is a good first step,” a Schneider Electric spokesperson said. “The co-signers were heavily European, whereas the Schneider Electric call-to-action – like the threat – is global in scope. Overall, the intent is to drive better cross-industry collaboration, while establishing thought and industry leadership when it comes to helping end users combat grave cyber threats coming through new attack vectors.”

Most importantly, Schneider Electric is urging companies to be open and transparent when there is an issue, so that everyone can work collaboratively to solve the problem and protect others. Williams noted that Schneider was responsive when the breach was reported and was at the customer site within four hours. The company has also been proactive about solving the issue—whether it is on a Triconex system or another company’s controller. Covering up an attempted attack is a disservice to the industry as a whole.

“The biggest fear is that something significant will happen,” Martin said. “The Triconex system stopped [the malware] from reaching its final actualization, so the industry says there’s no problem. There is a problem.”

About the Author

Stephanie Neil | Editor-in-Chief, OEM Magazine

Stephanie Neil has been reporting on business and technology for over 25 years and was named Editor-in-Chief of OEM magazine in 2018. She began her journalism career as a beat reporter for eWeek, a technology newspaper, later joining Managing Automation, a monthly B2B manufacturing magazine, as senior editor. During that time, Neil was also a correspondent for The Boston Globe, covering local news. She joined PMMI Media Group in 2015 as a senior editor for Automation World and continues to write for both AW and OEM, covering manufacturing news, technology trends, and workforce issues.

Companies in this Article

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.

Micro Motion 4700 Coriolis Configurable Inputs and Outputs Transmitter

The Micro Motion 4700 Coriolis Transmitter offers a compact C1D1 (Zone 1) housing. Bluetooth and Smart Meter Verification are available.