No doubt it could have been far worse - even catastrophic. An apparent misstep by the attackers behind the malware now known as TRITON/TRISIS that was discovered embedded in a Schneider Electric customer's safety system controller late last year fortunately failed, causing two of the safety instrumented systems (SISes) to shut down an industrial process in the plant. That outage led to the discovery of the customized backdoor malware in the Middle East industrial plant.
No smoking gun exploit to wreak physical damage in the plant was found, according to Schneider and other investigators who studied the attack. But TRITON/TRISIS exposed yet another breed of systems that attackers can now target to compromise industrial operations, the physical safety control systems – aka SISes - that provide automatic emergency shutdown of a plant process, such as an oil refinery process that exceeds safe temperatures.
"If you want to attack a chemical plant or a refinery that has safety instrumented systems, that's the best place to start: you can put in a time bomb," says Eddie Habibi, founder and CEO of ICS security vendor PAS Global. "A SIS is designed to prevent disasters. When it needs to, the SIS kicks in and brings down the plant safely and gradually. If it doesn't kick in [because it's been compromised], bad things can happen."
TRITON/TRISIS joins the annals of game-changer industrial malware attacks like Stuxnet and BlackEnergy3 that ultimately led to sabotaging industrial processes of their targets: Stuxnet forced centrifuges in Iran's Natanz nuclear facility to spin out of control and fail, and Black Energy3 led to a power outage for 225,000 Ukrainian power customers in December of 2015.
While TRITON/TRISIS was created to target a specific model and firmware version of Schneider's Triconex Tricon SIS, this type of attack could be retooled to target other major ICS/SCADA vendors' SIS products and customers, security experts say.
This new reality is not lost on Schneider, nor some of its competitors. "The tradecraft here … the idea now that there is a player with this kind of skill has to be an industry problem," says Andrew Kling, director of cyber security and software practices for Schneider Electric.
Less than two weeks after the attack first was made public by FireEye, ICS/SCADA vendor ABB issued an advisory for its customers about TRITON/TRISIS. "While currently we have no indication that a similar malware exists which is targeting other safety products, conceptually the attack scheme can also be used against any sufficiently similar safety system, incl. ABB systems," the ABB advisory said.
ABB also listed security recommendations for its customers to mitigate a similar attack, including segregating ICS networks, installing valid vendor patches to engineering system operating systems, and updating antivirus with new signatures for the malware.
Siemens' Harry Brian, product solution and security expert in the company's digital factory division, points to Siemens' secure software development lifecycle program, which includes software for its Simatic S7 industrial controllers, Simatic industrial PCs, Simatic Human Machine Systems Interface devices, Simatic PCS7, Scalance network devices, Simatics drives, and its Totally Integrated Automation Portal engineering software.
"Threats to Industrial Control Systems are taken seriously by Siemens," Brian said in an email response to questions about Siemens' view of a TRITON/TRISIS-type threat to its products, but did not comment on Siemens' plans or possible concerns about a TRITON/TRISIS-type threat targeting Siemens' SIS products.
Siemens' SIS family includes the Simatic Safety Integrated for Process Automation system.
He pointed to the company's internal CERT that fields and handles security vulnerability reports about its products, as part of its strategy for responding to malware threats in general. "Siemens works in conjunction with several other CERT organizations worldwide to coordinate threat intelligence and security vulnerability information," he said.
Siemens recommends defense-in-depth practices, software-patching, and running up-to-date versions of its products, according to Brian, as a way to protect against threats.
"TRISIS is the first time we've seen something that's gotten to the heart of the engineering department" in operations technology (OT), notes Rob Lee, CEO and founder of Dragos, whose firm has analyzed the TRITON/TRISIS malware. "If you have a safety system, regardless of whether it's a Triconex or not, you should be asking questions about what you should do" to secure it, he says.
Dean Weber, CTO of IoT security firm Mocana, argues that TRITON/TRISIS's targeting of plant safety systems should have come as no surprise: Stuxnet and BlackEnergy should have been the wakeup call for the threat of cyberattacks that lead to manipulating physical safety and processes in industrial plant, he says.
"We've been screaming about this for years: Stuxnet was the first … piece of code that attacked the safety systems," says Weber. "It was a compromise of a safety system. The centrifuges were shaking themselves apart ... and nobody saw it," Weber notes. BlackEnergy3 attackers also waged a denial-of-service attack, he notes, on the Ukraine energy firm's phone system center, which derailed restoration and communications efforts during the power outage.
Easier Ways In
While TRITON/TRISIS exposed another potential attack vector for critical infrastructure providers and industrial networks, there still are simpler ways for attackers to get in. The TRITON/TRISIS hackers had gathered some serious intel to understand the specific SIS running in the victim plant, and then presumably conducted intense reverse-engineering of the Triconex proprietary firmware and communications protocols.
"I think we shouldn't worry about too many people imitating this type of attack because it requires really high skill of professionals to reverse-engineer everything and write those scripts, those backdoors," says David Atch, vice president of research at CyberX, who has reverse-engineered the malware sample.
Atch believes the attack was the handiwork of Iranian nation-state hackers, in part due to timestamps he reconstructed from the malware code. Neither Schneider nor other companies that have studied the malware will reveal the victim nor name an attacker, however.
There are simpler ways to wreak havoc on safety systems than TRITON/TRISIS. "The interesting thing about safety and protection systems is they provide an opportunity for very simple, basic denial-of-service attacks," says Ralph Langner, founder and CEO of Langner Communications. "If your goal is to shut down a plant, there are easier ways to do that than attack the safety systems … not even to attack it, but to trigger a shutdown condition."
Reid Wightman, a vulnerability analyst at Dragos who has studied the malware, points to other more imminent threats to OT. "A bigger problem is that a lot of networks still have remote access and it's just a matter of their leaving the network perimeter too porous," he says. "If an attacker gets onto the network, there's generally not that much security around the controllers themselves. That's where I'd be more concerned about protecting, instead of a fairly sophisticated reverse engineering-y, backdoor installer-y, attack" such as TRITON/TRISIS, he says.
Even so, the attackers behind TRITON/TRISIS could strike again, experts say. "It's very obvious to us they made mistakes in the malware, and the direction they were going was to remove safety logic and not to crash the system," Dragos' Lee notes. And it's likely the attackers eventually will try again since their campaign was found out, he says.