Industrial Safety Systems in the Bullseye

TRITON/TRISIS attack on Schneider Electric plant safety systems could be re-purposed in future attacks, experts say.

No doubt it could have been far worse, even catastrophic. The attackers behind the malware now known as TRITON/TRISIS, discovered embedded in a Schneider Electric customer's safety system controller late last year, apparently made a misstep, and the attack fortunately failed: it caused two of the plant's safety instrumented systems (SISes) to shut down an industrial process. That outage led to the discovery of the customized backdoor malware in the Middle East industrial plant.

No smoking-gun exploit to wreak physical damage in the plant was found, according to Schneider and other investigators who studied the attack. But TRITON/TRISIS exposed yet another breed of systems that attackers can now target to compromise industrial operations: the physical safety control systems, aka SISes, that provide automatic emergency shutdown of a plant process, such as an oil refinery process that exceeds safe temperatures.

"If you want to attack a chemical plant or a refinery that has safety instrumented systems, that's the best place to start: you can put in a time bomb," says Eddie Habibi, founder and CEO of ICS security vendor PAS Global. "A SIS is designed to prevent disasters. When it needs to, the SIS kicks in and brings down the plant safely and gradually. If it doesn't kick in [because it's been compromised], bad things can happen."

TRITON/TRISIS joins the annals of game-changing industrial malware attacks like Stuxnet and BlackEnergy3 that ultimately sabotaged the industrial processes of their targets: Stuxnet forced centrifuges in Iran's Natanz nuclear facility to spin out of control and fail, and BlackEnergy3 led to a power outage for 225,000 Ukrainian power customers in December 2015.

While TRITON/TRISIS was created to target a specific model and firmware version of Schneider's Triconex Tricon SIS, this type of attack could be retooled to target other major ICS/SCADA vendors' SIS products and customers, security experts say.

This new reality is not lost on Schneider, or on some of its competitors. "The tradecraft here … the idea now that there is a player with this kind of skill has to be an industry problem," says Andrew Kling, director of cyber security and software practices for Schneider Electric.

Less than two weeks after the attack first was made public by FireEye, ICS/SCADA vendor ABB issued an advisory for its customers about TRITON/TRISIS. "While currently we have no indication that a similar malware exists which is targeting other safety products, conceptually the attack scheme can also be used against any sufficiently similar safety system, incl. ABB systems," the ABB advisory said.

ABB also listed security recommendations for its customers to mitigate a similar attack, including segregating ICS networks, installing valid vendor patches to engineering system operating systems, and updating antivirus with new signatures for the malware. 

Siemens' Harry Brian, product solution and security expert in the company's digital factory division, points to Siemens' secure software development lifecycle program, which includes software for its Simatic S7 industrial controllers, Simatic industrial PCs, Simatic Human Machine Systems Interface devices, Simatic PCS7, Scalance network devices, Simatics drives, and its Totally Integrated Automation Portal engineering software. 

"Threats to Industrial Control Systems are taken seriously by Siemens," Brian said in an email response to questions about Siemens' view of a TRITON/TRISIS-type threat to its products, but did not comment on Siemens' plans or possible concerns about a TRITON/TRISIS-type threat targeting Siemens' SIS products.

Siemens' SIS family includes the Simatic Safety Integrated for Process Automation system.

He pointed to the company's internal CERT that fields and handles security vulnerability reports about its products, as part of its strategy for responding to malware threats in general. "Siemens works in conjunction with several other CERT organizations worldwide to coordinate threat intelligence and security vulnerability information," he said.

Siemens recommends defense-in-depth practices, software patching, and running up-to-date versions of its products, according to Brian, as a way to protect against threats.

"TRISIS is the first time we've seen something that's gotten to the heart of the engineering department" in operations technology (OT), notes Rob Lee, CEO and founder of Dragos, whose firm has analyzed the TRITON/TRISIS malware. "If you have a safety system, regardless of whether it's a Triconex or not, you should be asking questions about what you should do" to secure it, he says.

Dean Weber, CTO of IoT security firm Mocana, argues that TRITON/TRISIS's targeting of plant safety systems should have come as no surprise: Stuxnet and BlackEnergy should have been the wake-up call for the threat of cyberattacks that manipulate physical safety and processes in industrial plants, he says.

"We've been screaming about this for years: Stuxnet was the first … piece of code that attacked the safety systems," says Weber. "It was a compromise of a safety system. The centrifuges were shaking themselves apart ... and nobody saw it," Weber notes. BlackEnergy3 attackers also waged a denial-of-service attack, he notes, on the Ukraine energy firm's phone system center, which derailed restoration and communications efforts during the power outage.

Easier Ways In

While TRITON/TRISIS exposed another potential attack vector for critical infrastructure providers and industrial networks, there still are simpler ways for attackers to get in. The TRITON/TRISIS hackers had gathered some serious intel to understand the specific SIS running in the victim plant, and then presumably conducted intense reverse-engineering of the Triconex proprietary firmware and communications protocols.

"I think we shouldn't worry about too many people imitating this type of attack because it requires really high skill of professionals to reverse-engineer everything and write those scripts, those backdoors," says David Atch, vice president of research at CyberX, who has reverse-engineered the malware sample.

Atch believes the attack was the handiwork of Iranian nation-state hackers, in part due to timestamps he reconstructed from the malware code. Neither Schneider nor other companies that have studied the malware will reveal the victim nor name an attacker, however.

There are simpler ways to wreak havoc on safety systems than TRITON/TRISIS. "The interesting thing about safety and protection systems is they provide an opportunity for very simple, basic denial-of-service attacks," says Ralph Langner, founder and CEO of Langner Communications. "If your goal is to shut down a plant, there are easier ways to do that than attack the safety systems … not even to attack it, but to trigger a shutdown condition."

Reid Wightman, a vulnerability analyst at Dragos who has studied the malware, points to other more imminent threats to OT. "A bigger problem is that a lot of networks still have remote access and it's just a matter of their leaving the network perimeter too porous," he says. "If an attacker gets onto the network, there's generally not that much security around the controllers themselves. That's where I'd be more concerned about protecting, instead of a fairly sophisticated reverse engineering-y, backdoor installer-y, attack" such as TRITON/TRISIS, he says.

Even so, the attackers behind TRITON/TRISIS could strike again, experts say. "It's very obvious to us they made mistakes in the malware, and the direction they were going was to remove safety logic and not to crash the system," Dragos' Lee notes. And it's likely the attackers eventually will try again since their campaign was found out, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
