In December, a new malware variant specifically designed to attack industrial safety systems was identified as being responsible for causing an operational outage at a critical infrastructure facility in the Middle East.
The malware, dubbed TRITON, or TRISIS, targets Triconex safety instrumented system (SIS) controllers. It replaces the logic of SIS controllers, an action which can prevent the safety system from functioning correctly and result in physical consequences. TRITON represents the growing escalation of cyber threats being developed to target industrial control systems (ICS).
Before TRITON, industrial malware variants focused on gaining access to programmable logic controllers (PLCs), not SIS controllers specifically. Since PLCs are used to operate manufacturing processes, water and wastewater treatment facilities, energy distribution and more, ICS malware places facilities, personnel and the environment at risk.
For example, malware could reprogram these devices to shut valves, modify formulations for pharmaceutical, food and beverage products, display false readings, etc.
To date, five ICS-specific malware variants have been discovered.
- Stuxnet (2010): This was the first malware to specifically target supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs). It was responsible for causing substantial damage to Iran’s nuclear program.
- Havex (2013): A remote access Trojan (RAT) was used as part of a widespread espionage campaign targeting ICS environments across numerous industries. It scanned infected systems to locate SCADA or ICS devices on the network and sent data back to the attackers. Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems.
- BlackEnergy 2 (2014): This was modified from an existing malware variant called BlackEnergy to target human-machine interface (HMI) software from a handful of vendors, including General Electric, Advantech/Broadwin and Siemens. It was used in the cyber attack that took down the Ukrainian power grid in December 2015.
- Crash Override/Industroyer (2016): This is the first known malware designed to attack electric grid systems and was used in the December 2016 hack on a transmission substation in Ukraine. It is new and far more advanced than the general-purpose tools used to attack Ukraine’s power grid in 2015. What makes Crash Override so sophisticated is its ability to use the same protocols that individual electric grid systems rely on to communicate with one another, sometimes called control-plane protocols. Stuxnet and Triton also access these native protocols.
- Triton (2017): Since most ICS environments suffer from lack of visibility, it is difficult for organizations to identify malicious activities once an adversary gains access to the operational network. Fortunately, new technologies can detect and respond to threats like the TRITON malware in real time.
Following is an analysis of an ICS malware attack. During network and system infiltration, the adversary gains a foothold in the network and starts reconnaissance activity:
A remote connection may be used to infiltrate the industrial network. Once inside the network, the adversary can scan the network to identify ICS devices. Since ICS networks do not use authentication or encryption, an adversary can access any system—including operator or engineering workstations, HMIs, Windows servers or controllers—to identify assets to target in the attack.
Next, data exfiltration involves extracting information gathered via reconnaissance to an off-site location. An adversary could either pass the information internally from different systems to a single location where it can be extracted or open a connection to an external system for exfiltration.
In the next step, malware is installed on a workstation with access to the targeted ICS system(s) using knowledge gathered during network and system infiltration and data exfiltration. This can be accomplished via the network or by using an infected USB drive.
In the final stage, the malware replaces existing logic and uploads new ladder logic to the controller. Since this logic determines how automated processes are executed, changing or replacing it with malicious payloads can result in a wide range of operational disruptions and even physical damage to systems, the environment and humans.
Preventing a cyber attack on an ICS starts with visibility into the industrial network. That visibility can provide real-time alerts with detailed information. Meanwhile, a comprehensive audit trail can enable security professionals to accurately identify the source of an attack, the commands used and the devices impacted. This intelligence is critical for early detection of threats as well as for determining how to respond and for shortening mitigation and recovery times.
As the explanation in this article demonstrates, a successful cyber attack is a multi-stage process. To detect ICS security threats, the following capabilities are required:
- Detecting remote connections, network scanning, unauthorized system access and attempts to read controller information
- Monitoring communications between industrial systems on the network and to external systems
- Identifying any changes to controller logic, configuration and state
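As an added illustration that is not part of the original article, the following Python rule set applies the three capabilities above to a constructed stream of ICS events mirroring the attack stages described earlier (reconnaissance sweep, controller read, external connection, logic upload). The OT subnet, the engineering workstation address, the event format and the scan threshold are assumptions made for the example.

```python
"""Added example: rule-based detection of the ICS attack stages described in the
article, run over constructed event records (not real telemetry)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: the OT subnet, the only workstation allowed to
# change controller logic, and the fan-out at which a host is called a scanner.
OT_NET = ip_network("10.10.0.0/24")
ENGINEERING_WS = {"10.10.0.5"}
SCAN_THRESHOLD = 20

# Constructed events: (time, src, dst, action, detail) in arrival order.
EVENTS = (
    [(f"09:00:{n:02d}", "10.10.0.20", f"10.10.0.{n}", "connect", "")
     for n in range(30, 60)]                                        # reconnaissance sweep
    + [("09:03:00", "10.10.0.20", "10.10.0.100", "read_config", ""),        # controller read
       ("09:05:10", "10.10.0.20", "203.0.113.7", "connect", ""),            # outbound channel
       ("09:06:00", "10.10.0.5", "10.10.0.100", "logic_upload", "hash=a1"),  # legitimate
       ("09:07:30", "10.10.0.20", "10.10.0.100", "logic_upload", "hash=ff")]  # rogue
)


def detect(events):
    """Return alerts as tuples (time, rule, ...details) in detection order."""
    alerts = []
    targets = defaultdict(set)   # src -> distinct destinations contacted
    logic = {}                   # controller -> last known logic hash
    for ts, src, dst, action, detail in events:
        if action == "connect":
            targets[src].add(dst)
            if len(targets[src]) == SCAN_THRESHOLD:       # fires once per source
                alerts.append((ts, "scan", src))
            if ip_address(dst) not in OT_NET:             # OT host talking outside
                alerts.append((ts, "external", src, dst))
        elif action == "read_config" and src not in ENGINEERING_WS:
            alerts.append((ts, "controller_read", src, dst))
        elif action == "logic_upload":
            if src not in ENGINEERING_WS:
                alerts.append((ts, "unauthorized_logic_change", src, dst))
            if dst in logic and logic[dst] != detail:     # logic differs from baseline
                alerts.append((ts, "logic_changed", dst, logic[dst], detail))
            logic[dst] = detail
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The legitimate upload from the engineering workstation raises nothing and only sets the baseline hash; the later upload from the reconnaissance host raises both an authorization alert and a logic-change alert carrying the old and new hashes for the audit trail.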