INDUSTRIAL CYBER SECURITY: CASE HISTORY ON THE TRITON ATTACK – THE WORLD’S MOST DANGEROUS MALWARE
As the world’s largest industrial complexes undergo digitization, and as the Industrial Internet of Things (IIoT) is integrated into oversight, management, operation and production, the attack surface of this new way of doing business grows with it. We wrote about some of the reasons to invest in cyber security in our previous article.
Evaluating and predicting the risk of a cyber attack on an industrial control system is becoming harder, because the malware that targets such systems keeps evolving, becoming both more sophisticated and harder to notice. Given how complex operations at most critical infrastructure sites are today, the cyber security challenge is manifold: it requires vigilant monitoring of both the safety of the hardware in use and the security of the software that drives the production process.
Over roughly the last decade the number of cyber attacks on industrial plants and similar critical infrastructure sites has risen steadily, with several families of malware aimed specifically at Industrial Control System (ICS) networks around the world. The first large documented incident was Stuxnet, discovered in 2010, which manipulated the programmable logic controllers (PLCs) of a uranium enrichment site in Iran and physically damaged centrifuges by driving them outside their safe operating range.
Stuxnet was followed in 2012 by Shamoon, a disk-wiping attack that destroyed tens of thousands of corporate workstations at a Middle Eastern hydrocarbon company; unlike Stuxnet it hit the business IT estate rather than the control system itself. Ukraine’s electrical grid was then attacked in December 2015 and again in December 2016; the 2016 attack used Industroyer, malware that speaks grid control protocols natively and cut power to part of Kyiv for about an hour, with the clear intent of switching off electricity to whole urban areas. Given the risk these cyberweapons pose to large companies, their employees and the wider population, the pressure on heavy industry to perfect the surveillance and protection of its already closely monitored safety systems only grows.
A relatively new addition to this web of malicious software, aimed at the core infrastructure of some of the world’s largest natural resource producers and suppliers, is Triton (also known as TRISIS or HatMan). News of Triton first broke in December 2017, when the malware was found in the systems of a Middle Eastern petrochemical plant.
Its purpose was to reprogram and abuse the plant’s Triconex Safety Instrumented System (SIS), the layer whose only job is to bring the process to a safe state when something goes wrong. An attack on that layer had the potential to cause a major release into the marine environment, and even loss of life through an explosion.
Triton, variously called the world’s most murderous and most dangerous malware, resurfaced in 2019, when a second victim with a similar industrial network was identified.
HOW DOES TRITON OPERATE?
Like other ICS-targeting malware, Triton aims to compromise the safety systems of industrial hardware, directly affecting operational safety by subverting the software that controls it. A recent study by ATS’s primary partner, Cisco Systems, and its IoT security research team lays out the details of the attack procedure.
After gaining a foothold in Petro Rabigh’s internal IT network, the attackers moved into the operational technology (OT) network and compromised an engineering workstation within the safety system. From that workstation they launched a dropper (trilog.exe), built on a reverse-engineered implementation of TriStation, the proprietary engineering protocol used to program Triconex controllers. Safety instrumented systems such as Triconex monitor process values and parameters in order to catch every hazardous condition an industrial process can produce. Once a value moves more than marginally outside its safe range, the SIS raises alarms and takes control of the process, establishing safety by whatever means necessary; in practice that often means a temporary halt to production, which costs time and money. Without these systems and their emergency logic, however, the potential for environmental, financial or personnel harm is far greater.
The dropper’s goal was to implant a backdoor into the plant’s Triconex safety controllers (the safety PLCs themselves). With that in place the attackers would have had full control over the safety logic, able to alter or suppress it at will. Fortunately, an error in the attackers’ handling of the controllers caused them to fail a validation check and trip into their fail-safe state, shutting down production and so preventing a gas release and an explosion with potentially fatal consequences. What made the attack especially disturbing was that the intrusion went completely unnoticed by the control room engineers; it was only uncovered by the investigators brought in after the shutdown, months after the attackers had first gained access. One practical check that follows from this case: Triconex controllers accept program changes only while their physical key switch is in the PROGRAM position, so the key should be returned to RUN outside maintenance windows and its position should be logged and reviewed.
PLANS OF PROTECTION
Those working on the front line against malware such as Triton have developed several approaches for detecting and countering these attacks efficiently. As the growing complexity of malware aimed at industrial sites shows, cyber security has to extend to every level of operation.
This means applying security controls to every area of monitoring, management, operation and production, including, for example:
- ICS oversight
- Applying cyber security to OT infrastructure
- Network segmentation
ICS OVERSIGHT
Closely monitoring the Industrial Control System of a site involves several distinct processes. It begins with an asset inventory (you cannot protect a controller you do not know exists), continues with real-time monitoring of control networks and the data flowing over them, and relies on experienced threat intelligence teams to help design secure infrastructure and carry out routine audits of the safety protocols. Done on a comprehensive scale, this aspect of cyber security results in continued, reliable protection of industrial operations.
CYBER SECURITY APPLIED TO OT INFRASTRUCTURE
Once the company’s hardware assets have been inventoried, securing the infrastructure also means baselining day-to-day communication patterns (which hosts talk to which controllers, over which protocols) and mapping the network topology, so that the structure and flow of the production process are understood well enough for deviations to stand out.
NETWORK SEGMENTATION
Another important aspect of protection against cyber threats is network partitioning. Experts recommend segmentation policies in line with the IEC 62443 zones-and-conduits model: assets with similar security requirements are grouped into zones, and only explicitly defined conduits are allowed to carry traffic between them. If one zone is exposed and compromised, the conduits limit how far the attacker can reach, rather than leaving the whole industrial network open. In the Triton case, the engineering protocol that reprograms the SIS should only ever be reachable from the SIS engineering zone, never from the corporate IT network or the general control network.
When considering the security of the whole site, in terms of both the IT threats discussed here and the different kinds of process safety risk, threat detection has to become all-encompassing. The relevant techniques include protocol analysis, intrusion detection, behavioral analysis and OT threat intelligence, used together to find vulnerable assets and anomalous activity. These same operations produce the data, especially incident reports, that must be compiled and categorized in order to carry out routine safety checks and to report them as the safety regulations of your industry require.
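The following is an added example, not code from the original article, from Cisco or from any vendor, illustrating both the attack path described above (TriStation traffic reaching the SIS from the wrong place) and the zones-and-conduits policy just discussed. It declares a small set of IEC 62443-style zones, an explicit allow-list of conduits, and then checks constructed Zeek-style connection records against that policy, flagging any flow without a declared conduit and calling out TriStation traffic from outside the SIS engineering zone specifically. The addressing, zone names and conduit table are assumptions chosen for the demonstration; the one protocol fact taken from the published Triton analyses is that TriStation runs over UDP port 1502.

```python
"""Zone/conduit flow check over constructed conn.log-style records.

Added illustrative example; not code from the article or any vendor.
Zone addressing and the conduit table below are assumptions for the demo.
"""
from ipaddress import ip_address, ip_network

# IEC 62443-style zones: name -> networks (assumed addressing plan)
ZONES = {
    "IT":      [ip_network("10.10.0.0/16")],   # corporate network
    "DMZ":     [ip_network("10.20.0.0/24")],   # IT/OT demilitarized zone
    "OT_CTRL": [ip_network("10.30.0.0/24")],   # DCS / basic process control
    "SIS_ENG": [ip_network("10.40.1.0/24")],   # SIS engineering workstations
    "SIS":     [ip_network("10.40.2.0/24")],   # Triconex safety controllers
}

TRISTATION_UDP_PORT = 1502  # TriStation engineering protocol (documented)

# Conduits: (src_zone, dst_zone, proto, dst_port) that are explicitly allowed.
# Anything not listed is a violation (default deny between zones).
CONDUITS = {
    ("IT", "DMZ", "tcp", 443),
    ("DMZ", "OT_CTRL", "tcp", 443),
    ("OT_CTRL", "SIS", "tcp", 502),                  # assumed Modbus/TCP reads by the DCS
    ("SIS_ENG", "SIS", "udp", TRISTATION_UDP_PORT),  # only SIS engineering may program the SIS
}


def zone_of(ip: str) -> str:
    """Map an IP address to its zone name, or UNKNOWN if it is unassigned."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_conn_log(text: str):
    """Parse whitespace-separated records: ts src sport dst dport proto."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto.lower()})
    return flows


def check_flows(flows):
    """Return (flow, reason) pairs for inter-zone flows with no declared conduit."""
    violations = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone:
            continue  # intra-zone traffic is outside the conduit policy
        if (src_zone, dst_zone, f["proto"], f["dport"]) in CONDUITS:
            continue
        reason = f"no conduit {src_zone}->{dst_zone} {f['proto']}/{f['dport']}"
        if f["proto"] == "udp" and f["dport"] == TRISTATION_UDP_PORT:
            # The Triton path: engineering protocol reaching the SIS from elsewhere
            reason = f"TriStation from outside SIS_ENG zone ({src_zone}->{dst_zone})"
        violations.append((f, reason))
    return violations


# Constructed sample records, not real traffic.
SAMPLE_LOG = """# ts src sport dst dport proto
1502000001 10.10.5.23 51234 10.20.0.10 443 tcp
1502000002 10.40.1.15 51235 10.40.2.7 1502 udp
1502000003 10.10.5.23 51236 10.40.1.15 445 tcp
1502000004 10.30.0.50 51237 10.40.2.7 1502 udp
1502000005 10.30.0.50 51238 10.40.2.7 502 tcp
"""

if __name__ == "__main__":
    for flow, reason in check_flows(parse_conn_log(SAMPLE_LOG)):
        print(f"{flow['ts']} {flow['src']} -> {flow['dst']} "
              f"{flow['proto']}/{flow['dport']}: {reason}")
```

Run against the sample, the checker lets the IT-to-DMZ web session, the engineering workstation’s legitimate TriStation session and the DCS’s Modbus reads through, and reports two violations: an SMB connection from a corporate host to an SIS engineering workstation (the kind of lateral movement that preceded the Triton deployment) and a TriStation session to a safety controller from the control network rather than the SIS engineering zone. A real deployment would populate the zone map from the asset inventory and feed it live conn.log output instead of the embedded sample.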
LESSONS LEARNED
While the integration of IT, cloud and industrial control systems (ICS) under the banner of the Fourth Industrial Revolution (Industry 4.0) has pushed industry boldly forward in recent decades, the digitization of vertical and horizontal value chains has also posed unprecedented challenges to industrial cyber security.
Protecting internal networks means closer monitoring of all automated processes, especially those involving cyber-physical systems (CPS) and IIoT, together with the data transfers and cloud services they depend on.
With adequate, tightly controlled oversight of industrial procedures, both IT and OT, industry protects not only itself but also its customers and the wider public.