As the world’s largest industrial complexes undergo digitization efforts, and as the Industrial Internet of Things (IIoT) becomes integrated into processes of oversight, management, operation and production, the number of potential threats to this new way of business also rises. We wrote about some of the reasons to increase your cyber security in our previous article.
Evaluating and predicting the risk of cyber attacks on your industrial control system is becoming more difficult, as the malware targeting it keeps evolving, becoming both more sophisticated and more insidious. Considering the complexity of operations in most critical infrastructures today, the challenges of cyber security are manifold, requiring detailed and vigilant monitoring of both the safety of the hardware in use and the security of the software that assists the production process.
Starting a decade ago, the number of cyber attacks on industrial plants and similar critical infrastructure sites has been rising steadily, with different types of malware targeting Industrial Control System (ICS) networks all over the world. The first large documented incident was Stuxnet, discovered in 2010, which targeted the Siemens programmable logic controllers (PLCs) driving centrifuges at a uranium enrichment site in Iran. It damaged the centrifuges physically while reporting normal operation to the operators.
Other attacks on the sector followed. The Shamoon attack of 2012 hit a Middle Eastern hydrocarbon company, though it was a disk-wiping attack on the company's IT network rather than on its supervisory control and data acquisition (SCADA) systems. In Ukraine, the December 2015 attack on regional distribution companies cut power to urban areas after attackers operated breakers manually through the compromised HMIs, and the December 2016 attack on a Kyiv transmission substation used Industroyer, the first malware to automate grid disruption by speaking the substation protocols directly. Given the risk these cyber weapons pose to large companies, their employees and the wider population, the need for heavy industry to improve the monitoring and protection of its already closely watched control systems only grows.
A relatively new addition to the existing web of malicious software targeting the core infrastructure of some of the world's largest natural resource producers and suppliers is Triton (also known as TRISIS or HatMan). The news of Triton first broke in 2017, when the malware was detected in the systems of a Middle Eastern petrochemical plant.
Its purpose was to reprogram the plant's Triconex Safety Instrumented System (SIS), the layer whose only job is to bring the process to a safe state when something goes wrong. Disabling it could have allowed a hazardous release, with consequences for the surrounding marine environment and the potential for loss of life in an explosion.
Triton, described in press coverage as both the world's most murderous and most dangerous malware, resurfaced in 2019, when the same actor was reported at a second critical infrastructure facility.
HOW DOES TRITON OPERATE?
Unlike most ICS malware, which goes after the controllers that run the process, Triton targets the safety layer: it reaches the SIS through the engineering software that programs it, so that the controls which should stop an unsafe process can no longer be trusted. A recent study carried out by ATS's primary partner, Cisco Systems, and their IoT Security Lab, uncovers the details of the malware's attack procedure.
After gaining access to Petro Rabigh's internal IT network, the attackers moved into the operational technology (OT) network and compromised the engineering workstation used to program the safety system. From this station they launched a dropper (trilog.exe) that spoke TriStation, the proprietary protocol between the workstation and the Triconex controllers, which the attackers had reverse-engineered in order to build it.
Safety Instrumented Systems such as Triconex continuously monitor process values (pressures, temperatures, levels) against their safe limits. When a value leaves its safe range, the SIS raises alarms and trips the process to a safe state, usually a shutdown, which can cost substantial time and money but is exactly what prevents a dangerous release. Without these safety systems and their emergency logic, environmental, financial and employee safety hazards rise significantly.
The goal of the dropper was to install a backdoor implant on the plant's Triconex safety controllers, giving the attackers the ability to read and rewrite the controller's memory and logic at will, and so to disable or falsify the safety function while the process kept running. Two details matter for defenders. First, a Tricon controller only accepts program changes over TriStation when its physical key switch is in PROGRAM mode; the affected controllers had been left in that position, so the cheapest control against this attack is simply to keep the key in RUN outside maintenance windows. Second, the attempt was exposed by luck rather than detection: a fault in the attackers' implant caused the controllers to fail a validation check and trip to their fail-safe state, halting production. What made the incident especially disturbing was that the trips were initially treated as equipment faults by the control room engineers, and the intrusion was only identified when a team of Schneider Electric investigators examined the engineering workstation several months later.
PLANS OF PROTECTION
Those working on the front lines of battling malware such as Triton have developed several approaches to detecting and countering these attacks. As the increasingly complex nature of malicious software targeting industrial sites shows, cyber security must be extended to all levels of operation.
This is done by applying security controls to all areas of monitoring, management, operation and production, including:
- ICS oversight
- Applying cybersecurity to OT infrastructure
- Network segmentation
ICS OVERSIGHT
Closely monitoring the Industrial Control System (ICS) of an industrial site involves several processes. It begins with an asset inventory (every controller, workstation and network device, with firmware and logic versions), followed by continuous monitoring of the control networks and the data flowing over them. Experienced threat intelligence teams assist in designing a secure architecture and carry out routine audits of the security controls. Implemented comprehensively, this aspect of cyber security provides continued and reliable protection of industrial operations.
CYBER SECURITY APPLIED TO OT INFRASTRUCTURE
After inventorying the company's hardware assets, securing the infrastructure also means learning the normal daily communication pattern: which hosts talk to which, over which protocols, and when. A learned baseline of the network topology makes it possible to spot the flows that do not belong, such as an IT host reaching into the control network or a new machine speaking an engineering protocol to a controller.
NETWORK SEGMENTATION
Another important aspect of protection against cyber threats is network segmentation. Experts recommend segmentation policies in line with the IEC 62443 model of zones and conduits: assets with the same security requirements are grouped into zones, and traffic between zones is only allowed through explicitly defined conduits. If one zone is compromised, the segmentation limits what the attacker can reach in the rest of the plant. The SIS in particular belongs in its own zone, with the engineering workstation as the only permitted source of programming traffic.
When considering the security of the whole industrial site, addressing both IT threats and process safety risks, threat detection must be comprehensive. It combines protocol analysis, intrusion detection, behavioural analysis and OT threat intelligence to identify vulnerable assets and anomalous activity. These techniques also support the collection and categorisation of data, especially incident reports, which are needed for routine safety reviews and for meeting the industry's safety regulations.
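The checks described in the three sections above (a learned communication baseline, IEC 62443 zone and conduit policy, and host-level policing of the TriStation engineering protocol) can be expressed directly as detection logic. The following is an added example written for this page, not code from Cisco, Schneider Electric or the Triton report: the addresses, zone boundaries, the single permitted engineering workstation and the flow records are all constructed. It assumes TriStation runs over UDP port 1502, and that flow records arrive as `src dst proto dport` lines.

```python
"""Zone/conduit policy and communication-baseline checks over constructed flow records."""
from dataclasses import dataclass
import ipaddress

# --- Zone model in the IEC 62443 style (hypothetical address plan) ---
ZONES = {
    "corporate_it": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":          ipaddress.ip_network("10.1.0.0/24"),
    "control":      ipaddress.ip_network("10.2.0.0/24"),   # DCS and engineering workstations
    "safety":       ipaddress.ip_network("10.3.0.0/24"),   # Triconex SIS controllers
}

# Permitted conduits as (src_zone, dst_zone, proto, dst_port); anything else crossing zones is a violation.
CONDUITS = {
    ("corporate_it", "dmz", "tcp", 443),
    ("dmz", "control", "tcp", 443),
    ("control", "safety", "udp", 1502),   # TriStation, only from the engineering workstation (see below)
}

TRISTATION_PORT = 1502                    # assumed UDP port for TriStation
TRISTATION_CLIENTS = {"10.2.0.10"}        # assumed: the one SIS engineering workstation


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

    def key(self):
        return (self.src, self.dst, self.proto, self.dport)


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text):
    """Parse constructed 'src dst proto dport' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def check_conduits(flows):
    """Flows that cross a zone boundary outside any permitted conduit (zone-level policy)."""
    violations = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz:
            continue                         # intra-zone traffic is policed separately
        if (sz, dz, f.proto, f.dport) not in CONDUITS:
            violations.append(f)
    return violations


def check_tristation(flows):
    """TriStation programming traffic from any host other than the known engineering workstation.

    A conduit rule alone lets any control-zone host reach the SIS; this adds host granularity."""
    return [f for f in flows
            if f.proto == "udp" and f.dport == TRISTATION_PORT
            and f.src not in TRISTATION_CLIENTS]


def new_pairs(baseline_flows, current_flows):
    """Communication pairs absent from the learned baseline (the 'daily pattern' check)."""
    known = {f.key() for f in baseline_flows}
    return sorted({f.key() for f in current_flows} - known)


# Constructed sample data: a learned baseline and one day's traffic containing three anomalies.
BASELINE_LOG = """
# src        dst        proto dport
10.0.5.23    10.1.0.4   tcp   443
10.1.0.4     10.2.0.10  tcp   443
10.2.0.10    10.3.0.5   udp   1502
"""
TODAY_LOG = BASELINE_LOG + """
10.0.5.23    10.2.0.10  tcp   3389
10.2.0.11    10.3.0.5   udp   1502
10.2.0.10    10.3.0.6   udp   1502
"""


def report():
    """Run all three checks on the constructed data and return the findings."""
    baseline, today = parse_flows(BASELINE_LOG), parse_flows(TODAY_LOG)
    return {
        "conduit_violations": [f.key() for f in check_conduits(today)],
        "tristation_from_unexpected_host": [f.key() for f in check_tristation(today)],
        "new_pairs": new_pairs(baseline, today),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(name)
        for item in findings:
            print("   ", item)
```

Each check catches something the others miss. The RDP session from the IT host into the engineering workstation is a conduit violation; the second control-zone host speaking TriStation passes the zone policy but fails the host-level check; and the engineering workstation programming a controller it never touched before passes both policies and only shows up against the baseline. That last case is the one that resembles Triton, where the traffic came from the legitimate workstation, which is why the baseline and the controller key switch matter as much as the firewall.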
LESSONS LEARNED
While the integration of IT, cloud and industrial control systems (ICS) in the Fourth Industrial Revolution (Industry 4.0) has been pushing the industry boldly forward in recent decades, the digitisation of vertical and horizontal value chains has also posed unprecedented challenges to industrial cyber security.
Protecting internal networks means increased monitoring of all automated processes, especially those involving cyber-physical systems (CPS) and IIoT, together with the data transfers and cloud services that connect them.
With adequate, tightly controlled oversight of industrial procedures, both IT and OT, the industry protects not only itself, but its consumers and the wider public.