Yet another cyber attack on a critical infrastructure installation ought to send yet another warning to operators of industrial control systems (ICS) that it is long past time to harden their defenses.
The attack, reportedly on a facility somewhere in the Middle East, was reported in early December by the Mandiant division of FireEye, and later by Dragos. It targeted Triconex safety instrumented system (SIS) controllers made by Schneider Electric. Mandiant labeled the malware TRITON; Dragos named it TRISIS.
SIS controllers are supposed to do what the name implies: monitor the process an ICS is running and, if it leaves its safe operating limits, bring it to a safe state (usually a shutdown) to prevent bad things like damage or destruction of the equipment, potentially life-threatening accidents, or an environmental disaster.
Taking control of them would allow an attacker to cause physical damage, Mandiant said.
Fortunately, this attack failed. The SIS controllers detected an anomaly and entered a failed-safe state, tripping the process rather than continuing to run, which shut down operations before the intruders could deliver a destructive payload and prompted the owners to investigate.
According to Mandiant, the owners found that “application code between redundant processing units failed a validation check.” Mandiant added that “the targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations.”
The SIS controllers didn’t actually detect the malware, which functioned as a remote access Trojan (RAT) on the controller. But Michael Fabian, principal consultant with the Synopsys Software Integrity Group (SIG), said they did detect an anomaly: the validation error cited by Mandiant. “So it initiated a clean shutdown. That’s what it’s designed to do,” he said.
Mandiant didn’t attribute the attack to any person or organization specifically but said it was “consistent with a nation-state preparing for an attack.”
And while it acknowledged that this is just the latest in a long string of attacks against ICSs (it cited Stuxnet, which in 2010 was reported to have damaged uranium-enrichment centrifuges at Iran’s Natanz facility, and Industroyer, which caused a power outage in Kyiv, Ukraine, in December 2016), Mandiant said the ability to disable safety systems could cause high-impact damage.
So how ominous is the threat? Does it reach a possible catastrophic level, where whole sections of the nation go dark for weeks or months? Or is it more like any number of natural disasters—serious, but not disabling the grid long-term?
Opinions tend to be all over the map.
“Cyber Pearl Harbor” warnings have been issued multiple times over the past decade, most famously by then Defense Secretary Leon Panetta in October 2012, and then four years later, in December 2016, by Adm. James Stavridis, former NATO supreme allied commander.
Both said a likely target would be the U.S. energy grid.
“It is going to come at either the grid or the financial sector,” Stavridis told CNBC at the time.
“It is the greatest mismatch between the level of threat, very high, and the level of preparation, quite low.”
The grid is indeed a very attractive target if you want to cripple anything from an enterprise to a nation-state.
Heat, lights, refrigeration, water, factories, financial services, power equipment, groceries, retail, entertainment, and yes, the internet—all depend on the grid.
But most experts say TRITON/TRISIS is likely not a catastrophic threat. Both Mandiant and Dragos said this type of attack would be difficult to scale, because attackers would have to write new code for every facility they targeted.
“Each SIS is unique and to understand process implications would require specific knowledge of the process,” wrote Dragos CEO Robert M. Lee on the company blog. “This means that this malware must be modified for each specific victim reducing its scalability.”
But with the TRITON code now in the wild, other attackers can use it as a template.
“To my knowledge, it is the only in-the-wild exploit that combines standard PC (x86) code to attack a remote PowerPC system,” said Reid Wightman, vulnerability researcher at Dragos, “so just from an embedded point of view it is a pretty big deal. The fact that it is attacking a safety controller is also entirely new.”
Joe Weiss, managing partner at Applied Control Solutions, said the attack was significant in that it was the first time a RAT had been able to get into an SIS controller. But other than that, he said, it was low-level.
“Stuxnet was successful,” he said. “This was a total failure.”
But he and others also say this illustrates how lacking in basic security most ICS installations are—a majority lack fundamentals like encryption and authentication.
Ironically, Fabian said, if the facility operators had correctly used a safeguard they almost certainly already had, the controller’s physical key switch, they might have prevented the attack altogether.
“A lot of systems have a key switch, like a hardware interlock,” he said. “It won’t accept changes if it’s in run mode, without a second verification. But a lot of operators are lazy—the key switch is somewhere out in the field, so they leave it in program mode so they can make changes remotely and don’t have to go out there to do it.”
A controller left in program mode will accept logic downloads over the network from any host that can reach it, so a remote attacker who gets onto that network path can do exactly what the operator does from a distance, without the walk out to the cabinet.
James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology, said the ICS industry still hasn’t adapted to the fact that it is now part of the connected world.
“Many ICS networks were designed before there was an appreciation for cyber hygiene, authentication mechanisms, or encryption,” he said. “So, many lack foundational defensive layers.”
That, he said, has led to an increasing risk of major damage. If they fail to improve their security, “their networks will be compromised—they likely already are infected—and eventually, a threat actor will activate their malware’s destructive capabilities before personnel discover the malware or RAT.”
Beyond that is the reality that many ICS facilities integrate safety systems and distributed control systems (DCSs), which can undermine the security of both.
Mandiant said integrating DCSs and SISs has been attractive to ICS operators because of “lower cost, ease of use, and benefits achieved from exchanging information between the DCS and SIS.”
But, it said, TRITON “acutely demonstrates the risk associated with integrated designs.”
Weiss agrees. “Mixing control and safety is unsafe because you effectively lose safety,” he wrote on the Unfettered blog.
Fabian said it’s a bit more complicated than that. “Segmentation is good, but it’s not totally possible,” he said. “If it’s an oil refinery, you have all of these separate entities like boilers etc. It’s like little cells that are all connected.
“You need plant automation that doesn’t let all the cells talk to the safety system because they don’t need to. But some elements of the DCS send alerts to the SIS.”
“You just have to govern that traffic,” he said.
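The traffic governance Fabian describes, and the key-switch audit the earlier passage calls for, as one worked example added here that is not code from the article, from Synopsys, or from any vendor product. It runs an allowlist check over constructed flow records for a safety-system segment and flags controllers whose key has been left in PROGRAM mode when no maintenance is scheduled. The addresses, the maintenance window, the Modbus/TCP status read, and the assumption that engineering-workstation programming traffic to a Triconex controller is TriStation on UDP/1502 are all illustrative assumptions; confirm the port, the approved DCS-to-SIS paths, and the key positions against your own captures and change-control records before using anything like this for real.

```python
# Added example (not from the article or any vendor): minimal traffic governance
# for a safety-system segment plus a key-switch audit. All names, addresses and
# times below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, time

# Assumption: TriStation programming traffic to Triconex controllers is UDP/1502.
# Verify against your own packet captures before relying on it.
TRISTATION_UDP_PORT = 1502


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass
class Policy:
    sis_controllers: set           # addresses of the safety controllers
    engineering_workstations: set  # the only hosts allowed to program them
    dcs_to_sis_allowed: set        # (proto, dport) pairs the DCS may use toward the SIS
    maintenance_window: tuple      # (start, end) local times when programming is sanctioned
    key_switch_program_mode: dict = field(default_factory=dict)  # controller -> True if key in PROGRAM


def in_window(ts: datetime, window) -> bool:
    start, end = window
    return start <= ts.time() <= end


def check_flow(flow: Flow, policy: Policy) -> list:
    """Return findings for one flow toward the SIS; an empty list means it is permitted."""
    findings = []
    if flow.dst not in policy.sis_controllers:
        return findings  # only traffic *toward* the safety controllers is governed here

    is_programming = flow.proto.lower() == "udp" and flow.dport == TRISTATION_UDP_PORT
    if is_programming:
        # Programming must come from a designated engineering workstation, in a window.
        if flow.src not in policy.engineering_workstations:
            findings.append(f"{flow.src} sent programming traffic to SIS {flow.dst}")
        if not in_window(flow.ts, policy.maintenance_window):
            findings.append(f"programming traffic to {flow.dst} outside maintenance window")
    elif (flow.proto.lower(), flow.dport) not in policy.dcs_to_sis_allowed:
        # Everything else from the DCS side is limited to the explicit alert/status paths.
        findings.append(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport} is not an allowed DCS-to-SIS path")
    return findings


def audit_key_switches(policy: Policy, now: datetime) -> list:
    """Controllers left in PROGRAM mode outside a maintenance window accept remote logic downloads."""
    if in_window(now, policy.maintenance_window):
        return []
    return [c for c, in_program in policy.key_switch_program_mode.items() if in_program]


def run(flows, policy: Policy) -> dict:
    """Map flow index -> findings, for flows that produced any."""
    results = {}
    for i, flow in enumerate(flows):
        findings = check_flow(flow, policy)
        if findings:
            results[i] = findings
    return results


# --- constructed sample data (not real plant data) ---------------------------
POLICY = Policy(
    sis_controllers={"10.10.2.10", "10.10.2.11"},
    engineering_workstations={"10.10.1.5"},
    dcs_to_sis_allowed={("tcp", 502)},  # e.g. Modbus/TCP status reads only (assumption)
    maintenance_window=(time(8, 0), time(12, 0)),
    key_switch_program_mode={"10.10.2.10": True, "10.10.2.11": False},
)

SAMPLE_FLOWS = [
    Flow(datetime(2017, 12, 1, 9, 15), "10.10.1.5", "10.10.2.10", "udp", 1502),    # EWS, in window: ok
    Flow(datetime(2017, 12, 1, 23, 40), "10.10.1.5", "10.10.2.10", "udp", 1502),   # EWS, late at night
    Flow(datetime(2017, 12, 1, 23, 41), "10.10.3.77", "10.10.2.11", "udp", 1502),  # DCS host programming SIS
    Flow(datetime(2017, 12, 1, 10, 0), "10.10.3.77", "10.10.2.10", "tcp", 502),    # allowed status read
    Flow(datetime(2017, 12, 1, 10, 1), "10.10.3.77", "10.10.2.10", "tcp", 445),    # SMB toward SIS
]

if __name__ == "__main__":
    for idx, findings in run(SAMPLE_FLOWS, POLICY).items():
        print(f"flow {idx}: " + "; ".join(findings))
    print("key in PROGRAM outside window:", audit_key_switches(POLICY, SAMPLE_FLOWS[2].ts))
```

The point of the split between `check_flow` and `audit_key_switches` is that the two controls fail independently: a network allowlist does nothing if the engineering workstation itself is compromised, and a key switch does nothing if it is left in PROGRAM, so both the traffic and the physical key position need to be checked against the same maintenance schedule.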
One thing everybody agrees on is that attacks like this will continue.
Weiss said even though this one failed, “there was some very interesting stuff they were able to accomplish. There is no motivation for something like this other than physical destruction—and now Iran is aware of it.”
But Fabian said he remains hopeful, given that there is a geopolitical element to attacking a nation’s critical infrastructure. “We’re not going to just sit there and take it,” he said, “and I think our (cyber) capabilities are probably more significant than that of others.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.