Industrial Safety Systems in the Bullseye

Published: 22/11/2024   Category: security




TRITON/TRISIS attack on Schneider Electric plant safety systems could be re-purposed in future attacks, experts say.



No doubt it could have been far worse, even catastrophic. The attackers behind the malware now known as TRITON/TRISIS, discovered embedded in a Schneider Electric customer's safety system controller late last year, apparently made a misstep: their attack failed and instead caused two of the plant's safety instrumented systems (SISes) to shut down an industrial process. That outage led to the discovery of the customized backdoor malware in the Middle East industrial plant.
No smoking-gun exploit to wreak physical damage in the plant was found, according to Schneider and other investigators who studied the attack. But TRITON/TRISIS exposed yet another breed of system that attackers can now target to compromise industrial operations: the physical safety control systems, aka SISes, that provide automatic emergency shutdown of a plant process, such as an oil refinery process that exceeds safe temperatures.
"If you want to attack a chemical plant or a refinery that has safety instrumented systems, that's the best place to start: you can put in a time bomb," says Eddie Habibi, founder and CEO of ICS security vendor PAS Global. "A SIS is designed to prevent disasters. When it needs to, the SIS kicks in and brings down the plant safely and gradually. If it doesn't kick in [because it's been compromised], bad things can happen."
TRITON/TRISIS joins the annals of game-changer industrial malware attacks like Stuxnet and BlackEnergy3 that ultimately led to the sabotage of their targets' industrial processes: Stuxnet forced centrifuges in Iran's Natanz nuclear facility to spin out of control and fail, and BlackEnergy3 led to a power outage for 225,000 Ukrainian power customers in December of 2015.
While TRITON/TRISIS was created to target a specific model and firmware version of Schneider's Triconex Tricon SIS, this type of attack could be retooled to target other major ICS/SCADA vendors' SIS products and customers, security experts say.
This new reality is not lost on Schneider, nor on some of its competitors. "The tradecraft here … the idea now that there is a player with this kind of skill has to be an industry problem," says Andrew Kling, director of cyber security and software practices for Schneider Electric.
Less than two weeks after the attack was first made public by FireEye, ICS/SCADA vendor ABB issued an advisory for its customers about TRITON/TRISIS. "While currently we have no indication that a similar malware exists which is targeting other safety products, conceptually the attack scheme can also be used against any sufficiently similar safety system, incl. ABB systems," the ABB advisory said.
ABB also listed security recommendations for its customers to mitigate a similar attack, including segregating ICS networks, installing valid vendor patches on engineering-system operating systems, and updating antivirus with new signatures for the malware.
Siemens' Harry Brian, product solution and security expert in the company's digital factory division, points to Siemens' secure software development lifecycle program, which covers software for its Simatic S7 industrial controllers, Simatic industrial PCs, Simatic Human Machine Systems Interface devices, Simatic PCS7, Scalance network devices, Simatics drives, and its Totally Integrated Automation Portal engineering software.
"Threats to Industrial Control Systems are taken seriously by Siemens," Brian said in an email response to questions about Siemens' view of a TRITON/TRISIS-type threat to its products, but he did not comment on Siemens' plans or possible concerns about a TRITON/TRISIS-type threat targeting Siemens' SIS products.
Siemens' SIS family includes the Simatic Safety Integrated for Process Automation system.
He pointed to the company's internal CERT, which fields and handles security vulnerability reports about its products, as part of its strategy for responding to malware threats in general. Siemens works in conjunction with several other CERT organizations worldwide to coordinate threat intelligence and security vulnerability information, he said.
Siemens recommends defense-in-depth practices, software patching, and running up-to-date versions of its products as a way to protect against threats, according to Brian.
"TRISIS is the first time we've seen something that's gotten to the heart of the engineering department in operations technology (OT)," notes Rob Lee, CEO and founder of Dragos, whose firm has analyzed the TRITON/TRISIS malware. "If you have a safety system, regardless of whether it's a Triconex or not, you should be asking questions about what you should do to secure it," he says.
Dean Weber, CTO of IoT security firm Mocana, argues that TRITON/TRISIS's targeting of plant safety systems should have come as no surprise: Stuxnet and BlackEnergy should have been the wake-up call for the threat of cyberattacks that lead to manipulating physical safety and processes in industrial plants, he says.
"We've been screaming about this for years: Stuxnet was the first … piece of code that attacked the safety systems," says Weber. "It was a compromise of a safety system. The centrifuges were shaking themselves apart ... and nobody saw it," Weber notes. BlackEnergy3 attackers also waged a denial-of-service attack, he notes, on the Ukrainian energy firm's phone system center, which derailed restoration and communications efforts during the power outage.
Easier Ways In
While TRITON/TRISIS exposed another potential attack vector for critical infrastructure providers and industrial networks, there are still simpler ways for attackers to get in. The TRITON/TRISIS hackers had gathered serious intelligence to understand the specific SIS running in the victim plant, and then presumably conducted intense reverse-engineering of the Triconex proprietary firmware and communications protocols.
"I think we shouldn't worry about too many people imitating this type of attack because it requires really high skill of professionals to reverse-engineer everything and write those scripts, those backdoors," says David Atch, vice president of research at CyberX, who has reverse-engineered the malware sample.
Atch believes the attack was the handiwork of Iranian nation-state hackers, in part due to timestamps he reconstructed from the malware code. Neither Schneider nor the other companies that have studied the malware will reveal the victim or name an attacker, however.
There are simpler ways to wreak havoc on safety systems than TRITON/TRISIS. "The interesting thing about safety and protection systems is they provide an opportunity for very simple, basic denial-of-service attacks," says Ralph Langner, founder and CEO of Langner Communications. "If your goal is to shut down a plant, there are easier ways to do that than attack the safety systems … not even to attack it, but to trigger a shutdown condition."
Reid Wightman, a vulnerability analyst at Dragos who has studied the malware, points to other, more imminent threats to OT. "A bigger problem is that a lot of networks still have remote access, and it's just a matter of their leaving the network perimeter too porous," he says. "If an attacker gets onto the network, there's generally not that much security around the controllers themselves. That's where I'd be more concerned about protecting, instead of a fairly sophisticated reverse engineering-y, backdoor installer-y attack such as TRITON/TRISIS," he says.
Even so, the attackers behind TRITON/TRISIS could strike again, experts say. "It's very obvious to us they made mistakes in the malware, and the direction they were going was to remove safety logic and not to crash the system," Dragos' Lee notes. And it's likely the attackers eventually will try again since their campaign was found out, he says.
Related Content:
Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in its Safety Controller System, and a RAT
TRITON Attacker Disrupts ICS Operations, While Botching Attempt to Cause Physical Damage
First Malware Designed Solely for Electric Grids Caused 2016 Ukraine Outage
Lessons From The Ukraine Electric Grid Hack