Trisis Malware shut down the industrial safety system of a plant in the Middle East mid-November.
Also known as Triton, the Trisis malware was the first attack of its kind. It targeted Schneider Electric’s Triconex safety instrumented system (SIS). Triconex helps protect employees and the public by catching safety issues that might otherwise go unnoticed.
According to an Analysis of Safety System Targeted Malware published by Dragos, an industrial cyber security company, the exact safety implications of the malware are unknown.
“There could be risk to the safety as set points could be changed for when the safety system would or would not take control of the process in an unsafe condition,” Dragos said.
Should a safety issue arise, Triton could prevent the safety system from carrying out its designated procedure. In an industrial setting, an inhibited safety system is crippling.
#Triton or #Trisis attack: there are some noteworthy similarities to #Stuxnet (in apparent goals and approach). @ControlGlobal #cybersecurity #infosec #malware #ICS https://t.co/GzbHwZoFPl
— The CyberWire (@thecyberwire) December 19, 2017
Wired quotes Rob Lee, founder of Dragos, explaining the danger of the malware.
“Everything could still appear to be working, but you’re now operating without that safety net,” said Lee. “It depends on what the industrial process is doing, but you could absolutely have dozens of deaths.”
Cyber Security Companies Respond
Because of its significance, cyber security companies have addressed the malware at length.
“The attack of an SIS cannot be taken lightly but should not be met with hype and fear” because “the impact of hype can be far-reaching and crippling,” said Dragos.
Dragos called Trisis a “learning moment” given its status as the first malware to attack safety systems. They explained that it is a purpose-built malware that is not capable of a large-scale attack. Trisis did not expose a vulnerability in Triconex.
The malware works based on an “understanding [of] how Triconex SIS devices function,” Dragos said. It uses “ladder logic to create the desired impact on the target SIS.”
SIS systems, though used in a variety of industries, are built on specialized services and industry knowledge, according to Schneider Electric. This protects industrial SIS systems from large-scale attacks.
Dragos supported Schneider Electric:
“This was a clear attack on the community. There can be no victim blaming or product shaming that is reasonable nor will it make the community better. The implication is that adversaries are targeting SIS and defenders must live in this reality presented adapting as appropriate to ensure safety and reliability of the operations our society depends upon.”
Homeland Security News Wire called Triton a “watershed attack.” It ended when “the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check.”
Operators then found the hostile code. Although this is the only known malware attack on safety systems and it did not cause real damage, its existence remains a threat.
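The safe shutdown described above, triggered when application code between redundant processing units failed a validation check, follows a general fail-safe pattern: each redundant unit holds its own copy of the application program, the controller confirms that all copies agree before running, and any disagreement trips a safe state and leaves a record for operators. The Python below is an added illustration of that pattern, not Schneider Electric's or Triconex's code and not from this article; the three-unit layout, the ladder-logic stand-in bytes, the unit names, and the majority-vote rule are all assumptions made for the example.

```python
"""Illustrative fail-safe validation across redundant processing units.

Constructed example (not the Triconex implementation): a controller holds
N redundant processing units, each with its own copy of the application
program. Before the program runs, the controller checks that every copy
agrees; any disagreement trips a safe shutdown and records an event that
operators can investigate.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcessingUnit:
    name: str
    program_image: bytes  # the application logic this unit would execute

    def digest(self) -> str:
        # Compare a hash rather than the raw image so units only exchange
        # a short fingerprint during validation.
        return hashlib.sha256(self.program_image).hexdigest()


@dataclass
class SafetyController:
    units: List[ProcessingUnit]
    state: str = "RUN"
    events: List[str] = field(default_factory=list)

    def validate(self) -> Dict[str, object]:
        """Compare program images across units; fail safe on any mismatch."""
        digests = {u.name: u.digest() for u in self.units}
        counts = Counter(digests.values())
        consensus, votes = counts.most_common(1)[0]
        if len(counts) == 1:
            suspect: List[str] = []  # every copy agrees
        elif votes * 2 > len(self.units):
            # A strict majority agrees: treat it as the baseline and flag
            # the units that diverge from it.
            suspect = [n for n, d in digests.items() if d != consensus]
        else:
            # No majority (e.g. two units that disagree): nothing can be
            # trusted, so every unit is flagged.
            suspect = sorted(digests)
        if suspect:
            self.state = "SAFE_SHUTDOWN"
            self.events.append(f"validation failed; divergent units: {suspect}")
        else:
            self.events.append("validation ok: all units agree")
        return {"ok": not suspect, "suspect_units": suspect, "state": self.state}


def build_controller(tampered_unit: Optional[str] = None) -> SafetyController:
    """Construct three redundant units with identical images; optionally
    alter one copy so the validation check has something to catch."""
    baseline = b"LD X1\nAND X2\nOUT Y1\n"  # constructed stand-in for ladder logic
    units = [ProcessingUnit(n, baseline) for n in ("unit-A", "unit-B", "unit-C")]
    for u in units:
        if u.name == tampered_unit:
            u.program_image = baseline + b"OUT Y2\n"  # constructed extra rung
    return SafetyController(units)


if __name__ == "__main__":
    healthy = build_controller()
    print(healthy.validate())               # all units agree, state stays RUN
    changed = build_controller("unit-B")
    print(changed.validate())               # unit-B flagged, SAFE_SHUTDOWN
    print(changed.events)
```

The point of the majority rule is that a single altered copy is identified by name, which is what lets operators go straight to the affected unit after the shutdown; with only two units there is no way to tell which copy is authentic, so the controller flags both and still fails safe.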
Source of Attack
“I don’t expect this to show up in Europe and North America, but the adversary has created a blueprint to go after safety systems,” Lee said. “That tradecraft is what they’re testing out.”
The cybersecurity company FireEye asserts that, although responsibility for the attack is unknown, a nation state likely sponsored it.
“The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor,” FireEye said.
Industrial damage can have far-reaching effects beyond the plant itself. A chemical leak or burst pipe that a safety system fails to flag could result in environmental disaster.
Dragos offers defensive tips in its analysis, including placing safety systems on isolated networks and restricting access to safety controllers. Trisis is sophisticated, but cybersecurity companies are aware of it and forthcoming with information on how to counter it.