In the past decade, malware has emerged that threatens not only data but also physical equipment and human lives. Stuxnet damaged centrifuges in uranium enrichment facilities, and Industroyer targeted the electrical grid in Kiev and caused a blackout in part of the city. Now a new threat, Triton (also called Trisis), targets Schneider Electric's Triconex safety instrumented systems (SIS), which operate alongside the distributed control system (DCS) that runs the process. Triton is built to modify the Triconex controller's safety logic so that it no longer performs the shutdown it is designed to trigger when the process drifts into unsafe parameters.
FireEye, the security firm whose Mandiant subsidiary handled the response, described the case in its report on the malware: “Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations.”
In fact, FireEye discovered Triton after an SIS entered a failed safe state without any clear reason. The shutdown was believed to be accidental on the attacker's part: an attacker intent on causing damage would more likely have kept the SIS running and manipulated the DCS until the process reached a condition that caused hardware failure, with no safety shutdown left to stop it.
Schneider Electric gave a statement to Wired magazine in response to the initial report: “Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICS-CERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors. It is important to note that in this instance, the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment.” Recreating this type of attack against another site would require significant customization of the code, since each SIS deployment is highly customized.
How to Defend Against Cyberphysical Attacks
In addition to the usual precautions such as firewalls and IT intrusion detection systems, InduSoft recommends anomaly detection and broader machine analytics: tools that flag data points trending toward danger zones even when they are not yet triggering alarms.
Physical sabotage via malware can have many motivations: state actors may attack covertly, disgruntled employees already know how to access systems and which components are vulnerable, and extortionists may simply threaten to break machines unless a ransom is paid.
It is critical to protect the physical side of industrial control systems as well as the software components. The two must be able to communicate so that operators are warned of danger, and IT protections should ensure that even if attackers gain access to some parts of the equipment, there is adequate warning when machines are becoming less efficient, trending away from ideal performance, or experiencing uncommon malfunctions.
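The recommendation above, in both the InduSoft paragraph and this one, is to warn on a tag that is trending toward its limit before a conventional alarm fires. The following is an added example written for this page, not InduSoft's or the article's own code: it fits a least-squares line to the most recent samples of a process tag and raises a trend warning when the projected crossing of the high limit falls within a configurable horizon, while a plain alarm fires only once the limit is actually reached. The tag name (PT-101), the 12.0 bar limit, the one-minute sample spacing and the sample values are all constructed for illustration.

```python
"""Trend-based early warning for process telemetry.

Added example, not code from the original article or from InduSoft. A
conventional alarm fires only when a tag crosses its limit; evaluate_tag()
also projects the recent trend forward and warns when the limit is expected
to be reached within `horizon` samples. Tag names, limits and sample values
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrendWarning:
    tag: str
    slope_per_sample: float   # fitted rate of change per sample
    projected_samples: float  # samples until the fitted line reaches the limit
    last_value: float


def linear_fit(values: List[float]) -> Tuple[float, float]:
    """Least-squares slope and intercept for equally spaced samples t = 0..n-1."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    t_mean = (n - 1) / 2.0
    v_mean = sum(values) / n
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    sxy = sum((t - t_mean) * (v - v_mean) for t, v in enumerate(values))
    slope = sxy / sxx
    return slope, v_mean - slope * t_mean


def samples_to_limit(values: List[float], high_limit: float,
                     window: int = 10) -> Optional[float]:
    """Project the trend of the last `window` samples forward.

    Returns the number of samples until the fitted line reaches high_limit,
    or None when the tag is flat or falling (no crossing ahead).
    """
    recent = values[-window:]
    slope, intercept = linear_fit(recent)
    if slope <= 0:
        return None
    fitted_now = intercept + slope * (len(recent) - 1)
    if fitted_now >= high_limit:
        return 0.0
    return (high_limit - fitted_now) / slope


def evaluate_tag(tag: str, values: List[float], high_limit: float,
                 window: int = 10, horizon: int = 30):
    """Return ("ALARM" | "TREND_WARNING" | "OK", Optional[TrendWarning]).

    ALARM is the conventional threshold check; TREND_WARNING is the early
    warning the article argues for: below the limit, but heading for it.
    """
    if values[-1] >= high_limit:
        return "ALARM", None
    if len(values) < 2:
        return "OK", None
    remaining = samples_to_limit(values, high_limit, window)
    if remaining is not None and remaining <= horizon:
        slope, _ = linear_fit(values[-window:])
        return "TREND_WARNING", TrendWarning(tag, slope, remaining, values[-1])
    return "OK", None


# Constructed sample data: one-minute readings of a pressure tag in bar,
# with a constructed high alarm limit of 12.0.
HIGH_LIMIT = 12.0
RISING = [round(9.0 + 0.1 * i, 2) for i in range(10)]   # creeping up, below alarm
STABLE = [9.0, 9.02, 8.98, 9.01, 8.99, 9.0, 9.02, 8.98, 9.01, 8.99]
SLOW = [round(9.0 + 0.01 * i, 2) for i in range(10)]    # rising, crossing far off

if __name__ == "__main__":
    for name, series in (("rising", RISING), ("stable", STABLE), ("slow", SLOW)):
        status, warning = evaluate_tag("PT-101", series, HIGH_LIMIT)
        print(f"{name:7s} last={series[-1]:.2f} status={status} {warning or ''}")
```

With a 30-sample horizon the RISING series produces a trend warning about 21 samples before the alarm would fire, STABLE and SLOW stay OK, and appending a 12.5 reading to RISING yields a plain ALARM. In practice the window and horizon are tuned per tag, and the same check can be run against any monotonic indicator of wear or drift, not only safety-critical process variables.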