Malware targets industrial safety systems
15 January 2018
News has emerged of malicious software designed specifically to enable the damage or destruction of industrial equipment. Reports say that the ‘Triton’ malware, which has been built specifically to communicate with safety instrumented systems (SIS) and deploy alternative logic to these devices, has been used against at least one organisation in the Middle East, although it is not known in what kind of industrial facility, or even in which country, the malware appeared.
Triton, which is also known as Trisis, appears to have existed since at least August 2017. It works by infecting a Windows computer that is expected to be connected to a SIS device; the malware then injects code that modifies the behaviour of the SIS device. However, at present the intended effect is unclear and the investigation is still underway. The incident was originally disclosed by FireEye, when its subsidiary Mandiant, which specialises in responding to and proactively protecting against advanced cyber security threats, responded to an incident at a critical infrastructure organisation.
Triton specifically targets Triconex products sold by Schneider Electric. In the reported incident, the Triconex systems entered a ‘fail safe’ state and the plant was shut down safely. However, there has been speculation that much more serious damage could have been caused.
Here in the UK, the National Cyber Security Centre is of the opinion that to deploy and successfully activate such malware, the attacker would need to know the target environment in depth. The process of acquiring this knowledge may take several weeks or months, during which the attacker is likely to have used engineering documentation and enumeration of the network to further their goals.
While there is no information to suggest that the malware is more broadly deployable (indeed, it likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products), it could signal the beginning of a new era. Triton is one of only a handful of viruses reported to date capable of disrupting industrial processes, the first and most infamous being Stuxnet, yet its very existence suggests that it won’t be long before other hackers try to copy this type of attack.
For more information on Triton, and tips on how to mitigate this type of cyber security threat whatever your SIS device vendor, visit the NCSC website at http://bit.ly/2DbMDsT.