In December 2017 it became clear that process safety systems are not immune to cyber attacks. That’s when we learned that a new form of malware (dubbed Trisis, Triton, or HatMan, depending on who you ask) had made its way into a Triconex safety controller at an oil and gas installation in the Middle East.
Since the incident became public, it has become increasingly clear that the ramifications of this breach extend far beyond a single customer site or a single vendor. In today's increasingly connected world, concern about attacks on industrial systems is escalating, and the issue extends beyond the industrial sector to smart cities and the power and utilities infrastructure. On the positive side, the incident raised the level and scope of discussion around cyber security for SCADA and industrial control systems.
The industry has applauded Schneider Electric, the supplier of the affected system in this case, for its transparent and proactive approach in responding to this threat.
Cyber-security vendors like FireEye and Dragos were also helpful in sharing information about Triton with the rest of the industrial and cyber-security community. The incident underscores the importance of simple procedures and management of change practices that can be put into place, typically with very little investment, to avoid this kind of attack in the future.
However, it is hard to be dismissive of this new form of malware and how it might be used to affect industrial plants. Although the Triton payload was written specifically for Triconex, the attack vector (compromising the engineering workstation that is trusted to program the controller and then rewriting the safety logic) is not unique to Triconex controllers and could be replicated against any process safety system.
A key step that a threat actor might take would be to reprogram a safety system to no longer respond to an abnormal situation. This would have the potential to result in large-scale damage and possible loss of life. The global industrial process and manufacturing industry must heed this as a warning.
The Attack Unfolds
We know little about the installation, other than that the end user was presumably in the hydrocarbon processing industry and located somewhere in the Middle East. The end user was the target of a highly sophisticated and prolonged cyber-attack that resulted in a safe plant shutdown in August 2017. Although the end user's ten-year-old safety controller was breached, the Tricon safety system detected an anomaly and behaved as designed, taking the plant to a safe state via a shutdown.
A potentially serious incident was thus avoided, and Schneider Electric responded immediately to the end user's request for assistance. Since then, all evidence gathered by investigators from Schneider Electric, FireEye (a cyber-security forensics firm), the US Department of Homeland Security, the FBI, and other US agencies indicates that the breach was enabled by multiple security lapses. This highlights the need for the industry to come together to build a stronger security culture.
On December 14, 2017, following the distribution of a customer advisory from Schneider Electric, FireEye made its Triton report available to the public. FireEye provided a good summary of the attack in a blog post, which stated, “The attacker gained remote access to an SIS engineering workstation and deployed the Triton attack framework to reprogram the SIS controllers. During the incident, an SIS controller entered a failed-safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.”
The attacker reached the safety system through the distributed control system (DCS), which was integrated in some manner with the process safety system. Once on the safety system engineering workstation, the attacker tried to reconfigure the controller. That attempt caused a trip: the safety system activated and initiated a safe shutdown, as it was designed to do. From the reports of both FireEye and Dragos it seems clear that this shutdown was unintended on the attacker's part; the real goal was to alter the safety system logic so that the system would respond improperly in the event of an abnormal plant situation.
A Targeted Attack Most Likely from a Nation State
Triton was a highly targeted attack and in that respect resembled Stuxnet, the attack on Iranian nuclear centrifuges. Schneider Electric, FireEye, the US Department of Homeland Security, and others conducted a thorough investigation, which revealed that the attacker(s) had gained specific knowledge of the safety system installation in order to carry out the attack. Evidence indicates that the attacker(s) exploited multiple security lapses to gain remote connectivity to the safety controller, from which they launched the attack.