Malware targeting SIS industrial safety systems identified
20 December 2017
Cybersecurity specialist FireEye has given details of a cyber attack at a critical infrastructure organisation where the attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. The company said the attacker could be developing the capability to cause physical damage and shut down operations.
This malware, which FireEye calls TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers sold by Schneider Electric, often used in oil and gas facilities.
TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS) and could prevent safety mechanisms from executing their intended function, resulting in “a physical consequence”, FireEye said.
The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a fail-safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check, resulting in an MP diagnostic failure message.
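To make the fail-safe behaviour described above concrete, here is a toy model of a controller whose redundant processing units cross-check the application code they hold and trip to a safe state when they disagree. This is an added illustration written for this page, not Triconex code or FireEye's analysis: the SHA-256 fingerprinting, the two-out-of-three vote, the unit names MP-A/MP-B/MP-C, the diagnostic wording and the sample application image are all assumptions made for the example. It shows the distinction that matters in the incident: a download that reaches every unit consistently passes the check and the process keeps running, while a download that lands on only one unit fails validation and shuts the process down with a diagnostic.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample application image standing in for the logic an SIS runs.
# Not real controller code; content is only here so the digests differ.
BASELINE_IMAGE = b"SIS app v1: trip ESD valve when pressure > 120 psi\n"


def code_digest(image: bytes) -> str:
    """Fingerprint an application image so units can be compared cheaply (assumed scheme)."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class ProcessingUnit:
    """One of the redundant processors; holds its own copy of the application code."""
    name: str
    image: bytes

    def digest(self) -> str:
        return code_digest(self.image)


@dataclass
class SafetyController:
    """Controller that keeps running only while all units hold identical code."""
    units: list
    state: str = "RUN"                      # RUN or FAIL_SAFE
    diagnostics: list = field(default_factory=list)

    def validate_application_code(self) -> bool:
        """Cross-check the image on every unit; trip to FAIL_SAFE on any mismatch."""
        digests = {u.name: u.digest() for u in self.units}
        if len(set(digests.values())) == 1:
            return True
        # Majority vote (2oo3 for three units) names the dissenting unit(s).
        majority, _ = Counter(digests.values()).most_common(1)[0]
        outliers = sorted(n for n, d in digests.items() if d != majority)
        self.diagnostics.append(
            "MP diagnostic failure: application code mismatch on " + ", ".join(outliers)
        )
        self.state = "FAIL_SAFE"            # process shut down; operators investigate
        return False

    def download(self, new_image: bytes, targets=None) -> bool:
        """Model an engineering-workstation download. A legitimate download reaches
        every unit; a partial or tampered one reaches only the units in `targets`."""
        for u in self.units:
            if targets is None or u.name in targets:
                u.image = new_image
        return self.validate_application_code()


def new_controller() -> SafetyController:
    return SafetyController(
        [ProcessingUnit(n, BASELINE_IMAGE) for n in ("MP-A", "MP-B", "MP-C")]
    )


def legitimate_update() -> SafetyController:
    """Consistent download to all units: the check passes and the process keeps running."""
    ctl = new_controller()
    ctl.download(BASELINE_IMAGE + b"SIS app v2: add high-high level trip\n")
    return ctl


def tampered_update() -> SafetyController:
    """Download from a compromised workstation that lands on one unit only:
    the units disagree, the controller trips and a diagnostic is recorded."""
    ctl = new_controller()
    ctl.download(BASELINE_IMAGE + b"; injected logic\n", targets={"MP-B"})
    return ctl


if __name__ == "__main__":
    for label, ctl in (("legitimate", legitimate_update()), ("tampered", tampered_update())):
        print(label, ctl.state, ctl.diagnostics)
```

The point a practitioner should take from the model is that this kind of cross-check is a safety diagnostic, not an authentication of the download: it reacts to inconsistency between units, so the shutdown it produces is a symptom to investigate, which is exactly how the incident came to light.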
Emerging technologies magazine WIRED, in a report on the incident, spoke to Rob Lee, the founder of security firm Dragos Inc. Lee said Dragos had observed the malware operating in the Middle East about a month ago, and had since been analysing it. He said that when Triton is installed in an industrial control system, the code looks for Schneider's Triconex equipment, confirms that it can connect to it, and then begins injecting new commands into its operations. If those commands aren't accepted by the Triconex components, it can crash the safety system.
In a statement to WIRED, Schneider Electric said it was investigating the incident. "Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system," the company said. "We are working closely with our customer, independent cybersecurity organizations and ICS-CERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors. It is important to note that in this instance, the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment."
FireEye said the most likely scenario was that the attack was sponsored by a nation state. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.”
“The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, US, and Israeli nation state actors. Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency,” FireEye said.