Fortunately, the Tricon system detected an anomaly and behaved as it was supposed to by taking the plant to a safe state via a shutdown, but Nozomi Networks’ researchers have demonstrated at Black Hat USA in Las Vegas that they are able to use the malware to implement new programs in Schneider Electric’s Triconex controller that would have seen the original attack succeed with potentially catastrophic consequences.
The industrial security research team approached the challenge like industrial cyber attackers, carrying out research online, including using Schneider Electric’s website, and engaging with industrial organisations’ operations and security staff to get a better understanding of what might work and how.
Nozomi researchers purchased components needed to build a working environment, in which to test the malware, from a number of online marketplaces, including ebay and Alibaba for under $10,000.
Having created a working system, the team reverse engineered the TriStation suite of software used on the engineering workstation that communicates with the safely instrumented system(SIS) controller. This, combined with malware analysis, enabled the researchers to dissect the TriStation proprietary communication protocol used by the Triconex controller.
The recreation of the Triton attack raises concerns about the possibility of future attacks. “We likely have not seen the last of Triton-like attacks,” Andrea Carcanco, co-founder of Nozomi told attendees of the Black Hat security conference.
The warning comes just days after researchers at Cybereason published a research report revealing that cyber attackers specialising in industrial control systems are fast, efficient and able to move between IT and OT environments.
In the live recreation of the industry’s first direct attack on an industrial safety system, Carcanco showed the Triton attack may have been much easier to achieve than originally thought and shared new tools to help in the fight against Triton.
He urged the community to unite on more aggressive efforts to address security gaps in critical operational networks.
“Triton failed. However, now, with a deeper understanding of the attack, we believe the effort, skills and financial resources needed to create the Triton malware were not as high as originally thought.
“We also know the attacker could have just as easily succeeded in injecting the final payload,” Carcano said. “This realisation, combined with the knowledge that a growing number of hackers have critical infrastructure in their sights, we as a community must move quickly on all fronts to strengthen the cyber security culture for the entire industry,” he said.
Carcano and researchers showed how Triton, one of the most sophisticated attacks seen against an industrial control system (ICS) to date, was developed, why the attack failed and what anyone seeking to secure critical infrastructure can do to help keep it safe.
The team’s findings are detailed in a whitepaper, which describes how the attack was executed and why developing the Triton malware may have been easier than previously believed.
The whitepaper also includes information about new paths adversaries are taking to access the attack tools and guidelines and tools to help protect against Triton and similar attacks.
The Triton malware is considered a milestone industrial cyber attack because it was the first to directly interact with, and control a safety system, raising the risk that a cyber attack could lead to unpredictable and dangerous plant outcomes, without the protection of a last line of safety defence.
In an advisory, the UK’s National Cyber Security Centre (NCSC) said Triton represents a further evolution in ICS attack methodology.
“As ICS becomes increasingly connected, threat actors will continue to develop their capabilities to exploit them. Such incidents underline the importance of organisations implementing effective mitigation approaches,” the advisory said.
Nathalie Marcotte, senior vice-president for industry services and cyber security at Schneider Electric, said it is important to recognise that Triton-type attacks can be made against any industrial control and safety system anywhere in the world, no matter who designed, engineered, built or operates it.
“No single entity can solve this global issue; rather, users, third-party suppliers, integrators, standards bodies, industry groups and government agencies must work together to help the global manufacturing industry withstand cyber attacks and protect the world’s most critical operations and the people and communities we all serve,” she said.