
Fortunately, the Tricon system detected an anomaly and behaved as it was supposed to by taking the plant to a safe state via a shutdown, but Nozomi Networks’ researchers have demonstrated at Black Hat USA in Las Vegas that they are able to use the malware to implement new programs in Schneider Electric’s Triconex controller that would have seen the original attack succeed with potentially catastrophic consequences.

The industrial security research team approached the challenge like industrial cyber attackers, carrying out research online, including using Schneider Electric’s website, and engaging with industrial organisations’ operations and security staff to get a better understanding of what might work and how.

Nozomi researchers purchased the components needed to build a working environment in which to test the malware from a number of online marketplaces, including eBay and Alibaba, for under $10,000.

Having created a working system, the team reverse engineered the TriStation suite of software used on the engineering workstation that communicates with the safety instrumented system (SIS) controller. This, combined with malware analysis, enabled the researchers to dissect the TriStation proprietary communication protocol used by the Triconex controller.

The recreation of the Triton attack raises concerns about the possibility of future attacks. “We likely have not seen the last of Triton-like attacks,” Andrea Carcano, co-founder of Nozomi, told attendees of the Black Hat security conference.


The warning comes just days after researchers at Cybereason published a research report revealing that cyber attackers specialising in industrial control systems are fast, efficient and able to move between IT and OT environments.

In the live recreation of the industry’s first direct attack on an industrial safety system, Carcano showed the Triton attack may have been much easier to achieve than originally thought and shared new tools to help in the fight against Triton.

He urged the community to unite on more aggressive efforts to address security gaps in critical operational networks.

“Triton failed. However, now, with a deeper understanding of the attack, we believe the effort, skills and financial resources needed to create the Triton malware were not as high as originally thought.

“We also know the attacker could have just as easily succeeded in injecting the final payload,” Carcano said. “This realisation, combined with the knowledge that a growing number of hackers have critical infrastructure in their sights, we as a community must move quickly on all fronts to strengthen the cyber security culture for the entire industry,” he said.

Researching Triton

Carcano and researchers showed how Triton, one of the most sophisticated attacks seen against an industrial control system (ICS) to date, was developed, why the attack failed and what anyone seeking to secure critical infrastructure can do to help keep it safe.

The team’s findings are detailed in a whitepaper, which describes how the attack was executed and why developing the Triton malware may have been easier than previously believed.

The whitepaper also includes information about new paths adversaries are taking to access the attack tools and guidelines and tools to help protect against Triton and similar attacks.

The Triton malware is considered a milestone industrial cyber attack because it was the first to directly interact with, and control, a safety system, raising the risk that a cyber attack could lead to unpredictable and dangerous plant outcomes without the protection of a last line of safety defence.

In an advisory, the UK’s National Cyber Security Centre (NCSC) said Triton represents a further evolution in ICS attack methodology.

“As ICS becomes increasingly connected, threat actors will continue to develop their capabilities to exploit them. Such incidents underline the importance of organisations implementing effective mitigation approaches,” the advisory said.

Nobody is safe

Nathalie Marcotte, senior vice-president for industry services and cyber security at Schneider Electric, said it is important to recognise that Triton-type attacks can be made against any industrial control and safety system anywhere in the world, no matter who designed, engineered, built or operates it.

“No single entity can solve this global issue; rather, users, third-party suppliers, integrators, standards bodies, industry groups and government agencies must work together to help the global manufacturing industry withstand cyber attacks and protect the world’s most critical operations and the people and communities we all serve,” she said.

10.08.2018

Brace for more Triton-like attacks, researchers warn
