FireEye [full disclosure, FireEye is a partner of Nozomi Networks], has reported that it has recently worked with an industrial operator whose facility was attacked by a new type of ICS malware, which they are calling TRITON. The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process. 

The attack is bold and notable because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Also, the type of SIS attacked is widely used and is commissioned in a consistent way across many industries.

Given the potential consequences of interference with an SIS, this milestone attack should be studied by your security and engineering teams. The security controls in place for your SIS should be reviewed — and likely increased.  Among the recommendation is to implement ICS network monitoring and anomaly detection.


TRITON Malware Reprograms SIS Controllers

The TRITON attack began when the threat actor gained remote access to an SIS engineering workstation, though how this was accomplished is not reported. The attacker then deployed the TRITON attack framework to reprogram the SIS controllers.

During the incident, some of the SIS controllers entered a failed state, which automatically shut down the industrial process. This prompted the operator to initiate an investigation, which was conducted by FireEye’s Mandiant team.

FireEye is moderately confident that the attacker inadvertently shutdown operations while developing the ability to cause physical damage. You can read their reasons for coming to this conclusion, and many other important details about the attack, in the FireEye blog post on TRITON.

While, fortunately, no physical damage or safety incident occurred, this attack represents a step-up in sophisticated ICS cyberattacks.  It is the first known malware targeting SIS, and only the fifth malware known to specifically target ICS (after Stuxnet, Havex / Dragonfly, Blackenergy2/3, and Industroyer / CrashOverride.)

The Threat Actor and the Target Equipment Are Not the Point

Both FireEye and other analysts speculate that the threat actor in this attack is a nation state, but they do not identify a particular one. The reasons for this belief are:

  • The target was a critical infrastructure operator.
  • The attack did not include a monetary goal.
  • The technical resources required, both in terms of cyber security expertise and engineering expertise, were substantial.

The SIS system that was attacked was a Schneider Electric Triconex Safety Instrumented System (hence the malware moniker “TRITON”, also known as “TRISIS”.)  However, the malware was not designed specifically for Triconex, it was designed because the target organization was using Triconex.

Whether or not you think your operation would ever be the target of a nation state, and whether or not you use the Triconex SIS, isn’t the key point.  Rather, since a SIS has been successfully attacked, it’s important to review what happened and evaluate your defenses in light of this incident.

Effective Defenses for TRITON

To defend against TRITON, FireEye and Nozomi Networks recommend these defenses:

  • Segregate the safety system network from the process control and information system networks. For example, ISA-99 / IEC 62443 uses the concepts of zones and conduits, where conduits control the flow of data between zones.
  • Do not dual-home engineering workstations to any other process control or information system network.
  • Use hardware features that provide physical controls. In this case, the Triconex physical key was left in PROGRAM mode. Instead, it should be locked and alerts and a change management process should be in place for changes to the key position.
  • Limit data flow from the SIS to applications to unidirectional outbound traffic only.
  • Limit data flows from servers or workstations to the SIS using application whitelisting and access control measures.
  • Monitor ICS traffic for unexpected communication flows and other anomalous activity and investigate promptly.

How Hybrid Threat Detection Would Help

To detect unexpected communication flows and anomalous activity, passive ICS networking monitoring can be used, such as that provided by our SCADAguardian product. And, one aspect of our solution that I am shamelessly calling out here, is its hybrid threat detection capabilities.

Hybrid threat detection means that our solution uses both behavior-based anomaly detection, plus rules-based anomaly detection, and correlates information between the two approaches, to provide rapid threat detection.

In the case of TRITON, SCADAguardian would quickly identify any changes in standard communication behavior. It would also compare traffic with malware signatures provided by YaraRules, and correlate a sequence of alerts into a consolidated incident, helping operators quickly understand an issue.

With TRITON, it’s true that at the time of the initial attack, a YaraRule for it did not exist. Now, however, FireEye has provided a rule, and it is simple to incorporate it into SCADAguardian, as shown below.


SCADAguardian users can cut and paste new malware YaraRules directly into the product,
or receive them as updates from Nozomi Networks.

Finally, SCADAguardian’s hybrid threat detection also includes a robust Assertion capability. Assertions are custom questions that can be asked of a system and they can also be used to initiate and automate remediation responses. Operations staff can use these for threat hunting, monitoring and remediation that is unique to their installation.

Don’t Ignore Cyber security Best Practices

The TRITON incident reinforces the need for basic and sophisticated controls for ICS environment. On the one hand, it’s disappointing that some basic cyber security controls, such as network segmentation, and using physical defenses, such as the physical Triconex key, were not being used.

It’s also unfortunate that Schneider Electric is being singled out by this landmark incident, when the company is very proactive about ICS cyber security. It seems their own cyber security recommendations were not being followed at the installation in question, and it should be noted that Schneider Electric has “designed- in” cyber security in their newer products.

The reality, however, is that older equipment and legacy networking schemas are in common usage. Asset owners should ask, given your infrastructure today, how can you be proactive about cyber security in the face of an attack such as TRITON? Do you have the controls in place to detect or block such an attack?  Are you ready to rapidly intervene before damage could be done?

Fortunately, in the incident documented by FireEye, no one was hurt, and the Triconex SIS, executed a safe process shutdown. And, kudos to the operator for instigating a professional investigation, which now everyone has the benefit of learning from.

Let’s hope this is the last major ICS cyber security story of 2017. Given the past few Decembers, a thwarted attack on critical infrastructure is a much better way to end the year then learning of a cyber-initiated electric grid outage!

Related Content to Download

The mitigation brief below, while for Industroyer,  explains how our passive ICS monitoring solution uses hybrid threat detection to identify persistent threats and remediate them before damage can be done. The same capabilities apply to TRITON.

Nozomi Networks Industroyer Mitigation Brief

This brief explains:
3 main phases of Industroyer
How anomaly detection mitigates impacts
What YaraRules are and how they help
How “assertions” facilitate threat hunting
How real-time ICS monitoring provides cyber resiliency



Related Links