New TRITON ICS Malware is Bold and Important

This article was updated on October 1, 2019.

FireEye [full disclosure, FireEye is a partner of Nozomi Networks], has reported that it has recently worked with an industrial operator whose facility was attacked by a new type of ICS malware, which they are calling TRITON. The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process.

The attack is bold and notable because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Also, the type of SIS attacked is widely used and is commissioned in a consistent way across many industries.

Given the potential consequences of interference with an SIS, this milestone attack should be studied by your security and engineering teams. The security controls in place for your SIS should be reviewed — and likely increased.  Among the recommendation is to implement ICS network monitoring and anomaly detection.

TRITON Malware Reprograms SIS Controllers

The TRITON attack began when the threat actor gained remote access to an SIS engineering workstation, though how this was accomplished is not reported. The attacker then deployed the TRITON attack framework to reprogram the SIS controllers.

During the incident, some of the SIS controllers entered a failed state, which automatically shut down the industrial process. This prompted the operator to initiate an investigation, which was conducted by FireEye’s Mandiant team.

FireEye is moderately confident that the attacker inadvertently shutdown operations while developing the ability to cause physical damage. You can read their reasons for coming to this conclusion, and many other important details about the attack, in the FireEye blog post on TRITON.

While, fortunately, no physical damage or safety incident occurred, this attack represents a step-up in sophisticated ICS cyberattacks.  It is the first known malware targeting SIS, and only the fifth malware known to specifically target ICS (after Stuxnet, Havex / Dragonfly, Blackenergy2/3, and Industroyer / CrashOverride.)

The Threat Actor and the Target Equipment Are Not the Point

Both FireEye and other analysts speculate that the threat actor in this attack is a nation state, but they do not identify a particular one. The reasons for this belief are:

• The target was a critical infrastructure operator.
• The attack did not include a monetary goal.
• The technical resources required, both in terms of cyber security expertise and engineering expertise, were substantial.

The SIS system that was attacked was a Schneider Electric Triconex Safety Instrumented System (hence the malware moniker “TRITON”, also known as “TRISIS”.)  However, the malware was not designed specifically for Triconex, it was designed because the target organization was using Triconex.

Whether or not you think your operation would ever be the target of a nation state, and whether or not you use the Triconex SIS, isn’t the key point.  Rather, since a SIS has been successfully attacked, it’s important to review what happened and evaluate your defenses in light of this incident.

Effective Defenses for TRITON

To defend against TRITON, FireEye and Nozomi Networks recommend these defenses:

• Segregate the safety system network from the process control and information system networks. For example, ISA-99 / IEC 62443 uses the concepts of zones and conduits, where conduits control the flow of data between zones.
• Do not dual-home engineering workstations to any other process control or information system network.
• Use hardware features that provide physical controls. In this case, the Triconex physical key was left in PROGRAM mode. Instead, it should be locked and alerts and a change management process should be in place for changes to the key position.
• Limit data flow from the SIS to applications to unidirectional outbound traffic only.
• Limit data flows from servers or workstations to the SIS using application allowlist and access control measures.
• Monitor ICS traffic for unexpected communication flows and other anomalous activity and investigate promptly.

How Hybrid Threat Detection Would Help

To detect unexpected communication flows and anomalous activity, passive ICS networking monitoring can be used, such as that provided by our Guardian product. And, one aspect of our solution that I am shamelessly calling out here, is its hybrid threat detection capabilities.

Hybrid threat detection means that our solution uses both behavior-based anomaly detection, plus rules-based anomaly detection, and correlates information between the two approaches, to provide rapid threat detection.

In the case of TRITON, Guardian would quickly identify any changes in standard communication behavior. It would also compare traffic with malware signatures provided by Yara rules, and correlate a sequence of alerts into a consolidated incident, helping operators quickly understand an issue.

With TRITON, it’s true that at the time of the initial attack, a Yara rule for it did not exist. Now, however, FireEye has provided a rule, and it is simple to incorporate it into Guardian, as shown below.

Finally, Guardian’s hybrid threat detection also includes a robust Assertion capability. Assertions are custom questions that can be asked of a system and they can also be used to initiate and automate remediation responses. Operations staff can use these for threat hunting, monitoring and remediation that is unique to their installation.

‍

Don’t Ignore Cyber security Best Practices

The TRITON incident reinforces the need for basic and sophisticated controls for ICS environment. On the one hand, it’s disappointing that some basic cyber security controls, such as network segmentation, and using physical defenses, such as the physical Triconex key, were not being used.

It’s also unfortunate that Schneider Electric is being singled out by this landmark incident, when the company is very proactive about ICS cyber security. It seems their own cyber security recommendations were not being followed at the installation in question, and it should be noted that Schneider Electric has “designed- in” cyber security in their newer products.

The reality, however, is that older equipment and legacy networking schemas are in common usage. Asset owners should ask, given your infrastructure today, how can you be proactive about cyber security in the face of an attack such as TRITON? Do you have the controls in place to detect or block such an attack?  Are you ready to rapidly intervene before damage could be done?

Fortunately, in the incident documented by FireEye, no one was hurt, and the Triconex SIS, executed a safe process shutdown. And, kudos to the operator for instigating a professional investigation, which now everyone has the benefit of learning from.

Let’s hope this is the last major ICS cyber security story of 2017. Given the past few Decembers, a thwarted attack on critical infrastructure is a much better way to end the year than learning of a cyber-initiated electric grid outage!

Update August 8, 2018

We have published additional materials on TRITON that may be of interest to you. These include:

1. New TRITON tool: TriStation Protocol Plug-in for Wireshark  (free download)

• Allows an engineer to visually see and comprehend TriStation communications. It also identifies hardware connected to the safety controller and passively detects TRITON activity in network communications.

2. Blog: New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol

• Describes the TriStation Protocol Plug-in for Wireshark

3. New TRITON tool: Triconex Honeypot Tool (free download)

• Helps defense teams simulate SIS controllers on industrial networks, using them like a honeypot to detect reconnaissance scans and capture malicious payloads.

4. Blog: Black Hat: Understanding TRITON, The First SIS Cyber Attack

• Describes the presentation given at Black Hat USA 2018 regarding our TRITON research, including how we used TRITON to implement new programs in the Triconex controller and execute a malicious OT payload.

5. Press Release: Nozomi Networks Researchers Warn We Haven’t Seen the Last of TRITON-Like Attacks

Nozomi Networks Co-founder and Chief Product Officer Andrea Carcanco warned Black Hat conference attendees we likely have not seen the last of TRITON-like attacks.

‍