Oil & Gas Cybersecurity and Process Safety Converge Thanks to TRITON

Oil & Gas Cybersecurity and Process Safety Converge Thanks to TRITON

In 2017, a Middle Eastern petrochemical facility had the unfortunate distinction of being the first victim of malware specifically targeted at process safety systems. Thanks to TRITON, the Oil and Gas industry became ground zero for the convergence of SIS process safety and ICS cybersecurity. Suddenly, the relatively obscure world of process safety systems, which had never seriously been considered a cyber vulnerability, were in the spotlight.

Process safety systems are designed to be safe, but not necessarily cyber-secure. The oil and gas industry, from upstream applications such as oilfields and offshore platforms to downstream applications such as refining and petrochemicals have the largest installed base of process safety systems by a wide margin, and thus are most at risk.

The TRITON/TRISIS/HatMan malware incident proved that the worlds of process safety and industrial control systems should be looked at holistically, not just from the standpoint of potential cyber-threats. This requires a unified approach to monitoring control system and process safety assets and applying the large body of knowledge that exists in the process safety domain to the world of ICS cybersecurity.

In the Land of “Undocumented Devices”

Process safety systems are often the last line of defense between an abnormal situation in a refinery or petrochemical plant and a plant incident. Plant incidents can range from the relatively minor to large scale explosions and fires that have claimed hundreds of lives at process plants and their surrounding communities. In the event of an abnormal situation, the safety system trips and either shuts down the plant or brings it to an otherwise safe state.

Process safety controllers have been referred to as “undocumented devices” by those in the cybersecurity community because they typically exist separately from the more common industrial control systems or DCSs that handle the bulk of plant control applications.

Process safety systems aren’t the only systems that fall under this category. There are untold numbers of installed compressor control systems, burner management systems, storage terminal automation systems, and other ancillary systems that exist outside the realm of higher profile ICS systems, all of which control critical applications in industrial plants but have not received much attention when it comes to cybersecurity.

New Tools for a New Generation of Threats

Process safety systems, also known as safety instrumented systems (SIS), are truly systems unto themselves that run in parallel with ICS or distributed control systems.

SISs include their own protocols, specific hardware, engineering workstations and applications, and more. While nation state-sponsored hacking groups have been investing significant resources in reverse engineering and penetrating these systems, end users will have to include these “undocumented” systems and assets as part of their overall cybersecurity strategy. As researchers gain a better understanding of these new forms of malware, new tools will also become available that end users can add to their arsenal.

Nozomi Networks is one supplier that has put a significant amount of research into TRISIS/TRITON/HatMan, and in doing so have also developed some new tools to help end users detect intrusions and threats into process safety systems. These include a TriStation protocol plug-in for Wireshark and a Triconex Honeypot Tool that simulates a real Triconex controller.

Nozomi Networks used a working Triconex infrastructure
Nozomi Networks used a working Triconex infrastructure to demonstrate a successful TRITON OT infection.

The New Face of Cyber Attacks?

The threat of coordinated cyber-attacks on critical infrastructure and manufacturing in the US by hostile nation states is increasing. Just a few months ago, the US Department of Homeland Security identified major hacking groups responsible for recent industry and critical infrastructure attacks as having Russian state sponsorship.

End users in the manufacturing sector, process industries, power generation and T&D, nuclear, water & wastewater, and even building management and smart cities sectors should be up-to-date on the guidance surrounding this threat.

Beyond Safety Systems to True Convergence

The worlds of process safety and cybersecurity are closely intertwined. The recent malware incident, in which a process safety system was attacked by what is most likely a state-sponsored hacking group, provides further impetus to look at these two disciplines holistically. Process safety systems were never immune to the same types of malware and cyber-attacks that plague industrial control systems (ICS), they just weren’t an active target until now.

Cyber vulnerabilities in process safety systems cannot be solved by simply applying cybersecurity products or solutions to these systems. As with process automation systems, cybersecurity must be addressed proactively throughout the lifecycle of the system. The safety and cybersecurity disciplines can learn much from each other. The principles of HAZOP and risk analysis typically performed in the process safety lifecycle, for example, are already being applied to ICS cybersecurity.

What Can You Do?

There are many concrete steps that end users can take today to strengthen security across both process safety systems and the entire industrial control system infrastructure. Like process safety, ICS cybersecurity should be approached from a lifecycle perspective. Some of these steps may be as simple as enforcing proper procedure with safety system configuration and engineering, such as ensuring that cabinets are locked and manual key switches on safety logic solvers are locked when not in programming mode.

Other steps include using the right tools and applications to monitor and detect cyber-attacks. The landscape of “undocumented devices” must become documented, and systems and networks associated with process safety and other applications that have not historically been considered part of the ICS cybersecurity landscape must be included.