In 2017, a Middle Eastern petrochemical facility had the unfortunate distinction of being the first known victim of malware specifically targeted at process safety systems. Thanks to TRITON, the oil and gas industry became ground zero for the convergence of SIS process safety and ICS cybersecurity. Suddenly, the relatively obscure world of process safety systems, which had never seriously been considered a cyber vulnerability, was in the spotlight.

Process safety systems are designed to be safe, but not necessarily cyber-secure. The oil and gas industry, from upstream applications, such as oilfields and offshore platforms, to downstream applications, such as refining and petrochemicals, have the largest installed base of process safety systems by a wide margin, and thus are most at risk.

The TRITON/TRISIS/HatMan malware incident proved that the worlds of process safety and industrial control systems should be looked at holistically, not just from the standpoint of potential cyber-threats. This requires a unified approach to monitoring control system and process safety assets and applying the large body of knowledge that exists in the process safety domain to the world of ICS cybersecurity.

Securing-SIS-Nozomi-Networks

Thanks to TRITON, the Oil and Gas industry became ground zero for the convergence of SIS process safety and ICS cybersecurity.

In the Land of “Undocumented Devices”

Process safety systems are often the last line of defense between an abnormal situation in a refinery or petrochemical plant and a plant incident. Plant incidents can range from the relatively minor to large-scale explosions and fires that have claimed hundreds of lives at process plants and their surrounding communities. In the event of an abnormal situation, the safety system trips and either shuts down the plant, or brings it to an otherwise safe state.

The cybersecurity community frequently refers to process safety controllers as “undocumented devices” because they typically exist separately from the more common industrial control or distributed control systems that handle the bulk of plant control applications.

Process safety systems aren’t the only systems that fall under this category. There are untold numbers of installed compressor control systems, burner management systems, storage terminal automation systems, and other ancillary systems that exist outside the realm of higher profile ICS systems. All of these control critical applications in industrial plants, but have not received much attention when it comes to cybersecurity.

New Tools for a New Generation of Threats

Process safety systems, also known as safety instrumented systems (SIS), are truly unto themselves and run in parallel with ICS or distributed control systems.

SISs include their own protocols, specific hardware, engineering workstations and applications, and more. While nation-state-sponsored hacking groups have been investing significant resources in reverse engineering and penetrating these systems, end users will have to include these “undocumented” systems and assets as part of their overall cybersecurity strategy. As researchers gain a better understanding of these new forms of malware, end users will have new tools to add to their arsenal.

Nozomi Networks is one supplier that has put a significant amount of research into TRISIS/TRITON/HatMan, and in doing so has developed new tools to help end users detect intrusions and threats into process safety systems. These include a TriStation protocol plug-in for Wireshark and a Triconex Honeypot Tool that simulates a real Triconex controller.

Nozomi-Networks-used-working-Triconex-infrastructure-to-demonstrate-successful-TRITON-OT-infection

 

 

Nozomi Networks used a working Triconex infrastructure to demonstrate a successful TRITON OT infection.

The New Face of Cyber-Attacks?

The threat of coordinated cyber-attacks on critical infrastructure and manufacturing in the US by hostile nation-states is increasing. Just a few months ago, the US Department of Homeland Security identified major hacking groups responsible for recent industry and critical infrastructure attacks as having Russian state sponsorship. 

End users in the manufacturing sector, process industries, power generation and T&D, nuclear, water & wastewater, and even building management and smart cities sectors, should be up-to-date on the guidance surrounding this threat. Because of the possible wide-ranging impact of an incident, new approaches and collaboration between end users, automation suppliers, security vendors and the entire industrial community, is essential to address threats targeting industrial assets. 

Beyond Safety Systems to True Convergence

The worlds of process safety and cybersecurity are closely intertwined. The recent malware incident, in which a process safety system was attacked by what is most likely a state-sponsored hacking group, provides further impetus to look at these two disciplines holistically. Process safety systems were never immune to the same types of malware and cyber-attacks that plague industrial control systems (ICS); they just weren’t an active target until now.

Cyber vulnerabilities in process safety systems cannot be solved by simply applying cybersecurity products or solutions to these systems. As with process automation systems, cybersecurity must be addressed proactively throughout the lifecycle of the system. The safety and cybersecurity disciplines can learn much from each other. The principles of HAZOP and risk analysis typically performed in the process safety lifecycle, for example, are already being applied to ICS cybersecurity. 

What Can You Do?

End users can already take many concrete steps to strengthen security across both process safety systems and the entire industrial control system infrastructure. Like process safety, ICS cybersecurity should be approached from a lifecycle perspective. Some of these steps may be as simple as enforcing proper procedure with safety system configuration and engineering, such as ensuring that cabinets are locked and manual key switches on safety logic solvers are locked when not in programming mode.  

Other steps include using the right tools and applications to monitor and detect cyber-attacks. The landscape of “undocumented devices” must become documented, and systems and networks associated with process safety and other applications that have not historically been considered part of the ICS cybersecurity landscape must be included. 

Finally, end-users aren’t alone in this fight. They can look to industry organizations and initiatives that bring together all the players in the community including automation suppliers, security vendors, and industry experts to share information and best practices. The battle to secure industrial assets is now on, and the entire industrial community, working together, can substantially reduce risks and improve both reliance and safety.

Related Content to Download

RESEARCH PAPER

TRITON: The First ICS Cyber Attack on Safety Instrument Systems
Understanding the Malware, Its Communications and Its OT Payload

Read this paper to learn:

  • The innovative approach taken to reverse engineering TRITON
  • How our team obtained the engineering toolset and controller
  • The research findings, including undocumented users
  • How two new tools help defend against TRITON
  • How TRITON can be used to compromise SIS
  • What TRITON means for securing ICS

no registration required

Share This