Nozomi Networks Researchers Warn We Haven’t Seen the Last of TRITON-Like Attacks

Live recreation at Black Hat raises new concerns around the possibility of future attacks

LAS VEGAS, AUGUST 8, 2018 — Today Nozomi Networks Co-founder and Chief Product Officer Andrea Carcanco warned Black Hat conference attendees we likely have not seen the last of TRITON-like attacks. During a live recreation of the industry’s first direct attack on an industrial safety system, he showed the TRITON malware creation may have been much easier to achieve than originally thought and shared new tools to help in the fight against TRITON. Carcano urged the community to unite on more aggressive efforts to address security gaps in critical operational networks.

“TRITON failed. However, now, with a deeper understanding of the attack, we believe the effort, skills and financial resources needed to create the Triton malware were not as high as originally thought. We also know the attacker could have just as easily succeeded in injecting the final payload,” Carcano said. “This realization, combined with the knowledge that a growing number of hackers have critical infrastructure in their sights, we as a community must move quickly on all fronts to strengthen the cyber security culture for the entire industry.”

In a live demo today at Black Hat, Carcano and researchers from Nozomi Networks Inc., the leader in real-time cyber security and operational visibility for industrial control systems (ICS), showed how TRITON, the most recent and arguably one of the most sophisticated attacks seen against an ICS to date, was developed, why the attack failed and what anyone seeking to secure critical infrastructure can do to help keep it safe. The team’s findings are detailed in a whitepaper released today, which includes:

• How the attack was executed, and why developing the TRITON malware may have been easier than previously believed
• Information about new paths adversaries are taking to access the attack tools
• New guidelines and tools to help protect against TRITON and similar attacks

First reported in December 2017, the TRITON attack against a petrochemical processing plant in the Middle East had the potential to compromise the facility’s Triconex Safety Instrumented System (SIS) from Schneider Electric. Fortunately, the Tricon system detected an anomaly and behaved as it was supposed to by taking the plant to a safe state via a shutdown. TRITON is considered a milestone industrial cyber-attack because it was the first to directly interact with, and control a safety system, raising the risk that a cyberattack could lead to unpredictable and dangerous plant outcomes, without the protection of a last line of safety defense.

“It’s important to recognize that Triton-type attacks can be made against any industrial control and safety system anywhere in the world, no matter who designed, engineered, built or operates it,” said Nathalie Marcotte, Senior Vice President, Industry Services and Cybersecurity, Schneider Electric. “No single entity can solve this global issue; rather, end users, third-party suppliers, integrators, standards bodies, industry groups and government agencies  must work together to help the global manufacturing industry withstand cyberattacks and protect the world’s most critical operations and the people and communities we all serve. Through its research, knowledge sharing and malware-detection tools, Nozomi Networks is heeding this call to action.”

‍