A look at the Triton attack

In December 2017, the world found out about a sophisticated attack on the control systems of an LNG plant, known as ‘TRITON’.

The attack caused the entire operation to shut down and is one of the many examples in recent years of malicious software designed specifically to target industrial equipment.

In the decade since the infamous Stuxnet malware destroyed many centrifuges of an Iranian uranium plant, numerous attacks against many critical infrastructure sectors have been discovered with the intent to cause damage and destruction.

This relatively new malware variant targeted the Triconex Safety Instrumented System, otherwise known as SIS controllers. These SIS controllers, made by Schneider Electric, operate on over 11,000 sites around the world, and are responsible for the automated emergency shutdown functions in the case of a situation which may threaten the safety and lives of plant personnel.

It is concerning that the Triton malware payload was deployed long after the attackers had gained in depth access to the plants network, with reports saying they had been sitting on the network for up to 9 months before the SIS controllers were reprogrammed. Given this attack was ultimately deemed to be unsuccessful due to a single coding error by the attackers, it does raise concerns about how much damage could be caused when an attack is successful.

Furthermore, Security Week reports that Triton malware is still active today and the group behind its creation have expanded their scope, now reaching far outside of the Middle East for their next target.

So how did the attack succeed and what can be done to stop it from happening again?

After the Triton attack was published, Schneider discovered a zero-day vulnerability in its Triconex SIS which enabled the cyber criminals to gain access to, and change, the programming of the SIS controllers. FireEye reports they found a Remote Access Trojan (RAT) in the Triton malware which they believe to be the first RAT ever known to have infected SIS equipment.

In addition, it appears that the remote access and remote control of the SIS devices was achieved because the physical key on the controllers was left in the ‘program’ state, thereby allowing the remote programming of the main controller and the subsequent re-programming of the SIS controllers that caused such damage.

In an Operational Technology (OT) network, the availability of systems, especially those relating to safety, is typically a top priority, taking precedence over protection of confidentiality and integrity. The problem for many industries operating large plants is the growing complexity of their networks and lack of network wide visibility across all of their systems.

Many understand a problem exists but simply don’t know where to start in creating risk management procedures, building network resilience and maintaining a secure network.

What is clear is that as attacks become more frequent, the likelihood of a catastrophic outcome increases also. Organisations need to take action now to ensure lives are not lost and they are not tomorrow’s headline.

Sapien offers a sophisticated solution to address the complexity found within commercial, industrial and government owned assets. Read more on how our system of systems’ design offers our clients unprecedented visibility across your enterprise network and a complete solution in identifying threats, preparing for new attacks, and shielding your systems from advanced cyber criminals.