TRITON/TRISIS Malware and the IIoT

Greetings and welcome back.  This week, we look at a major topic in the news: TRITON/TRISIS Malware and the IIoT (Industrial Internet of Things.  To begin with, we would direct you to an excellent article on the subject by Kelly Jackson Higgins on DarkReading.com.  This provides a detailed view of this very significant piece of Malware and we believe it is must reading for all who could be affected.  We will attempt to provide a Quick Start look at this Malware in this blog and will plan to follow up as things develop.

What is TRITON/TRISIS?

It is a targeted Malware that can allow the user to take control of a Tricon Safety Instrumented Systems (SIS) device made by Schneider Electric.  SIS systems are used primarily in process industries to act as a safety traffic cop against certain dangerous situations.  An example would be to open a pressure relief valve when pressure in a pipe becomes too high or to turn-on an emergency cooling system when temperature in a process becomes too high.  SIS systems use realtime feedback from instruments placed at appropriate locations within a processing facility for the purpose of avoiding a disaster if some process moves out of normal parameters.

The TRITON Malware was built to specifically target the Schneider Electric Triconex SIS controller unit.  It was written with deep-knowledge of how the firmware and software for this system works but, It is unclear as to what the ultimate goal of TRITON was because it ultimately failed to execute a control command on the unit.  To put it simply, the Malware had the Triconex controller in its grasp but, it failed to actually harm it.

Because SIS systems are networked and, at some point, that network most always touches the Internet, all SIS systems are ultimately a part of the Industrial Internet of Things (IIoT).  Unfortunately, as the graphic below demonstrates, while the majority of companies see IIoT systems as security risks, the majority believe they are not devoting the necessary resources to address the problem.

TRITON/TRISIS Malware and the IIoT

In the first known case of an attack on a process facility, a problem was ultimately detected thanks to a FireEye security system and, the Malware at this particular site has apparently been neutralized.  Thanks to the openness of Schneider Electric to bring this issue to public attention, users have the ability to be informed and to begin the process of adequately securing their SIS systems.  Therefore, SIS system users must begin the process of learning and preparing to ward-off potential attacks.

Who is potentially effected by TRITON/TRISIS?

Any organization that uses SIS systems is potentially effected.  This includes at least the following industry sites:

  • Power Plants
  • Oil and Gas Refineries
  • Chemical Plants
  • Pharmaceutical Plants
  • Water Treatment and Water Distribution Facilities
  • Electronics Manufacturing
  • Food Processing

These industries, as a whole, employ millions of individuals and contribute literally Trillions of Dollars in GDP each year.  Because of this, a Malware attack that targets one or more organizations could harm large numbers of people and could also cause major economic damage.  Because the Malware has such an enormous potential for harm, all organizations who are in these industries must take note and begin to prepare against the real potential of a cyberattack against them.

What is the future for TRITON/TRISIS Attacks?

This is a serious issue because the Malware itself was unfortunately released onto a public website and, from there, has been spreading rapidly.  Because of this, the well-developed code base is available to be used and perfected by just about any hacker or cyber criminal organization.  Just like Stuxnet was developed by a highly sophisticated organization to target Siemens centrifuges in Iran but, then was released onto the Internet and used for other attacks, so too TRITON can now be used to target Triconex controllers around the globe.

What can be done to protect a plant from harm?

First and foremost, realize that cyber threats against your organization are very real.  Either a nation-state or a cyber criminal organization with vast resources spent enormous efforts to develop this Malware.  The fact that it only managed to cause a plant to be shut down and not destroyed only shows that this was a trial run.  The next time, a victim is not likely to be so fortunate.

Second, realize that the Industrial Internet of Things is every device that is connected to your network and that, at some point, your network comes in contact with the Internet.  Because of this, every system that is connected to your network is a potential target.  Clearly, the user who was attacked by this first trial-balloon of TRISIS had a well-developed perimeter firewall system but, the attacker was able to penetrate it an load their Malware on the target SIS device.

Third, and most importantly, please understand that the old adage: “An ounce of prevention is worth a pound of cure” is very true for cybersecurity.  If you believe that you can put-off spending the resources to build an air-tight defense, you are likely to end up paying a very high price.  Further, because this is a critical safety issue, we are talking about human lives, not just money.

As practical steps, plants shoud begin to take the following steps:

  • Isolate each SIS system from your other networks
  • If your SIS controllers are self-contained (i.e. – they need no outside software to operate) then consider placing a data diode in front of each system to eliminate the possibility of an outside-in attack
  • If your SIS controllers required outside software for control commands, place a high-end firewall in front of the software system

Please think about these things and, if you would like to have a confidential discussion about your system’s security, please feel free to give us a call.  We’re happy to help.

Until next time,

Be Well!