Security researchers have come across new malware designed to infect specialized safety controllers used in industrial infrastructure, in what is believed to be a well-funded nation state attack.
The malware framework was recovered by FireEye’s Mandiant incident response team while investigating an emergency shutdown event at a critical infrastructure organization. The team believes that Triton, which can reprogram Triconex safety instrumented system (SIS) controllers, caused a failed validation check between redundant units, which forced an industrial process into a failed safe state.
“We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage,” the researchers said in a blog post. “FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state. The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.”
Triton is a rare piece of malware that, like the infamous Stuxnet worm which sabotaged Iran’s nuclear program, is capable of reprogramming industrial controllers. Other malware has been found in the infrastructure of industrial operators since Stuxnet, especially in their IT environments, but those programs were mainly used for cyberespionage.
A SIS is an autonomous system made up of specialized hardware controllers that monitor an industrial process by receiving information from sensors and actuators. The controllers execute code known as control logic that automatically brings a monitored process back into a safe state or shuts it down if certain parameters are exceeded.
The SIS theoretically is separate from and a failback to the distributed control system (DCS), a computerized system made up of software applications and controllers that allow operators to monitor physical industrial processes from an engineering workstation. In the past decade, the SIS and DCS environments have become increasingly integrated for ease of use and cost savings.
“We assess with moderate confidence that the attacker’s long-term objective was to develop the capability to cause a physical consequence,” the FireEye researchers said. “We base this on the fact that the attacker initially obtained a reliable foothold on the DCS and could have developed the capability to manipulate the process or shut down the plant, but instead proceeded to compromise the SIS system. Compromising both the DCS and SIS system would enable the attacker to develop and carry out an attack that causes the maximum amount of damage allowed by the physical and mechanical safeguards in place.”
The Triton malware runs on Windows, but was designed to interact with Triconex SIS controllers through an undocumented proprietary protocol that’s used by the legitimate TriStation software application. This means the attackers had access to specialized hardware and software that’s not widely available, which allowed them to reverse-engineer the protocol.
They also likely performed advanced reconnaissance on their victim, which FireEye hasn’t identified, because they knew it was using Triconex SIS controllers.
The attackers could have simply used Triton to shut down a process by issuing a halt command or by uploading flawed code to the SIS controllers. Instead, the attempted to write functional control logic that they hoped would remain undetected, which suggests they had a longer-term goal.
“The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S. and Israeli nation state actors,” the FireEye researchers said. “Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”
According to FireEye, to limit the threat to their control systems, industrial infrastructure operators should take a few actions:
- Where technically feasible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network.
- Leverage hardware features that provide for physical control of the ability to program safety controllers. These usually take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in the PROGRAM mode other than during scheduled programming events.
- Implement change management procedures for changes to key position. Audit current key state regularly.
- Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.
- Implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP.
- Monitor ICS network traffic for unexpected communication flows and other anomalous activity.