Triton, BlackEnergy, WannaCry – Has Your Behavior Changed?
Triton, BlackEnergy, WannaCry – Has Your Behavior Changed?

by Gary DiFazio on January 16, 2019

Hopefully the title of this blog has gotten your attention. In one of my prior blogs, ICS Cybersecurity: Visibility, Protective Controls, Continuous Monitoring – Wash, Rinse, Repeat, we talked about how the malicious threat landscape for industrial controls systems is constantly evolving and getting more sophisticated, thereby raising the need to have visibility, implement protective controls and perform continuous monitoring.

In this blog, we will take a more detailed look at the attack vectors of some malware/malicious events like Triton that occurred over the last decade, including some attacks that did not target industrial control systems.

Whether it be ransomware, malware or a targeted attack, each of these vectors need access to the environment. There are many ways for attackers to gain access; these events oftentimes involve phishing, stolen credentials, hijacking/infecting a transient device such as a laptop or USB flash drive or exploiting a vulnerability, etc. to name a few.

While NotPetya and WannaCry had a massive impact on industrial environments in terms of negatively impacting productivity and financial results, these threats did not directly target industrial control system environments. It is still very important to have visibility within your control network to understand if such an event is occurring, and it’s essential to have protective controls in place that can mitigate their spread and potential impact. If we look at malicious behavior that actually compromised an industrial process, the same best practices around visibility, protective controls and continuous monitoring apply; they can help organizations detect malicious activity before the threat actor gains control of your industrial process.

The image shown below outlines the phases of infiltration for a malicious “payload”.