TRITON or TRISIS (detected by Trend Micro as TROJ_TRISIS.A)is a recently discovered malware that was designed to manipulate industrial safety systems and most notably was involved in shutting down an industrial plant’s operations (reportedly in a country in the Middle East). According to reports, no harm was incurred so far by the victim in question as the plant’s system safely shut down. However, the specific technology targeted is widely used in various industries, especially the energy sector, leaving other organizations vulnerable. Also, the system shutdown might have been inadvertently triggered as a result of exploration activity on the side of the attackers to learn how the system worked for future use.
The TRISIS attack marks the first report of attackers directly targeting a safety instrumented system (https://www.automationworld.com/cyber-attack-hits-safety-system-critical-infrastructure). Unsurprisingly, comparisons to Stuxnet dominate the coverage on Triton. But what really is novel here? We lay out in FAQ style what is currently known about the Triton malware, what makes it so newsworthy, and what this could mean for Industrial Control Systems (ICS) security in general.
Two companies released reports covering this malware. One security company discovered ICS-tailored malware in the wild, deployed against at least one victim in the Middle East, as early as mid-November 2017. The malware was described in a report later and named TRISIS because it targets Schneider Electric’s Triconex safety instrumented system (SIS). Another report by a security vendor was released around the same time discussing an incident at an industrial plant involving the same malware family, which they were brought in to handle (). They named the malware “Triton,” also in reference to the Triconex system that it was specifically customized for.
What is SIS, the system type that TRITON/TRISIS is systematically designed for?
Many of the more well-known and high-profile ICS-related attacks of the past few years were related to process control systems such as Supervisory Control and Data Acquisition (SCADA), making SCADA attacks relatively ubiquitous. The TRITON malware, however, for the first time, targets safety controllers — the so-called safety instrumented systems (SIS).
Safety instrumented systems are used to monitor the condition of values and parameters of a plant’s processes within the operational limits. Under risk conditions, they are programmed to trigger alarms and restore the plant to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. These safety controllers have traditionally been separate systems and are supposed to run independently from other equipment in a facility with the sole purpose of monitoring safety. What we know about the scenario at hand is that the Triconex SIS controller had its key switch in “program mode” during the time of the attack, and the SIS was connected to the operations network against standard best practices.
Looking at SIS in general and the information that is publicly available, it seems that whoever planned the attack would have had to have access to a prototype and studied the specific SIS very closely to build a tailor-made exploit for specifically the type of SIS used by the target victim — in this case, Schneider Electric’s Triconex SIS.
How does TRITON work and what can it do?
TRITON/TRISIS is a highly targeted piece of malware. It is not a scalable attack as it has to be modified for each target organization given that every SIS is unique to the organization and industry it is used in. The currently detected variants are specifically built to tamper with Triconex products.
According to the reports, the attacker first gained remote access to the SIS and then deployed TRITON on a Windows-based workstation with the goal of reprogramming the SIS controllers. The engineering and maintenance tool used by Triconex SIS products is TriStation. The TriStation protocol is proprietary and not publicly accessible. TRITON/TRISIS leverages this protocol, which suggests that the attacker reverse-engineered it when developing the malware.
Once the SIS controller has been compromised, the attacker can reprogram the device to deliberately trigger a safe state, resulting in unwanted downtime and financial losses. The opposite would also be possible, enabling a scenario in which attackers could reconfigure the SIS to allow for dangerous parameters without going into the default safe state. This could have dire physical impact on production, the plant itself, and not the least human safety, according to the investigating security firms.
Who is affected?
Current reports indicate that this malware has affected organizations in the Middle East. The same type of safety controllers are widely used in critical infrastructure, very often in energy facilities (oil and gas), and also sometimes in nuclear energy facilities or manufacturing plants. What we can surmise is that this attack suggests that the threat actor likely seems to have an interest in causing a high-impact attack with physical damage, ruling out run-of-the-mill cybercrime groups.
What does this mean for ICS security?
The TRITON/TRISIS malware is widely seen as a relatively significant event in the ICS community, while others are questioning whether that is not overstating reality given the facts at the moment are sparse and the final analysis has not yet been made public. Because of its potential ability to cause physical impact, it is considered the fifth ever ICS-specific-tailored malware and the first one to target SIS in particular — thereby introducing a new component of the ICS threat surface. TRITON/TRISIS is said to be the next in a line of high-profile ICS-targeting malware attacks with very sophisticated objectives. In the coverage about TRITON, it has been compared to other ICS-related malware families such as Stuxnet, as well as Industroyer or BlackEnergy, which affected electricity distribution companies predominantly in the Ukraine.
The targeting of critical infrastructure to disrupt, tamper, or destroy systems is not new but rather consistent with numerous attack and reconnaissance activities carried out by several threat actors globally. TRITON is consistent with these attacks in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence. Now, modern industrial process control and automation systems rely on a variety of sophisticated control systems and safety functions, so the mechanical damage possible via the controller is limited by any mechanical safety systems deployed within the ICS, also known as Operational Technology. Compromising the safety controllers, therefore, does not necessarily mean the compromise of the safety of the system. Nevertheless, TRISIS has to be seen as an expansion of ICS-asset targeting, another avenue for cybercriminals to potentially cause significant harm in an ICS environment. The focus on safety systems definitely seems the novelty here, and though we haven’t seen actual damage yet, the attacker has in a way laid out a blueprint for going after safety systems.
Defense and Mitigation
Mitigation in the event of such a compromise is important. In the course of a compromise, it is easy to find fault in one component. But realistically, an organization, besides covering the basics, would also want to conduct a proper survey of its own specific OT environment. This is not to say that it is not paramount to have best practices in place, especially having a firewall and system segregation, which are supposed to be an integral part of the design as seen in the example of the SIS. Integrated designs might be tempting for the cost they reduce and the convenience they offer, but case studies such as TRISIS repeatedly highlight the high risk of cyberattack engendered.
We have compiled a list of the most important basic defensive strategies for ICS here.