Since Stuxnet first targeted and destroyed uranium enrichment centrifuges in Iran last decade, the cybersecurity world has waited for the next step in that digital arms race: another piece of malicious software designed specifically to enable the damage or destruction of industrial equipment. That rare type of malware has now reappeared in the Middle East. And this time, it seems to have the express intention of disabling the industrial safety systems that protect human life.
Security firm FireEye today revealed the existence of Triton, also known as Trisis, a family of malware built to compromise industrial control systems. Although it’s not clear in what kind of industrial facility—or even what country—the sophisticated malware appeared, it targets equipment sold by Schneider Electric that is often used in oil and gas facilities, though also sometimes in nuclear energy facilities or manufacturing plants. Specifically, Triton is designed to tamper with or even disable Schneider’s Triconex products, which are known as “safety instrumented systems” (SIS), as well as “distributed control systems” (DCS), made by a separate company, which human operators use to monitor industrial processes.
SIS components are built to run independently from other equipment in a facility and to monitor potentially dangerous conditions, triggering alerts or shutdowns to prevent accidents or sabotage. By obtaining a foothold in the DCS, hackers could use Triton to create a situation that might cause physical harm, an explosion, or a leak. And because Triton’s code also contains the express ability to disable Triconex safety measures, the failsafes that exist to shut down equipment in those situations would be unable to respond. That makes for a dangerous new escalation of hacker tactics that target critical infrastructure.
“[FireEye subsidiary] Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems,” FireEye’s report on its new malware finding reads. “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations.”
Triton acts as a “payload” after hackers have already gained deep access to a facility’s network, says Rob Lee, the founder of security firm Dragos Inc. Lee says Dragos observed the malware operating in the Middle East about a month ago, and had since been quietly analyzing it, before FireEye revealed its existence publicly. When Triton is installed in an industrial control system, the code looks for Schneider’s Triconex equipment, confirms that it can connect to it, and then begins injecting new commands into its operations. If those commands aren’t accepted by the Triconex components, it can crash the safety system. In an emailed statement, Schneider Electric counters that “in this case those commands were accepted successfully by the Triconex components, and the plant was shut down safely.”
Since Triconex systems are designed to “fail safe,” that would lead to other systems turning off as a safety measure, disrupting a plant’s operations. “If the safety system goes down, all other systems grind to a halt,” Lee says.