alphaspirit - Fotolia

Triton framework used in industrial control attacks

Security researchers discovered new ICS attacks using the Triton framework that may have been nation-state-sponsored and intended to cause real-world damage.

Researchers analyzed industrial control system attacks and found malware designed to cause real-world damage and potentially shut down critical infrastructure.

The industrial control system (ICS) attacks that were spotted by FireEye's Mandiant threat research team used what FireEye called the Triton framework, because it targets Triconex Safety Instrumented System (SIS) controllers. FireEye said the Triton framework tool was built with "the ability to read and write programs, read and write individual functions, and query the state of the SIS controller" and targeted systems that "provided emergency shutdown capability for industrial processes." However, the researchers said the aim of the malicious actors went beyond simply shutting down systems.

"The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment," FireEye researchers wrote in a blog post. "While these attempts appear to have failed due [to] one of the attack scripts' conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown."

The researchers said the attackers were well-prepared, noting that the Triton framework tool would have required reverse-engineering the proprietary TriStation protocol, and the attack tool was already built and tested before putting it into use. This "persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation-state actor," researchers said, but no specific nation state was suggested.

Although it is unclear which organization was the target of the Triton framework ICS attacks, some research pointed to a victim in the Middle East. Phil Neray, vice president of industrial cybersecurity at CyberX, based in Framingham, Mass., claimed "Saudi Arabia [was] the likely target of this attack, which would indicate Iran as the likely attacker."

"It's widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and, more recently, in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat, because now we're talking about critical infrastructure. But it's also a logical next step for the adversary," Neray told SearchSecurity. "Stuxnet and, more recently, Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches."

Mitigating ICS attacks

FireEye and other experts, such as Chris Morales, head of security analytics at Vectra Networks, a cybersecurity company based in San Jose, Calif., suggested attacks like those using the Triton framework could be mitigated if ICS systems are isolated from networks.

"To gain access to the industrial control systems, the threat actor infected an SIS engineering workstation on what is supposed to be an isolated network. Systems and network administrators, third-party vendors, industrial system developers and integrators have different levels of internet access and ICS management access," Morales told SearchSecurity. "And they have unwittingly created a way in for attackers. For example, an infected laptop can be brought in by a contractor, connect to the network and spread to the controlled ICS environment."

Schneider Electric, maker of the Triconex system, said it is investigating the incident and added more security recommendations.

"Ensure the cybersecurity features in Triconex solutions are always enabled. Never leave the front panel key position in the 'Program' mode when not actively configuring the controller," Schneider Electric wrote in an advisory. "And ensure all TriStation terminals, safety controllers and the safety network are isolated from the rest of the plant communication channels."

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing