While malware attacks, in general, are a part of everyday life for traditional IT assets, the increase in targeting of OT assets—specifically in critical infrastructure—is deeply concerning.
Last week FireEye® released a blogpost around recently discovered malware, dubbed TRITON. TRITON malware was discovered during forensic analysis of an incident involving the failure of a critical infrastructure system. Here’s a quick recap of the incident:
- The target was an undisclosed critical infrastructure system in the Middle East
- The attack was carried out over the Internet
- The malware entry point was an engineering workstation
- The malware targeted a specific industrial control system (ICS) component – Schneider Electric Triconex Safety Instrumented System (SIS), which was left in ‘program’ mode
- The Triton malware’s execution caused an error on the SIS controller which triggered a system shutdown
- Analysis of the attack suggests the goal of the Triton malware was to cause actual physical damage to the ICS asset, and that the ‘safe’ shutdown of the system was inadvertent
Notable OT attacks over the years have included Stuxnet, Dragonfly/Havex, BlackEnergy, CrashOverride. Where attacks on traditional IT assets are usually motivated by financial gain, espionage or hacktivism, attacks on critical infrastructure carry the very real possibility of endangering public safety.
The legacy approach to securing OT assets has been to isolate them through airgaps, a practice of removing assets’ outbound Internet connectivity. However, today’s connected world makes this approach increasingly difficult. A more holistic approach is required, migrating from an assumed airgap to more robust network segmentation combined with a set of hygiene-based security controls, very similar to common IT security controls, but tailored specifically for OT. The NIST 800-82 Guide to Industrial Control Systems (ICS) Security is a great example of this holistic approach.
Specific to the recently publicized attack, there were several issues that allowed the TRITON malware to be successful:
- Deficiency #1: The safety systems were connected to the Internet. Even now, as OT assets are more connected than ever before, the safety systems are never supposed to be externally accessible. These systems are designed to prevent physical harm and should be treated with the highest criticality.
- Deficiency #2: The engineering workstation had a high likelihood of vulnerabilities. I’m making an assumption on this, but it’s a relatively safe assumption. These engineering workstations are typically running standard Windows operating systems, but are usually excluded from standard OS hygiene due to the typical airgap approach.
- Deficiency #3: The SIS controller was left in ‘program’ mode. A safeguard built into the controller requires a physical key to be inserted and turned to ‘program’ mode before configurations can be made. This particular controller was left in ‘program’ mode, allowing the attackers to bypass the physical security lock.
Issues like these are not uncommon in OT environments and airgaps are no longer acceptable for broad-stroke remediation. The complexity of actually solving this issue is a major influencer driving the convergence of IT and OT. Issues like these are foreign to most OT operators, so it only makes sense to loop in IT resources that have been solving similar issues decades. The threat is real, airgaps are going away, and solving for malware like TRITON is going to take the whole team.
ForeScout has a focus on Security for IT and OT and is my concentration every day with Ryan Brichant, ForeScout’s CTO ICS/OT Security. If there are specific questions on best practices to guard against attacks in converged IT and OT scenarios, perhaps we can solve these issues together.
For more information on ForeScout’s approach to securing OT environments, view our Operation Technology Solution Brief.
Sources for the article:
Schneider Electric: https://www.schneider-electric.com/en/download/document/SEVD-2017-347-01/