
Trisis Malware Discovered at Additional Industrial Facility

Trisis, described as the world’s most dangerous malware, has now been found at a second critical infrastructure facility.
  • Written by Brian Buntz
  • 11th April 2019

When cybersecurity researchers at Dragos and FireEye disclosed the so-called Triton malware targeting industrial safety systems, it was something of a revelation. Triton was the first malware discovered that had been built specifically to attack an industrial safety instrumented system (SIS), the layer whose job is to bring a process to a safe state, and so a piece of malware whose evident purpose was physical destruction rather than theft of data. It was, thankfully, not effective in causing disaster.

The attack, also known as “Trisis,” was shrouded in mystery until recently. Early reports were vague: a nation-state actor was likely behind it, and it had struck somewhere in the Middle East. Even so, Triton served as a wake-up call, because a compromised safety system at an oil and gas plant could turn an emergency into massive destruction.

“I was in the Middle East about a week or so before Triton hit,” recalled Jason Haward-Grau, CISO for PAS Global. In a conversation, Haward-Grau asked a security director at an oil company there how he felt about the level of cybersecurity at the company. “Well, he told me he didn’t need to worry about anything. I thought: ‘Wow, you’re the only person I’ve met in cybersecurity who doesn’t worry. I don’t stop worrying. I can’t sleep,’” Haward-Grau continued. The Middle East–based cybersecurity professional went on to rattle off the reasons why he could sleep well at night: “We’re air-gapped. We’ve got data diodes. And if all goes wrong, we’ve got an SIS system,” said the security director, referring to the safety instrumented system, which is designed to enable a critical industrial operation to fail safely and gracefully in the event of an emergency.


One week later, Trisis hit, which prompted the cybersecurity professional to call Haward-Grau. “He rang me and said: ‘Listen, you know how I said we had three central approaches in place for cybersecurity? I’m a little bit nervous now that we may not have all three.’”

While Trisis sent shock waves through the field of industrial cybersecurity in the months after it was uncovered, details surrounding the malware were sparse. Now, a clearer picture of the attack is emerging. FireEye confirmed on April 10 that it had discovered an additional attack at a separate critical infrastructure facility. Last year, the company also announced that it believed the attack had Russian roots.

“For most owners and operators, it doesn’t matter if Russia was behind it, or a hacktivist group,” said Emily S. Miller, director of national security and critical infrastructure programs at Mocana. “What matters is can they cause bad things to happen. And when it comes to critical infrastructure, that means loss of life.”

FireEye has also developed a clearer picture of the intrusion that delivered Triton, which leveraged dozens of commodity and custom tools. For instance, SecHack was used for credential harvesting, while Cryptcat, Bitvise, OpenSSH and PLINK were used to create backdoors. Custom tools likely helped the attackers skirt security protections.

The impact of a successful attack on an SIS could be significant. “A bad actor can shut down a process [intended to safeguard an industrial facility in an emergency] by manipulating the configuration of a safety system,” said Eddie Habibi, chief executive officer of PAS Global, in an email statement. “However, the real danger lies in if the attacker infiltrates other ICS systems within the same facility as the safety system,” he continued. If that happens, an adversary can lay the groundwork for a disaster by modifying industrial processes to exceed safe operating limits, potentially causing physical destruction, injuries and death, and pollution. In the facility where the malware was first identified, Triton could have interfered with the functioning of a burner management system, potentially triggering the release of hydrogen sulfide gas.

Triton, which targeted equipment from Schneider Electric, could also inspire copycat attacks that aim not just to steal sensitive data but to cause physical destruction and possible loss of life. “I think we have seen the catalyzation of similar attacks,” Miller said. And the attack provides a blueprint not just for attacks on the oil-and-gas sector, which was purportedly targeted in the first announced Trisis attack, but for any type of critical infrastructure, including building automation systems. “Look at BlackEnergy,” Miller said, referring to the malware that played a role in shutting down part of the power grid in Ukraine. “When it hit, it was totally new and novel. Now, it is something you can purchase on the dark web.” The adversaries who develop such dangerous attacks could share their tactics with like-minded hackers online, similar to cooks swapping recipes online, Miller said.

The potential for further nation-state backing of such attacks is also troubling. “With the current generation of operational technology (OT) systems, an unmitigated cybersecurity issue is an unmitigated safety issue,” said John Sheehy, vice president of strategic services at IOActive in an email statement. Schneider has since launched an educational campaign to transform Triton into a “call to action” for the industry, Andrew Kling, director of cybersecurity and system architecture at Schneider Electric, said in an interview last year.

FireEye researchers believe that nation-states could be developing such malware to support contingency operations rather than to launch immediately destructive attacks. Setting up and orchestrating an attack like Trisis likely requires years of planning and investment from threat actors, who work to ensure continued access to their target’s environment. The FireEye research team believes it took nearly a year for the adversary to expand access from the target’s network to an SIS engineering workstation. In the meantime, the attacker worked carefully to hide their tracks, for instance by renaming executable malware files to look like Microsoft update files. FireEye believes the attackers behind Trisis have been active since at least 2014.
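The tooling named earlier and the file-name masquerading just described suggest a concrete check for an SIS engineering workstation, which should run a small and fixed set of programs. The following is an added example written for this page, not a detector from FireEye, Dragos or any vendor: it compares process-creation events against an allowlist baseline, then flags the commodity tunnelling tools the article names and executables whose names imitate Microsoft update components without carrying a Microsoft signature. The event fields (a subset of Sysmon Event ID 1), the tool binary names, the baseline paths and the sample events are all assumptions constructed for the example.

```python
"""Baseline check for an SIS engineering workstation (added example).

Example code written for this article, not a detector from FireEye, Dragos
or any vendor. The event format (a subset of Sysmon Event ID 1 fields), the
tool binary names, the baseline paths and the sample events are assumptions
constructed for the example.
"""
from __future__ import annotations

import json
import re
from pathlib import PureWindowsPath

# Assumed baseline: every image expected to start on this host, lower-cased.
# An SIS engineering workstation has a small, fixed software inventory, so
# anything outside this set is worth a look on its own.
BASELINE = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wuauclt.exe",
    r"c:\program files (x86)\vendor\engineering\sisengineer.exe",  # hypothetical SIS tool
}

# Binary names of the commodity tunnelling/backdoor tools the article lists
# (PLINK, Cryptcat, Bitvise, OpenSSH). Names are assumed, and attackers rename
# them, so hash matching in an EDR is the stronger control.
TUNNEL_TOOLS = {"plink.exe", "cryptcat.exe", "nc.exe", "ssh.exe", "bvssh.exe"}

# File names that read like a Windows/Microsoft update component.
UPDATE_LOOKALIKE = re.compile(r"(windows|microsoft|ms|win).*update|^wuau|^kb\d{6,7}", re.I)
MICROSOFT_SIGNERS = {"microsoft windows", "microsoft corporation"}


def check_event(event: dict) -> list[str]:
    """Return the reasons (possibly none) a process-creation event is suspicious."""
    image = event["Image"]
    name = PureWindowsPath(image).name.lower()
    signer = event.get("Signature", "").lower()
    reasons = []
    if image.lower() not in BASELINE:
        reasons.append("not in workstation baseline")
    if name in TUNNEL_TOOLS:
        reasons.append("known tunnelling/backdoor tool name")
    if UPDATE_LOOKALIKE.search(name) and signer not in MICROSOFT_SIGNERS:
        reasons.append("update-lookalike name without Microsoft signature")
    return reasons


def scan(lines) -> dict[str, list[str]]:
    """Map each flagged image path to its reasons, given JSON-lines events."""
    findings = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = check_event(event)
        if reasons:
            findings[event["Image"]] = reasons
    return findings


# Constructed sample telemetry, not events from any real incident.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\svchost.exe", "Signature": "Microsoft Windows"}
{"Image": "C:\\Windows\\System32\\wuauclt.exe", "Signature": "Microsoft Windows"}
{"Image": "C:\\Program Files (x86)\\Vendor\\Engineering\\SisEngineer.exe", "Signature": "Vendor Corp"}
{"Image": "C:\\Users\\operator\\AppData\\Local\\Temp\\plink.exe", "Signature": ""}
{"Image": "C:\\ProgramData\\WindowsUpdate\\MsUpdateSvc.exe", "Signature": ""}
"""

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS.splitlines()).items():
        print(image, "->", "; ".join(reasons))
```

The baseline comparison does most of the work: the other two checks key on names the attacker chooses, so treat them as enrichment that explains why a new binary matters rather than as the primary signal, and prefer hash or signer matching in your EDR for tools that are routinely renamed.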

Sheehy and Miller both said the Triton malware should also serve as an impetus to bake holistic cybersecurity protections into industrial environments, rather than focusing predominantly on defensive measures such as network monitoring and threat hunting. Sheehy also stressed the importance of building physical safety protections into industrial environments that could help mitigate a successful safety-oriented cyberattack. “Where possible, designers should use orthogonal safety controls, such as mechanical pressure relief valves or mechanical governors, that have zero coincidence with the control systems and therefore cannot be affected by them,” Sheehy said. “Today’s OT implementations should focus on managing the consequences of a cybersecurity attack through layered protections and mitigations using non-cybersecurity engineering controls. This should be done with a focus on providing operational resiliency to the process and overall operations.”
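Sheehy’s point about orthogonal controls, and Habibi’s earlier point about an attacker pushing a process past its safe limits once the safety system is subverted, can be made concrete with a small model. The following is an added example written for this page, not code from PAS Global, IOActive, Schneider Electric or any real plant; the vessel, its numbers, the controller logic and the attack steps are all constructed. It runs the same over-pressure attack four ways and shows why a mechanical relief valve, which shares no component with the control or safety software, still bounds the outcome when both software layers have been compromised.

```python
"""Layered protection around a pressurised process (added example).

Example code written for this article, not code from PAS Global, IOActive,
Schneider Electric or any real plant. The vessel, its numbers, the controller
logic and the attack sequence are all constructed. The model has three
layers: a basic process control system (BPCS) and a safety instrumented
system (SIS), both software reachable from the network, and a mechanical
relief valve that shares no component with either of them.
"""
from dataclasses import dataclass


@dataclass
class Vessel:
    pressure: float = 10.0         # bar, current pressure
    setpoint: float = 10.0         # BPCS target; writable from the network
    sis_trip: float = 14.0         # SIS trips the burner above this
    sis_enabled: bool = True       # False models a subverted SIS
    has_relief: bool = True        # False models a plant with no mechanical valve
    relief_lift: float = 16.0      # valve lifts above this
    relief_capacity: float = 2.0   # bar per tick the valve can vent; must beat
                                   # the worst-case rise (1.25/tick here)
    rupture: float = 18.0          # vessel fails above this
    burner_on: bool = True
    tripped: bool = False


# --- cyber layers: both are software, both can be manipulated ---

def bpcs_heat(v: Vessel) -> float:
    """Crude proportional controller: heat input from the setpoint error."""
    return max(0.0, min(3.0, 1.0 + 0.5 * (v.setpoint - v.pressure)))


def sis(v: Vessel) -> None:
    """Independent trip: latch the burner off once the trip point is passed."""
    if v.sis_enabled and v.pressure > v.sis_trip:
        v.burner_on = False
        v.tripped = True


# --- physical layer: no software in the loop ---

def relief_valve(v: Vessel) -> None:
    """Spring-loaded valve: vents whenever pressure exceeds its lift point."""
    if v.has_relief and v.pressure > v.relief_lift:
        v.pressure -= v.relief_capacity


def step(v: Vessel) -> float:
    """Advance one tick; return the pressure reached before the valve responded."""
    heat = bpcs_heat(v)
    sis(v)
    if v.burner_on:
        v.pressure += 0.5 * heat               # heating raises pressure
    v.pressure = max(0.0, v.pressure - 0.25)   # steady consumption/loss
    reached = v.pressure
    relief_valve(v)
    return reached


def run(v: Vessel, ticks: int = 60) -> dict:
    """Run the model; report peak pressure, SIS trip and rupture."""
    peak = v.pressure
    for _ in range(ticks):
        reached = step(v)
        peak = max(peak, reached)
        if reached > v.rupture:
            return {"peak": peak, "tripped": v.tripped, "ruptured": True}
    return {"peak": peak, "tripped": v.tripped, "ruptured": False}


def scenarios() -> dict:
    """Normal operation, then the same over-pressure attack with the SIS
    intact, with the SIS disabled, and with the SIS disabled and no valve."""
    attack = 50.0  # attacker-written setpoint far beyond the safe limit
    return {
        "normal": run(Vessel()),
        "attack_sis_ok": run(Vessel(setpoint=attack)),
        "attack_sis_disabled": run(Vessel(setpoint=attack, sis_enabled=False)),
        "attack_no_sis_no_relief": run(
            Vessel(setpoint=attack, sis_enabled=False, has_relief=False)),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:24s} peak={r['peak']:5.2f} tripped={r['tripped']} ruptured={r['ruptured']}")
```

With the SIS intact the attack trips the burner at 15 bar; with the SIS disabled the valve holds the vessel to a peak of 17.25 bar, below the rupture point, while both software layers are working for the attacker; remove the valve and the vessel fails within a handful of ticks. The valve’s capacity has to be sized against the worst-case rate of rise the heat source can produce, which is an engineering calculation rather than a security control, and that independence from the software is the whole point.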

“Let’s get to the root cause of the impact here: we need to harden and embed security into these ICS devices from the beginning,” Miller said in an email statement. “Until we do that, we’ll continue leaving ourselves like sitting ducks for even more critical infrastructure attacks such as this one.”

 

One comment

  1. William Hathaway, 20th April 2019 @ 1:26 pm

    sounds like what happened in Texas
