“Really knowing is good. Not knowing, or refusing to know, is bad, or amoral, at least. You can’t act if you don’t know. Acting without knowing takes you right off the cliff.”
― Ray Bradbury, Something Wicked This Way Comes
I read an article about recent evidence that Triton/Trisis, or something similar to it, may have come back to haunt industrial control system practitioners[1]. If you recall, this was the malware that caused an unplanned shutdown of a petrochemical plant (an oil and gas refinery)[2] in Saudi Arabia in 2017. Its targets were the safety instrumented systems (SIS) made by Schneider Electric (Triconex), and it apparently succeeded in reprogramming some of the control code of the SIS. However, the safety systems later sensed something wrong and executed the automated plant shutdown procedure, bringing the plant back to a safe state as the SIS was designed to do. It may still have been a close call, since simply shutting down the plant may not have been the attackers' intention. There may have been plans to do something worse in the future. Worse, for a petrochemical plant, means physical damage, killing people, and leaving the surrounding environment in a toxic state that extends the time needed for recovery and clean-up[3].
The article contained one unsettling revelation that should raise ICS practitioners' concerns, especially those OT professionals who place faith in the security of segmented (non-internet-connected) OT networks and are *still* running unsupported legacy Windows and proprietary-OS control device boxes, and who also consider patching OT to be an "unacceptable industrial risk". The fact that the petrochemical facility may have first been compromised as far back as 2014, and the intrusion discovered only because of the unplanned shutdown in 2017, should be cause for a sleepless night or two for the thoughtful ICS security practitioner[4].
The adversary is perhaps sleeping more soundly, substituting patience and skill for worry. This is characteristic of the Advanced Persistent Threat (APT): a team of cyber James Bonds with a "licence to kill", state-backed resources, intelligence-gathering assets and a "Q" to solve any technical barrier encountered. The APT that penetrated and compromised the Saudi plant in 2014 took the time to expand its presence, acquire administrator rights and build knowledge of the targeted systems in order to develop an avenue of attack. Thankfully, that avenue was accidentally blocked by a coding mistake before something worse could happen.
The article has one other conclusion to share. Unlike the Stuxnet operation, the Triton group showed little evidence of seeking precision in its choice of target or of minimizing collateral damage. In targeting the SIS they showed a disregard for causing damage and even loss of life[5]. If this is the case, then the stakes have been significantly raised.
One lesson that becomes clear (or is further reinforced) from these findings is that the OT practitioner needs some capability to monitor the health of their devices and "see" what is really going on in their control networks. Someone, or some new unit, needs to be on watch, looking for process anomalies and other signs that something is wrong. Some call this a Security Operations Center (SOC).
It would be one way to ensure some capability to protect the legacy Windows OS and unpatched control system devices. The bottom line is that, without some countervailing policy to make up for the risk of continuing to operate unpatched systems in the current cyber threat environment, any breach could mean "game over". In other words, if the software is the same as it was when first taken out of the box, every exploit developed in the intervening years of operation could theoretically still work. The attacker just needs access to the system, and that capability has been demonstrated to exist by Triton (and by Stuxnet, BlackEnergy, Regin, the German steel mill attack, the Ukraine TSO attack, etc.).
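As an added illustration (not code from the article), the following check takes constructed device-inventory snapshots with hypothetical field names and flags the two conditions discussed above: safety-controller logic that no longer matches its commissioned baseline, and boxes still running the software they shipped with years later.

```python
"""Baseline-drift and unpatched-exposure check for control-system devices.

Added example, not the article's code. Device records and hashes are
constructed; field names (logic_sha256, os, os_date) are hypothetical.
"""
from datetime import date

# Constructed baseline captured at commissioning (hypothetical values).
BASELINE = {
    "SIS-01": {"logic_sha256": "aaaa1111", "os": "Win7-SP1", "os_date": date(2012, 6, 1)},
    "HMI-02": {"logic_sha256": None, "os": "WinXP-SP3", "os_date": date(2009, 3, 15)},
}

# Constructed "current" snapshot as a monitoring agent might report it.
# SIS-01's control logic hash has changed; nothing else has.
CURRENT = {
    "SIS-01": {"logic_sha256": "bbbb2222", "os": "Win7-SP1", "os_date": date(2012, 6, 1)},
    "HMI-02": {"logic_sha256": None, "os": "WinXP-SP3", "os_date": date(2009, 3, 15)},
}

# Date the check is run, fixed so the result is reproducible.
AS_OF = date(2019, 3, 5)


def logic_drift(baseline, current):
    """Return ids of devices whose controller logic hash differs from baseline.

    An unexplained logic change on a safety controller is the kind of event
    a watch function should escalate immediately.
    """
    return sorted(
        dev for dev, now in current.items()
        if dev in baseline
        and now["logic_sha256"] is not None
        and now["logic_sha256"] != baseline[dev]["logic_sha256"]
    )


def unpatched_exposure(current, today, max_years=2):
    """Return {device: years} for boxes whose OS build is older than max_years.

    Years since the OS build approximates how many years of published
    exploits could apply to software that has not changed since install.
    """
    out = {}
    for dev, now in current.items():
        years = (today - now["os_date"]).days / 365.25
        if years > max_years:
            out[dev] = round(years, 1)
    return out


if __name__ == "__main__":
    print("logic drift:", logic_drift(BASELINE, CURRENT))
    print("unpatched exposure:", unpatched_exposure(CURRENT, AS_OF))
```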
It is hard to gauge how serious the threat is, considering all the industrial operations out there. However, after seeing a third site with the same legacy OS and non-patching policy in the past few months, this particular threat can no longer be dismissed out of hand.
[1] Giles, M., "Triton is the world's most murderous malware, and it's spreading", MIT Technology Review, March 5, 2019, https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/
[2] Hand, A., "Triton Gone Wild", Automation World, January 26, 2018, https://www.automationworld.com/triton-gone-wild
[3] If you want to read what a successful sabotage of an oil and gas refinery could look like, the book to read is by former CIA Middle East analyst Robert Baer: Baer, R., "Sleeping with the Devil", Three Rivers Press, New York, 2003, pp. xix-xxiii.
[4] Giles, M., "Triton is the world's most murderous malware, and it's spreading", MIT Technology Review, March 5, 2019, https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware
[5] Ibid.