That “Something wicked this way comes” is back again.

“Really knowing is good. Not knowing, or refusing to know, is bad, or amoral, at least. You can’t act if you don’t know. Acting without knowing takes you right off the cliff.”
Ray Bradbury, Something Wicked This Way Comes

What viewing aid will allow us to “see” dangerous anomalies in our systems?

Read an article about recent evidence that Triton/Trisis or something similar to it may have come back to haunt industrial control system practitioners[1].  If you recall this was the malware that caused an unplanned shutdown of a petrochemical plant (oil and gas refinery)[2] in Saudi Arabia in 2017. Its targets were the safety instrumented systems made by Schneider Electric (Triconex) and apparently succeeded in reprograming some of the control code of the SIS. However the safety systems later sensed something wrong and executed the automated plant shutdown procedure bringing the plant back to safe state as the SIS was designed to do.  However it may have been a close call for it may not have been the intention of the attackers to just shut down the plant.  There may have been plans to do something worse in the future.  Worse for a petrochemical plant means damage, killing people, and leaving the surrounding environment in a toxic state which will extend the time of recovery and clean-up[3].

The article contained one unsettling revelation which should raise ICS practitioner’s concerns.  Especially the OT professionals who place faith in the security of segmented (non-internet connected) OT networks and are *still* using unsupported legacy windows and proprietary OS control device boxes.  The same ones who also consider patching OT to be an “unacceptable industrial risk”.  The fact that the petrochemical facility may have been first compromised as far back as 2014 before discovery due to an unplanned shutdown in 2017 should be cause for a sleepless night or two for the thoughtful ICS security practitioner[4].

The adversary is perhaps sleeping more soundly by substituting patience and skill for worry.  This is characteristic of the Advanced Persistent Threat (APT).  The team of cyber James Bond’s who have the “license to kill”, state backed resources, intelligence gathering assets and a “Q” to solve any encountered technical barriers.  The APT that penetrated and compromised the Saudi plant in 2014 took the time to expand their presence, acquire administrator rights and knowledge of targeted systems to develop avenue of attack. One that thankfully was accidently blocked by some coding mistake before something worse could happen.

The article has one other conclusion to share.  Unlike the Stuxnet operation the Triton group showed little evidence of seeking precision in choice of target or in minimizing collateral damage. In targeting SIS they showed a disregard for causing damage and even causing loss of life[5].   If this is the case then the stakes have been significantly raised.

Some lessons learned that become clear (or perhaps are further reinforced) from these findings is that the OT practitioner needs to have some capability to monitor the health of their devices and “see” what is really going on in their control networks.  Someone or some new unit needs to be on watch looking for process anomalies and other signs of something wrong. Some call this a Security Operations Center (SOC).  It would be one way to insure some capability to protect the legacy Windows OS and unpatched control system devices.  The bottom line is that without some countervailing policy to make up for carrying the risk of continuing to operate unpatched systems, in the current cyber threat environment, any breach could lead to “game over”.  In other words if the software is the same as it was when first taken out of the box, all exploits that have been developed in the intervening years of operation could theoretically work. Just need to get access to the system and that capability has been demonstrated to exist by Triton (Stuxnet, BlackEnergy, Regin, German Steel Mill attack, Ukraine TSO, etc and etc.). It is hard to gauge how serious the threat is considering all the industrial operations out there. However, after seeing a 3rd site with the same legacy OS and non-patching policy in the past few months, this particular threat can no longer be denied out of hand.

[1] Giles, M.,  “Triton is the world’s most murderous malware, and it’s spreading”,  MIT Technology Review  March 5, 2019,

[2] Hand, A., “Triton Gone Wild”, Automation world, January 26, 2018,

[3] If you want to read what a successful sabotage of oil and gas refinery could look like, the book to read is by former CIA Middle East analyst Robert Baer. “Sleeping with the devil”, Three Rivers Press, N.Y. 2003 pp. xix-xxiii.

[4] Giles, M.,  “Triton is the world’s most murderous malware, and it’s spreading”,  MIT Technology Review  March 5, 2019,

[5] Ibid

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is member of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard and Workgroup 14 on security profiles for substations.

Related posts