Safety Concerns Emerge From Triton Malware Targeting Industrial Control Systems

A new type of malware called Triton has shut down the operations of a critical infrastructure organization, according to security firm FireEye, throwing industrial control system security into the spotlight.

"Attacks targeting industrial control systems aren't just costly, they're dangerous … if you take a step back and think about what could happen in an industrial facility, a valve could turn the wrong way, a reactor could blow up. There are human safety concerns involved," said Jim Gillespie, CEO of Pittsburgh, Pa.-based GrayMatter.

"This is the kind of attack that [solution providers] have been saying will come … I'm hoping this causes companies to increase the priorities for securing their industrial control systems. With an attack like this, companies are facing implications around human safety, money and business interruption," he said.

[Related: Security Firms: CrashOverride Malware Marks Newest Security Threat For Industrial Control Systems]

Sponsored post

FireEye on Thursday said its subsidiary, Mandiant, has responded to an unidentified critical infrastructure company where a hacker had used the malware and shut down operations. The malware, Triton, targets explicitly a Schneider Electric product called Triconex, which is a safety instrumented system for industrial plants.

The attacker gained remote access to a safety instrumented system engineering workstation and deployed the Triton attack framework to reprogram the system's controllers.

While FireEye did not identify the industrial firm that was targeted, it said it had "moderate confidence" that a nation-state sponsored the actor.

"During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation," according to FireEye. "The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check – resulting in an MP diagnostic failure message."

Triton is a rare publicly identified malicious software that targets industrial control systems. Other software families targeting industrial control systems include Stuxnet, which was used against Iran in 2010; and Industroyer, which was used against Ukraine in 2016.

"Security is critically important," said Karim Bibawi, the Industrial IoT Lead at PwC. "Clients in the industrial Internet of Things space are becoming more concerned with operational technology security – they want to know how to secure automation systems and the devices collecting data at the edge."

Despite increasing interest around security solutions for operational technology and control systems, partners stressed that customers in the industrial space remain unprepared for security attacks on connected devices.

"Customers think that they're covered and they're not… Or in some cases they think there's an air gap between the outside world and their industrial control system," said Gillespie. "We've found there's a lot of attack vectors that are open."

"We've been expecting the manufacturers and water folks to get on board with this in the past two or three years …. We're surprised it's not taking off faster," he said. "2018 could be the year where security becomes a top focus for control systems."