Industrial Control System (ICS) are everywhere, they are especially present in critical infrastructures and industrial sectors. They help monitoring complex industrial processes. Nuclear facilities, Power plants and Manufacturing are examples of industries in which ICS are heavily used. Medical equipment, smart car or smart houses are other examples where ICS are used by everyone in everyday life.
Since 2005, attacks targeting Industrial Control System (ICS) are become more and more frequent. The impact of these attacks can often be serious damages in terms of production, operations, financial losses and more importantly human lives which are put at risk. Every year, there are more and more attacks targeting ICS systems. There are several attack vectors such as absence of strong network segmentation and unsecured remote access to ICS components.
In 2017, a Saudi Arabian petrochemical plant was targeted by the malware called Triton (also known under names such as Trisis or HatMan). The attackers took control of a subcategory of ICS: Safety Instrumented System (SIS) controller by Triconex which detects abnormal conditions and returns the system into a safe state. The Triconex SIS distributed by the Schneider Electric is used in thousands of industrial plants in nuclear, oil and chemical industries.
SIS controllers are automated monitoring solutions aimed at maintaining the plant in a safe state condition or bring it back into a safe state when some of the parameters (for example temperature or pression) are becoming abnormal. SIS is the last line of defense to protect human lives and industrial plants against physical damage.
The Triton attack framework developed by hackers was made to reprogram the SIS controller and modify its behavior.
Probably using a phishing attack, the attacker gained remote access to one of the computers on the process control network which had access to the SIS controller. Nowadays it is trendy to have the process control systems and the SIS controllers on the same network. Moreover, the attack surface increases if the network can be accessed remotely.
The hacker succeeded to access the SIS and implanted an executable, the first step of the malware consisted in downloading another piece of malicious code. Using a zero-day attack, the attacker managed to elevate its privileges to the one of supervisor (read/write/execute privileges) in order to inject the payload in the memory of the Triconex. The payload contained an implementation of the TriStation protocol, reverse-engineered by the hackers, that can be used to communicate with the targeted device.
We assume that the attacker made a mistake and accidentally caused the plant shut down. The plant owner did an investigation and discovered the Triton Malware. According to the Schneider report, the attack’s intended goal was not to shut down the plant but to cause more physical damage.The hackers have not been identified but they are probably sponsored by a nation state as they have targeted a critical infrastructure and because of the absence of ransom request.
Network segmentation is one of mitigations in this case.We use Triton as an example of attack targeting ICS but there are many others (for example Stuxnet in 2010 against Iran) that can cause a significant damage.
Thanks to ARCA Trusted OS system hardening, it is possible to implement a firmware signature process for embedded devices as well as critical industrial systems. Therefore, it would be impossible for an attacker to replace the binary or executable utility by a “rogue” one. In the above scenario, the attack would not be able to continue and lead to a damaging impact.
CYSEC LAB is a security evaluation lab performing research of front-edge technologies. The team, made of embedded engineers, security researchers and cryptographers, has the complementary skills that allows CYSEC to engineer and develop home made test benches with high performance.
For more information, please visit: www.cysec.com/lab/