Industrial plant shut down by "Triton" (or "Trisis") malware attack.
On Thursday FireEye reported a significant attack on an unnamed industrial plant. They call the malware "Triton," and say it was designed to interact with Schneider Electric Triconex Safety Instrumented System (SIS) controllers, widely used in the energy sector. The attackers introduced it via remote access and attempted to use it to reprogram the SIS controllers. In the process they tripped some of the controllers into fail-safe shutdown, apparently inadvertently, and it was that shutdown that halted the plant.
Given the absence of any evident financial motive, FireEye thinks the attack was probably a nation state's work, but declined to speculate about which nation state it might have been. The attackers succeeded in establishing themselves in the plant's Distributed Control System (DCS), whence they were able to reach the SIS. FireEye assesses the incident as reconnaissance and preparation: the attackers seem to have been interested in gaining the ability to accomplish one of three results at some future point. "Attack Option 1: Use the SIS to shutdown the process," which would cause process downtime and require complex restarts at considerable expense to the plant operator. "Attack Option 2: Reprogram the SIS to allow an unsafe state," which would increase the risk of physical damage or injury. "Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard;" that is, directly cause serious injury or damage (FireEye).
Industrial security experts at Dragos, which called the attack a "watershed" event (Reuters), released their analysis of the malware on Thursday as well. They're calling it "Trisis," and they properly note that, while it's a nasty, bold piece of work, "defense is doable." They also remind people that safety systems, if well-designed, degrade gracefully even if their security is compromised: "As long as the SIS performs its safety function the compromising of its security does not represent danger as long as it fails safe" (Dragos).
CyberX says the affected plant is in Saudi Arabia, and that Iran is, on form if not on direct evidence, the likely suspect. CyberX's Phil Neray told us:
"We have information that points to Saudi Arabia as the likely target of this attack, which would indicate Iran as the likely attacker. It's widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we're talking about critical infrastructure—but it's also a logical next step for the adversary. Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and TRITON appears to be simply an evolution of those approaches."