Slashdot Mirror


Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment (securityweek.com)

wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.

30 comments

  1. Why the hell ... by Anonymous Coward · · Score: 0

    Why the hell do people have their critical infrastructure on networks which aren't isolated and locked down?

    If you're vulnerable to this kind of attack without, maybe you're too damned stupid to run critical infrastructure?

    1. Re:Why the hell ... by Anonymous Coward · · Score: 0

      Posting anon because I RTFA. So ashamed.

      the victim was an industrial asset owner in the Middle East.

      Windows was the vector.

    2. Re:Why the hell ... by Anonymous Coward · · Score: 0

      The report is a little light on the details about the method used to insert the malware. The fact is a lot of people responsible for securing critical infrastructure are doing a good job. But no matter how diligent and proactive they are it doesn't stop people from trying to compromise their systems. Perimeter security has been hardened to the point where other methods are required to inject malware into a system. And the other methods all revolve around the humans who build, manage, support, and use the targeted systems. E-mail phishing is still the number one vector for malware infections today. And one area where companies could do more to protect their systems is whitelist the sites the employees can access from inside the company's network. This can be difficult depending on the job and exceptions can be made. Whitelisting enhances security and stops the employees from endlessly surfing the web during business hours.

      And it is possible to attack critical systems with no network connections to the outside world. Iran's nuclear centrifuge laboratory was totally isolated from any outside network while also being located in one of the most heavily guarded sites in the country and that didn't stop Stuxnet. The point being nothing is truly secure if someone has enough resources and wants it badly enough.

      The fact is going after infrastructure such as power transmission lines or oil and gas pipelines doesn't require developing intricate malware. It is easier and more effective by planting enough C-4 at the critical junction points and detonating it. Physically securing 1000's of miles of oil and gas pipelines and power transmission lines is not possible. State sponsored cyber attacks are considered an act of war and fall into the MAD doctrine. Any harm inflicted on US infrastructure will result in the US returning the favor. US infrastructure may have some weak points but Russia and China have considerably more weak points. Back in the 80's the US let Russia steal some advanced PLC components and processors with CIA embedded malware. 4 months later one of Russia's Siberian pipeline control stations suffered a catastrophic failure followed up with an impressive explosion that put the pipeline out of order for 6 months.

    3. Re:Why the hell ... by Computershack · · Score: 1

      Why the hell do people have their critical infrastructure on networks which aren't isolated and locked down?

      Let's blame the victim for not locking the door, not the burglar eh? The better question is how sick in the head do you have to be to even think about attacking something like this?

      --
      I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams

    4. Re:Why the hell ... by thegarbz · · Score: 1

      Given the level of sophistication that came out of Stuxnet showed that it was state sponsored, I'd say about as sick in the head as any modern government or military.

      Now I'm going to hide before a USA drone drops a missile in my living room without due process. Wouldn't be the first time.

  2. Use some old school technology by Anonymous Coward · · Score: 1

    Why not employ a PROM (programmable read only memory) as much as you can. These guys ignore other instructions and follow the routine that was put into them.

    1. Re:Use some old school technology by Anonymous Coward · · Score: 0

      Why not employ a PROM (programmable read only memory) as much as you can. These guys ignore other instructions and follow the routine that was put into them.

      actually, safety controllers work with a configuration certification and are supposed to be a locked down config, but in the real world, most dcs engineers tweak the config and limits as there's the need to keep the process running and a bad sensor may shutdown the plant

  3. in other news by zlives · · Score: 1

    kids eat all the candy left in front of them...

    moral... don't be an idiot

    1. Re: in other news by Anonymous Coward · · Score: 0

      I'm 33. Give me my candy back, jerk.

  4. The emperor has no clothes by Anonymous Coward · · Score: 0

    Being such an authority on security, I would have expected more from Bruce Schneider

    1. Re:The emperor has no clothes by FatdogHaiku · · Score: 1

      I think you're thinking about Bruce Schneier ...
      It's OK, I thought they were talking about Rob Schneider... and I really don't want to see him designing safety systems for critical infrastructure!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office

  5. Fits the typical NSA/CIA signature by Anonymous Coward · · Score: 0

    this is what they did to Iran when they sabotaged their nuclear power plants, and generally the kind of sabotage they focus on - shutting down power plants and other critical infrastructure remotely.

    I hope Germany doesn't throw their own Schneider under the bus here, but do everything they can to stop America from doing this, diplomatic efforts included.

    1. Re: Fits the typical NSA/CIA signature by Anonymous Coward · · Score: 0

      Schneider is French you insensitive clod

  6. deserves the death penalty by Anonymous Coward · · Score: 0

    If this hacker ever gets caught, they need the death penalty, to highlight the seriousness of their actions!

  7. Don’t worry by GrahamJ · · Score: 1

    The US government did the same type of thing with STUXNET so obviously it’s totally ok.

    1. Re:Don’t worry by Anonymous Coward · · Score: 0

      If you are going to mention the USG/Stuxnet incident you may as well mention their partner in crime Israel as well.

    2. Re:Don’t worry by nnull · · Score: 3, Informative

      It's not like you have to do much. Most of these manufacturers don't care about security, because it's additional costs. You'd be surprised how many machines out there are just openly connected to the internet, because ooo wow, we made a phone app so you can see how your production is going, but you have to open port xxx on your firewall. When I tell these guys no, they all go into a fury and try to talk down to me like a child (At least most American machine manufacturers do).

      When I ask for encryption and security precautions from manufacturers, they just look at me funny and think I'm crazy. If you think I'm joking, just scan through a bunch of IP's and enjoy how much high tech equipment is just out there in the open where you can just completely obliterate someone's manufacturing process. It's not like it hasn't happened before, you know. Knowledge of SCADA systems? What the hell for? Most of these idiots run some unsecured remote access, so you can easily press buttons like you're there. My favorite latest thing these guys do now is install TeamViewer on these machines (Free version of course, surprised TeamViewer hasn't gone after these people for using it for commercial use, big name manufacturers too that I can easily name), with some social engineering, you can easily get the TeamViewer ID and password. Nobody ever changes it, like, ever. These are "Professionals" doing this on a daily basis by the way.

      What I quite hate is how after these places get hacked, they claim the hacker is some sort of genius, that meticulously planned this attack, when all he did was login to the PLC or some Windows based Operator console and messed with the whole thing.

    3. Re:Don’t worry by thegarbz · · Score: 3, Informative

      This is actually quite interesting. It looks like the remote access was to the engineering workstation which by its very nature needs to be networked with the control system. This doesn't sound like some vendor's bullshit idea but rather that the plant engineers had no idea what they were doing. Also since this is an SIS system, there's no reason for it to require a remote access and any of your talk on fancy apps and what not doesn't really apply.

      There are far more interesting things under here as well, either:
      a) write access was enabled via the keyswitch on the Tricon chassis which is a really stupid thing to do permanently, or
      b) far worse: the keyswitch doesn't prevent writing to the program space and is just a trigger for the software not to proceed. This would be a huge failing, one that would likely get TÜV to strip their certification against the IEC standard for this.

      Watching keenly. We've got these systems everywhere.

    4. Re:Don’t worry by thegarbz · · Score: 1

      I do worry. Stuxnet targeted a PLC / control system in an attempt to push product off spec.

      This was an attack on a Safety Instrumented System which implies that it was an attempt to really blow something up.

      I also worry further because while the Siemens S7 / Stuxnet was an inside job delivered via USB key, this here talks about remote access to an engineering station which implies a whole new level of incompetence on a far more important system.

    5. Re:Don’t worry by thomst · · Score: 1

      Mod parent +1 Informative, please ...

      --
      Check out my novel.

    6. Re:Don’t worry by thomst · · Score: 1

      Mod parent +1 Informative, please. This is exactly the kind of post /. needs more of ...

      --
      Check out my novel.

    7. Re:Don’t worry by thegarbz · · Score: 2

      Replying to self with more information.

      Triconex systems have a physical keyswitch on chassis 1 which is by default setup to allow 4 states: Run, Remote, Program, and Stop. Remote in this case allows writing modbus values to the system over the network and prevents all memory access. Program allows writing over the running program memory.

      Based on the analysis by Dragos https://dragos.com/blog/trisis... it would appear the customer was running with the switch permanently in program mode and the attacker got in via RDP to the engineering workstation.

      This is multi-level stupid by the customer bypassing a whole host of protections, bridging networks, and allowing a foreign and remote connection to the engineering station. This kind of thing is heavily warned against by Schneider's own manuals and implementation guides. Someone better have been fired over this.
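The keyswitch states and the "permanently in program mode" finding above suggest a simple defender-side check. As an added example (not code from the thread, from Schneider, or from Dragos), this assumes a monitoring system that periodically records each controller's keyswitch position as constructed log lines of the form `<ISO time> <controller> <state>`; the controller names, log format and 4-hour change window are assumptions.

```python
"""Flag an SIS whose chassis keyswitch stays in PROGRAM beyond a change window.

Constructed example. Keyswitch states follow the four positions named in
the thread: RUN, REMOTE, PROGRAM and STOP. Only PROGRAM allows writing the
running program memory, so a switch parked there is the condition to alert on.
"""
from datetime import datetime, timedelta

# Constructed sample: SIS-01 enters PROGRAM for a 40-minute change and
# returns to RUN; SIS-02 is seen in PROGRAM at every sample for days.
SAMPLE_LOG = """\
2017-12-10T08:00:00 SIS-01 RUN
2017-12-10T08:00:00 SIS-02 PROGRAM
2017-12-10T09:00:00 SIS-01 PROGRAM
2017-12-10T09:40:00 SIS-01 RUN
2017-12-11T08:00:00 SIS-02 PROGRAM
2017-12-13T08:00:00 SIS-02 PROGRAM
"""

VALID_STATES = {"RUN", "REMOTE", "PROGRAM", "STOP"}


def parse_log(text):
    """Yield (timestamp, controller, state); reject unknown states loudly."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ctrl, state = line.split()
        if state not in VALID_STATES:
            raise ValueError(f"unknown keyswitch state {state!r}")
        yield datetime.fromisoformat(ts), ctrl, state


def program_mode_intervals(text):
    """Return {controller: [(start, end_or_None), ...]} for runs in PROGRAM.

    An interval whose end is None is still open at the last sample, i.e. the
    switch was never observed leaving PROGRAM."""
    open_since = {}
    intervals = {}
    for ts, ctrl, state in parse_log(text):
        if state == "PROGRAM" and ctrl not in open_since:
            open_since[ctrl] = ts
        elif state != "PROGRAM" and ctrl in open_since:
            intervals.setdefault(ctrl, []).append((open_since.pop(ctrl), ts))
    for ctrl, start in open_since.items():
        intervals.setdefault(ctrl, []).append((start, None))
    return intervals


def flag_permanent_program_mode(text, now_iso, max_window_hours=4.0):
    """Return {controller: hours_in_program} for runs exceeding the window.

    Open intervals are measured up to `now_iso`, so a switch left in PROGRAM
    keeps being reported until it is returned to RUN or REMOTE."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(hours=max_window_hours)
    flagged = {}
    for ctrl, runs in program_mode_intervals(text).items():
        for start, end in runs:
            duration = (end or now) - start
            if duration > limit:
                flagged[ctrl] = duration.total_seconds() / 3600
    return flagged


if __name__ == "__main__":
    for ctrl, hours in flag_permanent_program_mode(SAMPLE_LOG, "2017-12-14T08:00:00").items():
        print(f"{ctrl}: keyswitch in PROGRAM for {hours:.0f} h, exceeds change window")
```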

    8. Re:Don’t worry by Anonymous Coward · · Score: 0

      I know I'll be modded to (-1) but I wish you IT people would stop using the word "incompetent".

      Remote access is important, and we need smart IT people to set it up properly, not just put up a firewall, not just block access. Part of troubleshooting is to remote in and "animate" the diagram, to watch certain values. Yes these safety systems have passwords, but we all know passwords are weak but that's all you IT people give us. I know you're used to the car analogy where a car needs to run at all costs, but this is a different application of technology and plants also do need an OMFG STOP!!!! button. "HAL STOP!" 'I can't do that, Dave. What's the other super secret password that only the supervisors know?' (and he's on vacation). BOOM.

      Complicated devices fail in complicated ways. Onsite personnel's troubleshooting abilities are often just "pick up the phone and call". If an engineer has to physically transport his body onsite, that can take days in some cases (abandon current site-repack-plane ticket-drive-fly-drive onsite).

      I am often at war with IT people, because I get the silent treatment, and management says "just show up". Okay, but it'll cost you... Cut to the chase, and drive 2 hours to the airport, spend ten hours flying, I show up and I diagnose and fix the problem in 15 minutes. Management is like "I'm not going to pay, it only took you 15 minutes to fix it!." Well if your IT people wouldn't have gotten stuck asking where to enter their Proxy Server information that doesn't even apply to this device, I IN FACT COULD HAVE DIAGNOSED IT REMOTELY. "SOMEBODY" OVER THERE UNPLUGGED THE CABLE AND PLUGGED IT IN WRONG (no visible evidence). But how would *I* know that given what you gave me to work with and the people you have hired?

    9. Re:Don’t worry by nnull · · Score: 1

      I agree, this is an SIS system, there is no reason to require remote access to any of these devices or my fancy talk of apps, but YET THEY DO! Just look at Phoenix Contact, they offer bluetooth, NFS, and online connectivity, for what? ABB with their speed drives offer complete connectivity with the drive and changing parameters for their safety cards and they advertise it openly with remote access! Then you have all these brand new safety devices that have ethernet/IP or Profinet, with complete full access to the device. I think even ABB's programmable safety devices now have an app? This is happening right now with little care for what might happen, all because of convenience and sales, because X has this and Y doesn't.

      Are these things convenient? Yeah, ethernet is quite convenient when designing a panel, but this is where Engineering practices come into play with some thought put into network security. I do love ethernet, because no longer do I have to pull 50 wires throughout a control panel. But there is definitely a lot of people not considering any security issues over this.

      I doubt they will lose any certifications over this. There is nothing in either the IEC standard, UL or NFPA standards against this. All there is, is some blurb about "Risk Assessment" when using or designing these safety devices. I definitely know UL won't do anything, knowing how they work and TUV Germany (Not TUV US) might do something, maybe. Their self certification CE mark in the EU is not threatened as they more than likely complied with all the standards available. All you might find in these standards is that you must prevent changes on these devices. It doesn't say how you need to do that and anyone doing it maliciously doesn't mean you haven't complied with the said standard. I know there is some sway with risk assessment requirements in the EU, but not so much in the US.

      But, if they actually cared, we wouldn't be flooded with Chinese made devices with certifications. Even CHNT has certifications up the wazoo, contactors, breakers, relays that cost less than $10 (When they normally cost over $100) with all the certifications you could imagine, all of them legitimate. They meet the bare minimum and that's all they care about.

    10. Re:Don’t worry by thegarbz · · Score: 1

      Then you have all these brand new safety devices that have ethernet/IP or Profinet, with complete full access to the device.

      Wow there tiger. All systems need some kind of ethernet / IP link for communication, even if it's just for the initial config. "Remote" is hardly considered "across the internet". In most cases where the vendors advertise "remote" they basically mean no longer dragging a laptop to the device to plug into the serial port on the front.

      Remote configuration is a must, just that "remote" in this case is from 2 rooms away via a closed network.

      I doubt they will lose any certifications over this. There is nothing in either the IEC standard, UL or NFPA standards against this.

      Read my second reply to myself. In this case it turns out the attack was purely on the engineering station which was multi-homed to a network for remote desktop purposes, and the system was left permanently in program mode (which is idiotic). You're right in any case, I got my IEC standards confused, 61508 applies to vendors, 61511 applying to process industry end users is the one which has requirements for control of authority for changes to systems. All 61508 does is require access control to be considered during the risk assessment phase.

      relays that cost less than $10 (When they normally cost over $100) with all the certifications you could imagine, all of them legitimate.

      My personal favourite is seeing a TUV certificate for a well known US based vendor's valve actuator listing a reliability of 2 FITS. That's only about 3 orders of magnitude better than generally expected experience in the industry. I agree a TUV certificate these days isn't worth the paper it's printed on ... right until you get caught without one :-) The certification industry is a bit of a farce.

    11. Re:Don’t worry by nnull · · Score: 1

      Wow there tiger. All systems need some kind of ethernet / IP link for communication, even if it's just for the initial config. "Remote" is hardly considered "across the internet". In most cases where the vendors advertise "remote" they basically mean no longer dragging a laptop to the device to plug into the serial port on the front.

      Remote configuration is a must, just that "remote" in this case is from 2 rooms away via a closed network.

      This is generally true and I understand the intentions of what the device makers are trying to accomplish and I do use it with my own secured network (Yes I love it). And yes, there are manufacturers that are advertising "Remote access" via the Internet. I've already attended seminars by great big Siemens where their whole excitement is, you guessed it, remote access to your machine or internal devices from your phone! Oh how wonderful!

      But all over the world, this gets way abused to hell. Remote access now means some guy wants to login to my machine from across the world and diddle with it without even knowing what's going on. Too many equipment manufacturers I've seen abusing this. I'm already seeing remote reprogramming of Safety PLC's on gas fired equipment (Excellent solution to the whole liability problem if the equipment blows up, you can deny everything). I've even had a Siemens rep request I install remote controlled circuit breakers, just in case he needs to turn my machine on and off (This was my last time I ever wanted to deal with anything Siemens after that conversation).

      Yes, it's the owner's problem, but truthfully, this is just getting out of hand here. Stuff that shouldn't be happening, is happening. Good engineering practices aren't happening, general good safety practices aren't happening and network security is just one big joke. Oh, you have a firewall? No problem, let me install TeamViewer here on your Beckhoff PLC (Or whatever Windows embedded based PLC). So I can just punch through your firewall settings, tee hee hee

      Read my second reply to myself. In this case it turns out the attack was purely on the engineering station which was multi-homed to a network for remote desktop purposes, and the system was left permanently in program mode (which is idiotic). You're right in any case, I got my IEC standards confused, 61508 applies to vendors, 61511 applying to process industry end users is the one which has requirements for control of authority for changes to systems. All 61508 does is require access control to be considered during the risk assessment phase.

      So I was correct in my assessment that this was being remotely operated via the Internet. Really no surprise. No doubt that it was the field tech. No, this is not the device manufacturer's fault, this is quite indeed the customer's fault for being complete idiots. But device manufacturers could definitely do a lot more here.

      My personal favourite is seeing a TUV certificate for a well known US based vendor's valve actuator listing a reliability of 2 FITS. That's only about 3 orders of magnitude better than generally expected experience in the industry. I agree a TUV certificate these days isn't worth the paper it's printed on ... right until you get caught without one :-) The certification industry is a bit of a farce.

      It's going to get worse.

    12. Re:Don’t worry by thegarbz · · Score: 1

      That is true and I see this as vendors try to push equipment as a service rather than a thing. That is mostly driven by customers who lack the expertise and yet want more reliability out of equipment. Easy for a large refinery or chemical plant as they will have dedicated reliability teams monitoring rotating equipment with state of the art instrumentation. However for some small remote gas compression station, or in other struggling industries, the vendors have come up with some cloud based service with remote experts to manage your equipment.

      Siemens isn't the only culprit (though actually I haven't directly experienced it from them), I had a meeting with Emerson one day, 2h meeting to show off their new products and services. The first slide talked about connecting all their transmitters to some cloud service using HART-IP. I asked them to skip every slide that mentioned cloud service or any data leaving the confines of our process network. Good news is I reclaimed 1.5h of my day. Bad news is, WTF were they thinking.

  8. How long will we trust BGP? by guruevi · · Score: 1

    It seems like everyone just trusts each other at that level. Also, does it matter? Everything should be encrypted anyway, redirecting traffic should be expected if not by States, somewhere else on the line.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

  9. Just by Anonymous Coward · · Score: 0

    Just fuck Islam already. Haven't they caused enough harm? Isn't it time to eradicate these vermin?