Slashdot Mirror


Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment (securityweek.com)

wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.

17 of 30 comments

  1. Use some old school technology by Anonymous Coward · · Score: 1

    Why not employ a PROM (programmable read-only memory) as much as you can? These guys ignore other instructions and follow the routine that was put into them.

  2. in other news by zlives · · Score: 1

    kids eat all the candy left in front of them...

    moral... don't be an idiot

  3. Don’t worry by GrahamJ · · Score: 1

    The US government did the same type of thing with STUXNET so obviously it’s totally ok.

    1. Re:Don’t worry by nnull · · Score: 3, Informative

      It's not like you have to do much. Most of these manufacturers don't care about security, because it's additional costs. You'd be surprised how many machines out there are just openly connected to the internet, because ooo wow, we made a phone app so you can see how your production is going, but you have to open port xxx on your firewall. When I tell these guys no, they all go into a fury and try to talk down to me like a child (At least most American machine manufacturers do).

      When I ask for encryption and security precautions from manufacturers, they just look at me funny and think I'm crazy. If you think I'm joking, just scan through a bunch of IPs and enjoy how much high-tech equipment is just out there in the open where you can just completely obliterate someone's manufacturing process. It's not like it hasn't happened before, you know. Knowledge of SCADA systems? What the hell for? Most of these idiots run some unsecured remote access, so you can easily press buttons like you're there. My favorite latest thing these guys do now is install TeamViewer on these machines (Free version of course, surprised TeamViewer hasn't gone after these people for using it for commercial use, big name manufacturers too that I can easily name), with some social engineering, you can easily get the TeamViewer ID and password. Nobody ever changes it, like, ever. These are "Professionals" doing this on a daily basis by the way.

      What I quite hate is how after these places get hacked, they claim the hacker is some sort of genius who meticulously planned this attack, when all he did was log in to the PLC or some Windows based Operator console and mess with the whole thing.

    2. Re:Don’t worry by thegarbz · · Score: 3, Informative

      This is actually quite interesting. It looks like the remote access was to the engineering workstation which by its very nature needs to be networked with the control system. This doesn't sound like some vendor's bullshit idea but rather that the plant engineers had no idea what they were doing. Also since this is an SIS system, there's no reason for it to require remote access and any of your talk on fancy apps and whatnot doesn't really apply.

      There are far more interesting things under here as well, either:
      a) write access was enabled via the keyswitch on the Tricon chassis which is a really stupid thing to do permanently, or
      b) far worse: the keyswitch doesn't prevent writing to the program space and is just a trigger for the software not to proceed. This would be a huge failing, one that would likely get TÜV to strip their certification against the IEC standard for this.

      Watching keenly. We've got these systems everywhere.

    3. Re:Don’t worry by thegarbz · · Score: 1

      I do worry. Stuxnet targeted a PLC / control system in an attempt to push product off spec.

      This was an attack on a Safety Instrumented System which implies that it was an attempt to really blow something up.

      I also worry further because while the Siemens S7 / Stuxnet was an inside job delivered via USB key, this here talks about remote access to an engineering station which implies a whole new level of incompetence on a far more important system.

    4. Re:Don’t worry by thomst · · Score: 1

      Mod parent +1 Informative, please ...

      --
      Check out my novel.

    5. Re:Don’t worry by thomst · · Score: 1

      Mod parent +1 Informative, please. This is exactly the kind of post /. needs more of ...

      --
      Check out my novel.

    6. Re:Don’t worry by thegarbz · · Score: 2

      Replying to self with more information.

      Triconex systems have a physical keyswitch on chassis 1 which is by default set up to allow 4 states: Run, Remote, Program, and Stop. Remote in this case allows writing modbus values to the system over the network and prevents all memory access. Program allows writing over the running program memory.

      Based on the analysis by Dragos https://dragos.com/blog/trisis... it would appear the customer was running with the switch permanently in program mode and the attacker got in via RDP to the engineering workstation.

      This is multi-level stupid by the customer bypassing a whole host of protections, bridging networks, and allowing a foreign and remote connection to the engineering station. This kind of thing is heavily warned against by Schneider's own manuals and implementation guides. Someone better have been fired over this.
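      As an added defender-side example (not from this thread, Dragos or Schneider), here is a small Python detector for the two conditions described above: a keyswitch left in Program mode far longer than a maintenance window, and remote-desktop logons to the engineering workstation from outside its own subnet. The log format, host name, subnet and time threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log in a hypothetical format: "<iso-time> <event> k=v ...".
SAMPLE_LOG = """\
2017-11-01T08:00:00 KEYSWITCH chassis=1 mode=PROGRAM
2017-11-01T08:05:00 RDP_LOGON host=EWS01 src=10.10.20.15
2017-11-03T02:17:00 RDP_LOGON host=EWS01 src=198.51.100.23
2017-11-06T09:00:00 KEYSWITCH chassis=1 mode=RUN
2017-11-06T09:30:00 KEYSWITCH chassis=1 mode=PROGRAM
2017-11-06T10:00:00 KEYSWITCH chassis=1 mode=RUN
"""

ENGINEERING_NET = ip_network("10.10.20.0/24")  # assumption: subnet the EWS lives on
MAX_PROGRAM_TIME = timedelta(hours=8)          # assumption: site maintenance window

def parse_event(line):
    """Split one log line into (timestamp, event name, key/value fields)."""
    ts, event, *pairs = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in pairs)

def find_alerts(log_text):
    """Return (alert_type, detail) tuples for the two misconfigurations."""
    alerts, program_since, last_ts = [], None, None
    for line in log_text.splitlines():
        ts, event, f = parse_event(line)
        last_ts = ts
        if event == "KEYSWITCH":
            if f["mode"] == "PROGRAM":
                program_since = program_since or ts   # keep the earliest entry into PROGRAM
            else:
                # Key turned back out of PROGRAM: report the interval if it exceeded the window.
                if program_since and ts - program_since > MAX_PROGRAM_TIME:
                    alerts.append(("PROGRAM_MODE_TOO_LONG", str(ts - program_since)))
                program_since = None
        elif event == "RDP_LOGON" and ip_address(f["src"]) not in ENGINEERING_NET:
            # Remote desktop into the engineering workstation from a foreign network.
            alerts.append(("EWS_RDP_FROM_OUTSIDE", f"{f['host']} from {f['src']}"))
    # Log ends with the key still in PROGRAM: the open interval counts too.
    if program_since and last_ts - program_since > MAX_PROGRAM_TIME:
        alerts.append(("PROGRAM_MODE_TOO_LONG", f"still in PROGRAM since {program_since}"))
    return alerts

if __name__ == "__main__":
    for kind, detail in find_alerts(SAMPLE_LOG):
        print(kind, detail)
```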

    7. Re:Don’t worry by nnull · · Score: 1

      I agree, this is an SIS system, there is no reason to require remote access to any of these devices or my fancy talk of apps, but YET THEY DO! Just look at Phoenix Contact, they offer bluetooth, NFS, and online connectivity, for what? ABB with their speed drives offer complete connectivity with the drive and changing parameters for their safety cards and they advertise it openly with remote access! Then you have all these brand new safety devices that have Ethernet/IP or Profinet, with complete full access to the device. I think even ABB's programmable safety devices now have an app? This is happening right now with little care for what might happen, all because of convenience and sales, because X has this and Y doesn't.

      Are these things convenient? Yeah, ethernet is quite convenient when designing a panel, but this is where engineering practices come into play with some thought put into network security. I do love ethernet, because no longer do I have to pull 50 wires throughout a control panel. But there are definitely a lot of people not considering any security issues over this.

      I doubt they will lose any certifications over this. There is nothing in either the IEC standard, UL or NFPA standards against this. All there is, is some blurb about "Risk Assessment" when using or designing these safety devices. I definitely know UL won't do anything, knowing how they work and TUV Germany (Not TUV US) might do something, maybe. Their self certification CE mark in the EU is not threatened as they more than likely complied with all the standards available. All you might find in these standards is that you must prevent changes on these devices. It doesn't say how you need to do that and anyone doing it maliciously doesn't mean you haven't complied with the said standard. I know there is some sway with risk assessment requirements in the EU, but not so much in the US.

      But, if they actually cared, we wouldn't be flooded with Chinese made devices with certifications. Even CHNT has certifications up the wazoo, contactors, breakers, relays that cost less than $10 (When they normally cost over $100) with all the certifications you could imagine, all of them legitimate. They meet the bare minimum and that's all they care about.

    8. Re:Don’t worry by thegarbz · · Score: 1

      Then you have all these brand new safety devices that have Ethernet/IP or Profinet, with complete full access to the device.

      Whoa there, tiger. All systems need some kind of ethernet / IP link for communication, even if it's just for the initial config. "Remote" is hardly considered "across the internet". In most cases where the vendors advertise "remote" they basically mean no longer dragging a laptop to the device to plug into the serial port on the front.

      Remote configuration is a must, just that "remote" in this case is from 2 rooms away via a closed network.

      I doubt they will lose any certifications over this. There is nothing in either the IEC standard, UL or NFPA standards against this.

      Read my second reply to myself. In this case it turns out the attack was purely on the engineering station which was multi-homed to a network for remote desktop purposes, and the system was left permanently in program mode (which is idiotic). You're right in any case, I got my IEC standards confused, 61508 applies to vendors, 61511 applying to process industry end users is the one which has requirements for control of authority for changes to systems. All 61508 does is require access control to be considered during the risk assessment phase.

      relays that cost less than $10 (When they normally cost over $100) with all the certifications you could imagine, all of them legitimate.

      My personal favourite is seeing a TUV certificate for a well known US based vendor's valve actuator listing a reliability of 2 FITS. That's only about 3 orders of magnitude better than generally expected experience in the industry. I agree a TUV certificate these days isn't worth the paper it's printed on ... right until you get caught without one :-) The certification industry is a bit of a farce.

    9. Re:Don’t worry by nnull · · Score: 1

      Whoa there, tiger. All systems need some kind of ethernet / IP link for communication, even if it's just for the initial config. "Remote" is hardly considered "across the internet". In most cases where the vendors advertise "remote" they basically mean no longer dragging a laptop to the device to plug into the serial port on the front.

      Remote configuration is a must, just that "remote" in this case is from 2 rooms away via a closed network.

      This is generally true and I understand the intentions of what the device makers are trying to accomplish and I do use it with my own secured network (Yes I love it). And yes, there are manufacturers that are advertising "Remote access" via the Internet. I've already attended seminars by great big Siemens where their whole excitement is, you guessed it, remote access to your machine or internal devices from your phone! Oh how wonderful!

      But all over the world, this gets way abused to hell. Remote access now means some guy wants to log in to my machine from across the world and diddle with it without even knowing what's going on. Too many equipment manufacturers I've seen abusing this. I'm already seeing remote reprogramming of Safety PLCs on gas fired equipment (Excellent solution to the whole liability problem if the equipment blows up, you can deny everything). I've even had a Siemens rep request I install remote controlled circuit breakers, just in case he needs to turn my machine on and off (This was my last time I ever wanted to deal with anything Siemens after that conversation).

      Yes, it's the owner's problem, but truthfully, this is just getting out of hand here. Stuff that shouldn't be happening, is happening. Good engineering practices aren't happening, general good safety practices aren't happening and network security is just one big joke. Oh, you have a firewall? No problem, let me install TeamViewer here on your Beckhoff PLC (Or whatever Windows embedded based PLC). So I can just punch through your firewall settings, tee hee hee

      Read my second reply to myself. In this case it turns out the attack was purely on the engineering station which was multi-homed to a network for remote desktop purposes, and the system was left permanently in program mode (which is idiotic). You're right in any case, I got my IEC standards confused, 61508 applies to vendors, 61511 applying to process industry end users is the one which has requirements for control of authority for changes to systems. All 61508 does is require access control to be considered during the risk assessment phase.

      So I was correct in my assessment that this was being remotely operated via the Internet. Really no surprise. No doubt that it was the field tech. No, this is not the device manufacturer's fault, this is quite indeed the customer's fault for being complete idiots. But device manufacturers could definitely do a lot more here.

      My personal favourite is seeing a TUV certificate for a well known US based vendor's valve actuator listing a reliability of 2 FITS. That's only about 3 orders of magnitude better than generally expected experience in the industry. I agree a TUV certificate these days isn't worth the paper it's printed on ... right until you get caught without one :-) The certification industry is a bit of a farce.

      It's going to get worse.

    10. Re:Don’t worry by thegarbz · · Score: 1

      That is true and I see this as vendors try to push equipment as a service rather than a thing. That is mostly driven by customers who lack the expertise and yet want more reliability out of equipment. Easy for a large refinery or chemical plant as they will have dedicated reliability teams monitoring rotating equipment with state of the art instrumentation. However, for some small remote gas compression station, or in other struggling industries, the vendors have come up with some cloud based service with remote experts to manage your equipment.

      Siemens isn't the only culprit (though actually I haven't directly experienced it from them), I had a meeting with Emerson one day, 2h meeting to show off their new products and services. The first slide talked about connecting all their transmitters to some cloud service using HART-IP. I asked them to skip every slide that mentioned cloud service or any data leaving the confines of our process network. Good news is I reclaimed 1.5h of my day. Bad news is, WTF were they thinking.

  4. Re:The emperor has no clothes by FatdogHaiku · · Score: 1

    I think you're thinking about Bruce Schneier ...
    It's OK, I thought they were talking about Rob Schneider... and I really don't want to see him designing safety systems for critical infrastructure!

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office

  5. How long will we trust BGP? by guruevi · · Score: 1

    It seems like everyone just trusts each other at that level. Also, does it matter? Everything should be encrypted anyway, redirecting traffic should be expected if not by States, somewhere else on the line.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

  6. Re:Why the hell ... by Computershack · · Score: 1

    Why the hell do people have their critical infrastructure on networks which aren't isolated and locked down?

    Let's blame the victim for not locking the door, not the burglar eh? The better question is how sick in the head do you have to be to even think about attacking something like this?

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams

  7. Re:Why the hell ... by thegarbz · · Score: 1

    Given that the level of sophistication that came out of Stuxnet showed it was state sponsored, I'd say about as sick in the head as any modern government or military.

    Now I'm going to hide before a USA drone drops a missile in my living room without due process. Wouldn't be the first time.