There was a stunning cyberattack on a critical Middle Eastern infrastructure site recently and it hasn’t gotten the public scrutiny it deserves. Triton (A.K.A. Trisis), a new strain of malware, was discovered last month via intelligence sharing reports provided by the security vendors FireEye and Dragos. The news was the latest in a series of public disclosures about progressively more sophisticated energy plant hacks.
The specter of attacks on the power grid and other systems is no longer a matter of speculation. Hackers are testing the protections for critical infrastructure, and energy plant operators need to take the threat seriously, as do the decision makers in the industrial sector at large.
Security analysts uncovered malware designed to take over the Schneider Electric Triconex Safety Instrumented System (SIS) at an unnamed industrial site. SIS systems are routinely used in plant settings to monitor industrial processes, and shut them down if operating parameters approach a dangerous state.
Notably, it now appears that the Triton hackers inadvertently shut off the plant’s SIS system in what may have been a botched reconnaissance operation, says Phil Neray, strategy vice president at Boston-based cybersecurity vendor CyberX.
“They had hacked into the controller of the safety system, which is there to shut everything down if something goes wrong,” Neray observes. “They evidently made a mistake and triggered the safety system to shut down the plant.”
Experts say it’s likely that the hackers initially used social engineering, perhaps a phishing ruse that prompted a plant employee to unwittingly share logon credentials to the SIS. The hackers would then have been able to embed the Triton malware in the SIS, and gain access to the system.
“Reconnaissance, pivoting, and dwelling at length within networks are common strategies for advanced hackers,” says Satya Gupta, chief technology officer at Virsec Systems, a supplier of application security systems. “Their goal certainly would have been bigger than to trip a relatively benign shutdown.”
This is a type of activity one would expect from rival nations preparing offensive and defensive strategies for cyberwar campaigns. As the attack vector becomes more defined, it gives rise to a question: How long have hackers been targeting infrastructure, and which past attacks were part of that campaign? That is unknowable, but the Triton revelation could change the way researchers view the Shamoon virus outbreaks that crippled office computers at Saudi energy companies in December 2012, and again in January 2017.
While stealth and misdirection are ruling principles in cyberwarfare–making attribution difficult if not impossible, it seems worth noting the Triton disclosure closed out a year in which hacking groups believed to be aligned with Russia, Iran and North Korea have been caught probing and accessing the back-office business networks of U.S. energy companies.
This flurry of activity prompted the FBI and the Department of Homeland Security to issue an amber alert warning about a wave of malware attacks targeting office workers at U.S. energy plants. Why go after office workers? Humans are always the weakest link in any security system. Industrial control systems are disconnected, or “air-gapped,” from administrative systems, and thus considered intrinsically safe–but the people who operate them are not.
Malicious hackers are very good at what they do. Increased use of cloud computing and connected mobile devices (with questionable security) has made air-gapped security obsolete, and given rise to an incipient security nightmare. The alarming accomplishment of the Triton caper was the demonstration of how a phishing attack on the IT side of the house can be leveraged to hack into the OT, or operational technology, side of the house.
“Many legacy industrial control systems were designed with ‘security by isolation,'” Gupta says. “However, with increasingly connected systems, isolation is hard to find, and it is not adequate as a security strategy.”
While there may be no reason to panic yet, this progression of energy plant probes and intrusions ought to increase the urgency for the industrial sector to begin taking proactive steps to bake security into their IT and OT systems. It’s time to address the air-gap gap.
Adam Levin is chairman and founder of CyberScout. This article originally appeared on AdamLevin.com, a top 100 infosec blog.