A Triconex Safety Instrumented System (SIS) from Schneider Electric was the target of a recent cyber attack. The aim of this attack was to cause disruption to the physical infrastructure by interacting with the SIS. The malware was only detected because the cybercriminals inadvertently triggered a safety mechanism. FireEye, a specialist for data driven security with its headquarters in the United States, suspects that the attackers were state sponsored.
Functional safety as a must-have
According to a FireEye statement, the cybercriminals gained remote access to a SIS engineering workstation and reprogrammed the SIS controllers. During the incident, they tripped the failsafe mechanism of the critical infrastructure, which automatically shut down the industrial processes or caused them to enter a safe state. An investigation of the complete plant was initiated as a result.
Side note
Critical infrastructures (CI) are organizational and physical structures and facilities of such vital importance to a nation’s society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences. (Source: BSI)
Cyber attack: The analysis
Application code failed a validation check, resulting in a failure message. The conclusion drawn from this by FireEye was that the cybercriminals were intending to manipulate the SIS. Their objective was apparently to cause impacts to industrial plants, the environment or production processes. They used the Triton malware for this purpose. Triton (Trojan.Trisis) was specifically designed to communicate with SIS devices using the proprietary TriStation protocol. The malware mainly infects Windows computers that are connected to a SIS device. It then injects code modifying the behavior of that SIS device.
Although FireEye has not connected this activity to any particular source, they are confident that the actors are sponsored by a nation state. The technical resources necessary to create the attack framework and the lack of any clear monetary goal suggest this. Furthermore, the interest in causing physical consequences is an attack objective not typically seen among cybercrime groups.
The investigation into the cyber incident is still ongoing.
FireEye declined to identify the victim, industry or location of the attack. Schneider confirmed to Reuters that the incident had occurred but without revealing the client’s identity.
“Dragonfly 2.0” campaign
According to Symantec, industrial plants in Europe and the U.S. have increasingly been targeted again by the “Dragonfly 2.0” campaign since late 2015. In Germany, the group has allegedly succeeded in controlling, manipulating and sabotaging parts of the machinery of dozens of firms via their industrial control systems.
Preventive measures – Plant security
Don’t let it come to that! We – Yokogawa – have developed a comprehensive network and system security concept for industrial process control systems and (functional plant) safety systems. The solutions integrated in this concept fill known and frequently encountered, internal and external security holes. They can be used in both new and existing systems. Feel free to contact us: we’ll help you implement suitable preventive measures as part of a total security tailor-made concept.
Would you like to read more blog posts on automation security? Click here to browse. Do you have any questions, observations, criticisms or suggestions? If so, just write a comment.