When Julian Gutmanis — a cyber first responder — discovered TRISIS malware at a petrochemical plant in Saudi Arabia, his blood ran cold, according to MIT Technology Review. TRISIS malware was first detected in 2017 and was deployed by a nation-state actor against Triconex safety instrumented system (SIS) controllers made by Schneider Electric. The code had the capability to disable all safety systems put in place to prevent plant shutdowns.
This dangerous attack could interfere with the automated actions an SIS controller takes to keep a plant safe and to bring it to a safe state when abnormal conditions arise. While it was initially found only in the Middle East, it began spreading to multiple parts of the world, causing safety malfunctions in various plants. According to Dragos, “[the] potential impacts include equipment damage, system downtime and potentially loss of life.” As the fifth ICS-tailored malware in history and the first malware to directly target an SIS, TRISIS alarmed the industrial community because of the boldness of the attack.
Concerns for SIS
If TRISIS malware were successfully deployed, a threat actor could use the SIS controller to shut down an entire plant. Targeting safety systems is cause for concern because it puts the operational safety of the plant itself at risk. According to Dragos, “safety controllers are deployed to provide lifesaving stopping logic. These may include mechanisms to stop rotating machinery when a dangerous condition is detected or stop inflow or heating of gasses when a dangerous temperature, pressure or other potentially life-threatening condition exists.”
Because TRISIS malware can be delivered and operated remotely, the attack seemed especially dangerous. It raised concerns about whether TRISIS could move on to other systems once it had corrupted an SIS. If that occurs, “an adversary can lay the groundwork for a disaster by modifying industrial processes to exceed safe operating limits, potentially causing physical destruction, injuries and death, and pollution. In the facility where the malware was first identified, Triton could have interfered with the functioning of a burner management system, potentially triggering the release of hydrogen sulfide gas,” according to IoT World Today.
The potential for disaster troubled leaders in the industrial community, leading to an increased focus on industrial control system (ICS) security.
A mysterious attack
In June of 2017, the Saudi Arabian plant’s vendor, Schneider Electric, initially misidentified TRISIS. This led to the wrong response efforts and a failure to properly contain the attack. The first attack took the plant offline, in what was the plant’s first shutdown. It wasn’t until the second shutdown, when several other systems were affected, that the threat was truly identified.
In August of 2017, months after the initial shutdown, the presence of hackers was detected in the plant network. Investigators found that the hackers had been inside the petrochemical plant’s systems since 2014, working their way through the network. Investigators also first believed that only one system had been targeted and infiltrated by TRISIS, but later discovered the malware was able to attack six Triconex Emergency Shutdown (ESD) systems. The problem was first attributed to a mechanical fault, but several features of the system failure pointed to a more widespread attack and should have prompted a more detailed investigation.
While the facility was described as “lucky” by Gutmanis, the failure to prevent this attack shed light on poorly designed security systems, infrastructures and outdated responses to threats. Investigators worried hackers would take advantage of this and continue their attacks on other plants.
A wake-up call
U.S. Director of National Intelligence Dan Coats claimed that “the warning lights [were] blinking red again,” according to MIT Technology Review. The TRISIS malware attack gained the attention of many cybersecurity professionals and left them worrying about the strength of their cybersecurity measures — as well as copycat attacks. According to IoT World Today, “the attack provide[d] not just a blueprint for attacks on the oil-and-gas sector, which was purportedly targeted in the first announced TRISIS attack, but any type of critical infrastructure including building automation systems.”
As a result, industrial cybersecurity leaders began laying out higher expectations for security, such as holistic cybersecurity measures combined with physical safety protections, layered defenses that include non-cyber engineering controls, and an incident response plan written and maintained by operational technology (OT) engineers. Proper configuration of an SIS controller is essential, but misconfigurations can happen.
In response to the Saudi attack, cybersecurity professionals introduced unidirectional gateways to replace bidirectional network connections. A unidirectional gateway isolates the safety equipment: data can flow out of the safety network so that it can be monitored, but there is no path for traffic to travel back in. Given the mysterious nature of TRISIS, properly protected critical infrastructure is key to preventing future attacks. While the industrial cybersecurity community is still looking for all the right answers, it is never too late to update and reinforce preventive security measures.
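The one-way policy that a unidirectional gateway is supposed to enforce can also be audited from flow records, which gives defenders a way to spot a bidirectional connection that was left in place or re-introduced. The following Python is an added example written for this article, not code from the article or from any vendor: it assumes a constructed zone layout (enterprise, DMZ, control, safety/SIS, with example address ranges), a constructed monitoring collector address behind the gateway, and flow records in a simple "timestamp,src,dst,proto,dport" form where the src host initiated the connection. It flags two things: any connection initiated into the safety zone from another zone, and any safety-zone host that reaches out to anything other than the monitoring collector.

```python
"""Audit flow records against a unidirectional (outbound-only) safety-zone policy.

Added example, not from the article. All addresses, zone ranges and flow
records below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed zone addressing; a real plant would substitute its own ranges.
ZONES = {
    "enterprise": ip_network("192.168.0.0/16"),
    "dmz": ip_network("10.10.10.0/24"),
    "control": ip_network("10.10.20.0/24"),
    "sis": ip_network("10.10.30.0/24"),
}

# The only destination a safety-zone host may talk to on its own initiative:
# the historian/monitoring collector on the far side of the one-way gateway
# (constructed address).
MONITORING_COLLECTOR = ip_address("10.10.20.50")
PROTECTED_ZONE = "sis"

Flow = Dict[str, object]


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it matches no range."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flows(text: str) -> List[Flow]:
    """Parse 'timestamp,src,dst,proto,dport' lines; blank and '#' lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = [field.strip() for field in line.split(",")]
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": proto.upper(), "dport": int(dport)})
    return flows


def check_unidirectional(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every flow that breaks the one-way policy.

    Rule 1: nothing outside the safety zone may initiate a connection into it.
    Rule 2: a safety-zone host may initiate traffic only to the monitoring collector.
    Traffic wholly inside one zone, or between two non-safety zones, is out of
    scope for this check.
    """
    findings: List[Tuple[Flow, str]] = []
    for f in flows:
        src_zone, dst_zone = zone_of(str(f["src"])), zone_of(str(f["dst"]))
        if dst_zone == PROTECTED_ZONE and src_zone != PROTECTED_ZONE:
            findings.append((f, f"connection initiated into safety zone from {src_zone} zone"))
        elif (src_zone == PROTECTED_ZONE and dst_zone != PROTECTED_ZONE
              and ip_address(str(f["dst"])) != MONITORING_COLLECTOR):
            findings.append((f, f"safety-zone host reaching out to {dst_zone} zone"))
    return findings


# Constructed sample: one legitimate telemetry flow, one intra-zone flow,
# one inbound flow from the control zone, one unrelated enterprise flow,
# and one safety-zone host contacting the enterprise network.
SAMPLE_FLOWS = """\
# timestamp,src,dst,proto,dport   (constructed)
2024-01-01T02:11:09Z,10.10.30.11,10.10.20.50,UDP,514
2024-01-01T02:11:10Z,10.10.30.11,10.10.30.12,TCP,502
2024-01-01T02:12:41Z,10.10.20.17,10.10.30.11,TCP,22
2024-01-01T02:13:03Z,192.168.4.20,10.10.10.5,TCP,443
2024-01-01T02:14:55Z,10.10.30.12,192.168.4.20,TCP,445
"""


def report(text: str = SAMPLE_FLOWS) -> List[Tuple[Flow, str]]:
    """Parse the records and return the policy violations found in them."""
    return check_unidirectional(parse_flows(text))


if __name__ == "__main__":
    for flow, reason in report():
        print(f"{flow['ts']} {flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']}: {reason}")
```

Run against the embedded sample, the check reports the control-zone host connecting into the safety zone and the safety-zone host contacting the enterprise network, and passes the telemetry flow to the collector. Because a true one-way gateway cannot carry a reply, either finding means a bidirectional path exists somewhere and the gateway is being bypassed; the check deliberately ignores ports, since the point of the policy is direction, not protocol.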