New threats are emerging in production. When industrial plants enter the firing line of international conflicts, human lives no longer matter.
When experienced security advisors were called to a petrochemical plant in Saudi Arabia, they couldn’t believe their eyes. Malware had brought the plant to a standstill. It turned out to be fortunate, because the malware introduced by unknown attackers was programmed to shut down the chemical plant’s safety systems. The purpose of these safety devices is to prevent production outages from resulting in catastrophes such as explosions or the leakage of poisonous substances. If they’re shut down, they can no longer guarantee protection, putting people and the environment in danger.
The attack on the Saudi factory failed. A flaw in the coding triggered a response by the safety system that shut down the plant. An additional, similar incident convinced the operating company to call in security specialists, who found the malicious code that has since been dubbed Triton or Trisis. It was specially developed to target the Triconex safety controllers made by the French company Schneider Electric.
The goal: destruction
The malware that was discovered may have been just the first phase of an advanced persistent threat (APT). It’s extremely likely that the attackers would then have gone on to damage the production plant in order to cause dangerous accidents. The dimension of the attack is unusual: While industry comprehensively networks its plants, the attackers were trying to cause maximum damage. They weren’t operating out of financial interests, nor were they using this attack to obtain money or sensitive data. That’s why it’s assumed that the attacks were perpetrated by government-backed actors and not cyber criminals, especially since such an attack requires extensive on-site knowledge of the production facilities, their components, and the hardware and software used for the control system.
This incident, which occurred in the summer of 2017 but wasn’t made public until much later, evokes memories of Stuxnet. The security experts are still working on analysing the Triton malware. So far they’ve managed to determine that it was intended to reprogram the safety controllers via a maintenance access. But the code failed the validation check and the safety controller safely shut down the plant. It was only then that the attack was recognised for what it was and the incident could be thoroughly investigated. It’s still unclear how the malware infiltrated the safety controller. So far the experts are assuming it was the result of a successful phishing attack. They also speculate that it may have been a test run for further attacks.
Be careful when networking critical production facilities
When networking critical production facilities – and especially when such facilities have the potential to cause extreme harm – security specialists now advise a certain amount of restraint. OT and IT should be linked only where necessary. Data traffic should then be monitored to ensure that only predetermined data is transferred via the connections. In addition to a firewall and network monitoring, whitelisting of approved data transfers can be helpful in this regard.
The existing emergency management system in such plants should also include provisions covering damaging incidents caused by malware. In the event of an emergency, network segments have to be disconnected quickly and reliably. Experts advise that the emergency stop button typical of such plants also be configured for OT networks. In the future, they’re also expecting that chemical plants in Germany will be counted as critical infrastructure (KRITIS). This will mean that security incidents will have to be reported.
You will also find news about all aspects of it-sa and the world of IT security in the it-sa Security Newsletter.