During a live recreation of Triton, the industry’s first direct attack on an industrial safety system, Carcano showed that creating the Triton malware may have been much easier than originally thought, and shared new tools to help in the fight against Triton. Carcano urged the community to unite on more aggressive efforts to address security gaps in critical operational networks.
“Triton failed. However, now, with a deeper understanding of the attack, we believe the effort, skills and financial resources needed to create the Triton malware were not as high as originally thought. We also know the attacker could have just as easily succeeded in injecting the final payload,” Carcano said. “This realisation, combined with the knowledge that a growing number of hackers have critical infrastructure in their sights, [means] we as a community must move quickly on all fronts to strengthen the cyber security culture for the entire industry.”
In a live demo at Black Hat, Carcano and researchers from Nozomi Networks Inc showed how Triton, the most recent and arguably one of the most sophisticated attacks seen against an industrial control system (ICS) to date, was developed, why the attack failed, and what anyone seeking to secure critical infrastructure can do to help keep it safe. The team’s findings are detailed in a whitepaper, which includes:
- How the attack was executed, and why developing the Triton malware may have been easier than previously believed.
- Information about new paths adversaries are taking to access the attack tools.
- New guidelines and tools to help protect against Triton and similar attacks.
First reported in December 2017, the Triton attack against a petrochemical processing plant in the Middle East had the potential to compromise the facility’s Triconex Safety Instrumented System (SIS) from Schneider Electric. Fortunately, the Tricon system detected an anomaly and behaved as it was supposed to, taking the plant to a safe state via a shutdown. Triton is considered a milestone industrial cyber-attack because it was the first to directly interact with, and control, a safety system. An attacker who holds the SIS can disable the plant’s last line of safety defence, raising the risk that a cyber-attack could lead to unpredictable and dangerous plant outcomes.
“It’s important to recognise that Triton-type attacks can be made against any industrial control and safety system anywhere in the world, no matter who designed, engineered, built or operates it,” said Nathalie Marcotte, Senior Vice President, Industry Services and Cybersecurity, Schneider Electric. “No single entity can solve this global issue; rather, end users, third-party suppliers, integrators, standards bodies, industry groups and government agencies must work together to help the global manufacturing industry withstand cyberattacks and protect the world’s most critical operations and the people and communities we all serve. Through its research, knowledge sharing and malware-detection tools, Nozomi Networks is heeding this call to action.”
Read the article online at: https://www.hydrocarbonengineering.com/petrochemicals/09082018/nozomi-networks-triton-attack-against-petrochemical-plant-could-have-succeeded/