By Gregory Hale
The Triton attack against a safety system and a distributed control system at a gas refinery in Saudi Arabia last August was a planned, targeted attack against a specific system, but analysis of the attack shows that aspects of it could be easier to create than one might expect.
“You don’t need to have tons of resources to create an attack like this,” said Andrea Carcano, chief product officer and co-founder of Nozomi Networks, during a packed talk entitled “TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems Forever,” at Black Hat USA 2018 in Las Vegas, NV, Wednesday. “Barriers for advanced ICS hacking have been lowered. Dedicated tools and information on the wire make the life of a hacker much easier. While attacks are more sophisticated, skill levels are not as high.”
“The effort, skills and financial resources needed to create the Triton malware framework are not that high,” Carcano said. “Considering this, asset owners should act immediately to monitor their SIS and secure them against external attacks.”
In August last year, the Saudi critical infrastructure user suffered a shutdown of its facility when the controllers of a targeted Triconex safety system failed safe. During the initial investigation, security professionals noticed suspicious activity, and that is when they found the malware. The safety instrumented system (SIS) engineering workstation was compromised and had the Triton (also called Trisis and HatMan) malware deployed on it. The distributed control system (DCS) was also compromised. It is possible to envision an attack in which the attacker could manipulate the DCS while reprogramming the SIS controllers.
At a traditionally IT-centric event like Black Hat, some explanation of industrial control systems and safety instrumented systems was needed.
In defining industrial control systems and safety instrumented systems for the audience, Marina Krotofil, an industrial cybersecurity researcher, talked about the danger in working with these systems.
“Cyber physical systems are inherently hazardous, they are protecting humans, machinery and the environment,” she said. “Safety systems are software-based which means they are potentially hackable.”
Safety systems come with multiple connection possibilities. They can:
• Sometimes be connected to process control systems
• Sometimes be kept separate
• Use equipment from multiple vendors, which increases risk
“An attack on a safety system can cause the most damage possible,” Krotofil said.
The attacker obtained remote access to the SIS and injected a remote backdoor that could read arbitrary memory, write into memory and then execute arbitrary code on the TriStation, she said.
Carcano went on to discuss how it is possible to build an attack like Triton:
• Gather intelligence: collect as much information as possible and gain a documented view of the target
• Build a shopping list: documentation, engineering tool-set, firmware and controller
• Reverse engineer the engineering software using the information collected
• Reverse engineer the TriStation protocol, so as to be able to talk to and understand the target system
In reverse engineering the software, the Nozomi team found two undocumented power users with hard-coded credentials. One of the power users’ logins enabled a hidden menu which, from an attacker’s perspective, could be useful. However, there was no connection between the Triton malware and this hidden menu, and the malware did not leverage these undocumented users. In addition, Carcano said these undocumented users exist only in TriStation 1131 v4.9.0 and earlier versions, according to Schneider Electric.
As a result of this research (more details of Nozomi’s investigation are available in its white paper), the network monitoring provider released a Triton toolset:
1. An active detection tool that checks for Triton programs running inside the controller and uploads the program table to look for suspicious payloads
2. A honeypot that replicates the Triconex system configuration and detects unknown traffic targeting the SIS network
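A simplified version of the two detection checks the toolset performs, as an added example that is not Nozomi’s code: the program-table comparison and the SIS-network traffic check. The conn records, the engineering-workstation allowlist, the SIS subnet and the assumption that TriStation traffic uses UDP port 1502 are all constructed for this illustration.

```python
import ipaddress
from typing import Iterable, List, Set

# TriStation is the engineering protocol used to program Triconex controllers;
# public analyses of Triton describe it on UDP port 1502 (assumed here).
TRISTATION_PORT = 1502

# Constructed, Zeek-style conn records: ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN = """\
# ts src_ip src_port dst_ip dst_port proto
1533740000 10.10.2.15 50211 10.10.9.20 1502 udp
1533740005 10.10.1.77 50212 10.10.9.20 1502 udp
1533740010 10.10.1.77 50213 10.10.9.21 445 tcp
1533740015 10.10.2.15 50214 10.10.9.21 1502 udp
""".splitlines()

def unknown_programs(program_table: Iterable[str], baseline: Set[str]) -> List[str]:
    """Programs present on the controller but absent from the engineering
    baseline: the same idea as the active check for injected Triton programs."""
    return sorted(set(program_table) - baseline)

def unexpected_sis_traffic(conn_lines: Iterable[str], sis_subnet: str,
                           allowed_ews: Set[str]) -> List[dict]:
    """Flag flows into the SIS subnet that do not originate from an approved
    engineering workstation, distinguishing TriStation from other protocols."""
    sis_net = ipaddress.ip_network(sis_subnet)
    alerts = []
    for line in conn_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        if ipaddress.ip_address(dst) not in sis_net or src in allowed_ews:
            continue  # not SIS-bound, or from a host that is allowed to talk to it
        if int(dport) == TRISTATION_PORT and proto.lower() == "udp":
            reason = "TriStation traffic from unapproved host"
        else:
            reason = f"non-TriStation traffic to SIS ({proto}/{dport})"
        alerts.append({"ts": ts, "src": src, "dst": dst, "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in unexpected_sis_traffic(SAMPLE_CONN, "10.10.9.0/24", {"10.10.2.15"}):
        print(a)
    print(unknown_programs(["MAIN", "SAFETY_LOGIC", "inject.bin"],
                           {"MAIN", "SAFETY_LOGIC"}))
```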
Reverse engineering the attack is important, there is no doubt, but what did we learn and what are the next steps?
“There needs to be auditing and forensic tools,” Krotofil said. “Asset owners should start a dialog with vendors. They should start sharing concerns with vendors right now.”
Protecting safety systems in the ICS environment is a top concern and should not be approached with a cavalier attitude.
“If you access the safety system, you are done,” Carcano said.