By Gregory Hale
An attack that shut down a gas facility in Saudi Arabia last August was entirely preventable if proper security hygiene was in play.
In that August attack, the Saudi critical infrastructure user suffered a shutdown of its facility and the controllers of a targeted Triconex safety system failed safe. During an initial investigation security professionals noticed there were some suspicious things going on and that is when they found malware. The safety instrumented system (SIS) engineering workstation was compromised and had the Triton (also called Trisis and HatMan) malware deployed on it. The distributed control system (DCS) was also compromised. It is possible to envision an attack where the attacker had the ability to manipulate the DCS while reprogramming the SIS controllers.
“Could the attack have been stopped? The answer is yes,” said Gary Williams, senior director of technology, cybersecurity and communications at Schneider Electric during his talk last week at PAS 2018 Optics conference in Houston, TX. “Segmentation could help. Every time you bypass one, you increase risk.”
“The attacker wasn’t at the company, not even in the country,” Williams said. “The attack was highly sophisticated, focused on that one company and was not self-replicated. The Triton attack we believe was to create a catastrophic event. The attacker was able to get into the DMZ, then the process area and then into the safety system.”
This attack took upward of two years, Williams said.
The attack occurred August 4, 2017 where there was an unexplained emergency shutdown at the end user site.
A detailed investigation revealed multiple security lapses that enabled a sophisticated remote access Trojan (RAT) malware attack across the DCS, the SIS and workstations. At that time, the safety system, after the attacker made some mistakes, detected an anomaly and safely shut the system down. No one is really sure right now if the shutdown was the result of a direct attack or of the attacker still conducting surveillance, getting sloppy and making a mistake. Either way, the system safely shut down the facility.
No matter the intent, this was a highly-targeted attack, Williams said.
He added the malware could only be successfully loaded if several conditions were present, including:
• The site must be using a specific model of controller running a specific version of firmware
• The safety network must be accessible either locally or remotely
• Attackers must have access to the SIS terminal or other machines connected to the safety network
Ramifications of Triton extend far beyond the specific attack. Plus, some questions still remain.
While Williams did not discuss this during his talk, questions remain open about the attack: What was the true intended target? What were the motivations? The attackers did get into the safety system, but they also got into the DCS; what were they going after there?
To help avoid attacks, Williams said users should follow some basic security principles to ensure a solid security profile:
• There needs to be a risk-based defense in depth
• Need to follow standards and practices
• Follow vendor guidelines and practices
• Make cybersecurity part of the whole lifecycle
• Identify, minimize and secure all network connections to automation systems
• Improve product security across supply chain and development process
• Collaborate to improve standards, applications, and ease of implementation
• Educate all personnel involved in the operation, maintenance, engineering and support of automation systems
• Engage industry resources to step up and develop a pervasive cyber culture and constantly innovate
• Implement those cybersecurity practices, policies and procedures
• This is all about collaboration
Along those lines, when you are talking about security, it is all about people, process and technology.
“Investing in people is the best return you will ever get,” Williams said. “Our industry is under assault. We have a duty to respond to Triton, which requires everyone to work together. We are trying to protect the people at the plant, the plant and the area around the plant.”
That is why Schneider Electric is calling for an industry-wide agnostic supplier/end user/integrator-based forum, or consortium, to come together, not to create a standard, which would take way too much time, but to understand the intensity of the threat and then help create a culture where everyone knows security is a part of his or her everyday job.