By Gregory Hale
It is so easy to point fingers. “You did it, no, you did it.” “Someone else did it, not me.”
Looking at the attack on Schneider Electric’s Triconex safety system that occurred last August but was just revealed in December, it would be very easy to point a finger at the end user, or at the supplier, or the integrator. In reality, though, the finger needs to point directly at the manufacturing automation industry. The entire industry.
In that August attack, a Middle East critical infrastructure user suffered a shutdown of its facility and the controllers of a targeted Triconex safety system failed safe. During an initial investigation security professionals noticed there were some suspicious things going on and that is when they found the malware. The safety instrumented system (SIS) engineering workstation was compromised and had the Triton (also called Trisis and HatMan) malware deployed on it. The distributed control system (DCS) was also compromised. It is possible to envision an attack where the bad guy had the ability to manipulate the DCS while reprogramming the SIS controllers.
You can’t walk away from this. Forget that a safety system was attacked. This was a potential cyberattack that meant harm. In this day of heightened awareness of cybersecurity issues, it really looks like the industry was asleep at the wheel on this.
It appears, through reading reports and talking to informed sources, this was a very preventable attack. With malware sitting on the system for a long period of time, users, suppliers, integrators, executives, engineers, operators, in short, everyone, needed to know security, like safety, is everybody’ business.
Security Leads to Safety
Applying a contemporary case in point toward a security and safety incident, the law requires an auto manufacturer to build a car with safety belts, but to get the most benefit the driver and passengers have to use them. By wearing that safety belt, you are protecting yourself and are about 90 percent protected. In most cases, that is more than enough to get you through the day.
But what happens in a terrorist environment? How safe is that car if a terrorist pulls up next to you? In that case, software and technology may not be the answer. People must remain aware of the environment and act accordingly. Are you aware of your surroundings? Do you understand the context of the area you are traveling through?
The industry needs to understand and come to grips with that type of context because the open architecture, fully connected world we work in, can be a very lucrative, fast-paced environment, but also a very dangerous place.
This assault on a safety system, had all the markings of a perfect storm, with a physical attack, on top of a cyber incident.
This was not a fly by night operation, this was a targeted attack going for a specific Triconex system and version, which means the attackers had knowledge of the industrial control environment. Just look at the capability of the attacks that have taken place over the past few years. This isn’t about competition, it is about protecting users from cyber assaults. Let’s face it, no one person, company or organization, can tackle this issue alone.
The industry needs an agnostic supplier/end user/integrator-based forum, or consortium, to come together, not to create a standard, which would take way too much time, but to understand the intensity of the threat and then help create a culture where everyone knows security is a part of his or her everyday job.
Positive from Negative
Covering the safety and security industry specifically for almost eight years has shown people will end up activated and motivated when a negative act occurs. The refrain repeatedly heard was the industry will become more security conscious if something bad happens. They would say safety didn’t really come into full play until the December, 1984, Bhopal, India, incident that left 3,787 dead and well over 500,000 injured.
Then, and only then, safety was front and center for the industry and it became a strong focus for all manufacturers.
This cyber attack on the Middle East user, while thwarted by the safety system, was not an exercise. Ill intent was intended. The safety system and the distributed control system suffered compromise. Both systems; both compromised.
It would be easy to say the safety system did its job, no big deal, let’s move on with producing product. The problem is, this attack was a big deal.
This was an unprecedented incident. Normally, when an attack happens, there is a vast silence. The discussion needs to change to saying something happened, let’s scream from the mountain top and let everyone know. These geo-political attacks using ICS infrastructure will continue. In this case, much like Stuxnet was not a Siemens issue, this was not a Schneider Electric problem, it was (and is) an industry problem.
We need a holistic look at security to protect all vendors of systems at a facility and we need an open conversation, not giving away proprietary details, but understanding the importance and ensuring a safe and secure manufacturing experience.
Let’s get started.
Gregory Hale is the Editor/Founder of Industrial Safety and Security Source (ISSSource.com).