What TRITON teaches us about ICS cyber attacks and the OT payload

Reflecting on December 2017’s cyber attack, we look into the mind of the hackers targeting industrial control systems.
Published: Mon 27 Aug 2018

When a Middle Eastern oil and gas petrochemical facility underwent a safety system shutdown as the result of a malware attack in December 2017, critical infrastructures received yet another reminder of cyber malevolence.

The malware, known most commonly as TRITON (as well as TRISIS and HatMan), directly interacted with a safety instrumented system (SIS) - a critical component designed to prevent potentially catastrophic incidents.

To investigate the event further, cybersecurity experts at Nozomi Networks compiled a comprehensive research paper titled ‘TRITON: The First Industrial Control System (ICS) Cyber Attack on Safety Instrument Systems’, endeavouring to understand the malware and its creation.

This, in turn, created the foundations for them to provide insight to industrial operators seeking to defend their control systems from such attacks in the future.

Becoming the TRITON hacker

The target of the attack was the Triconex controller from Schneider Electric. The device was undocumented and left vulnerable to attack, as many assets are in low-visibility environments; older assets that predate today's heightened security focus may also be at risk of cyber attack.

To begin their investigation, the researchers obtained the TRITON engineering toolset, followed by sourcing a Triconex controller - all of which was achieved easily enough through the internet and some intelligent investigation.

Once they had collected and connected the key components, the researchers reverse-engineered the TriStation software suite, which runs on the engineering workstation that communicates with the SIS controller, allowing them to dissect the communication protocol the controller uses.

Nozomi expresses in its white paper the simplicity of the process, suggesting that the effort, skills and financial resources necessary are far below the level where nation state-sponsored resources are required.

Cyber attack in action - targeting operational technology (OT)

Once the pieces were in play, the attackers moved to reprogramme the SIS controllers and send them into a failed state, resulting in an automatic shutdown of the industrial processes, at which point an investigation uncovered the hacking attempt.

By first penetrating the IT network using fairly standardised methods, the attackers can move into the OT network through access points reachable from both environments.

Once in the OT network, a hacker is able to infect systems such as the engineering workstation for the SIS, from where the attacker can trick an engineer into receiving or downloading a dropper file, often named after a legitimate file.

The dropper file delivers a malicious payload to the target, in this case the SIS controller; because the engineering workstation is necessarily connected to the controller, the payload can be injected from there.

Changes to cybersecurity and the effects on utilities

So, what does this mean for critical infrastructures such as utilities with ICSs?

As technology, tools and examples to follow proliferate, the level of skill needed to mount a cyber attack is falling. Nozomi cites the 2010 Stuxnet attack as a benchmark for some of this change: beforehand, there were no examples of ICS malware frameworks available over the internet. Now, TRITON is but one of many.

Other changes which Nozomi notes have impacted the cyber attack space include:

  • Global e-commerce platforms where hackers can easily purchase the documentation and equipment needed to recreate a SIS environment.
  • A rapid increase in the number of disclosed ICS vulnerabilities.
  • Search engines, such as Shodan, which make it easy to find internet-connected ICS devices.
  • Increased connectivity with IT and internet-based systems, increasing the attack surface.

With this in mind, Nozomi strongly recommends that all utilities assess their cyber environments critically, monitoring SIS and taking the appropriate measures to secure their IT-OT space.
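The following is an added example, not code from the article or from Nozomi Networks, of what "monitoring SIS" can look like in practice for the attack chain described above (IT-to-OT pivot, then engineering workstation to SIS controller). It evaluates network flow records against an asset inventory and flags three things a defender would want to know about: any connection crossing from the IT zone into the OT zone, any host other than the designated engineering workstation talking to a SIS controller, and engineering-workstation traffic to a SIS controller outside a declared maintenance window. All addresses, zones, the maintenance window and the flow records are constructed sample data for the example.

```python
"""Zone-aware flow monitor for SIS controllers (illustrative example).

Everything below (networks, hosts, maintenance window, flows) is a
constructed assumption for demonstration; it is not from the article
or from any real plant.
"""
import ipaddress
from datetime import datetime, time
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: datetime   # when the connection was seen
    src: str       # source IP address
    dst: str       # destination IP address


# --- Constructed asset inventory (assumptions) ---------------------------
IT_NET = ipaddress.ip_network("10.1.0.0/16")   # corporate / IT zone
OT_NET = ipaddress.ip_network("10.2.0.0/16")   # plant / OT zone
SIS_CONTROLLERS = {"10.2.50.10", "10.2.50.11"}  # safety controllers
ENGINEERING_WORKSTATION = "10.2.10.5"           # the only authorised SIS client
# Window in which the workstation is expected to program the SIS.
MAINT_START, MAINT_END = time(8, 0), time(10, 0)


def zone_of(ip: str) -> str:
    """Map an address to its security zone using the inventory above."""
    addr = ipaddress.ip_address(ip)
    if addr in IT_NET:
        return "IT"
    if addr in OT_NET:
        return "OT"
    return "UNKNOWN"


def in_maintenance_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the declared maintenance window."""
    return MAINT_START <= ts.time() <= MAINT_END


def evaluate(flow: Flow) -> List[str]:
    """Return the alert names a single flow triggers (empty list if none)."""
    alerts: List[str] = []
    # Rule 1: traffic crossing from IT into OT is the pivot described above.
    if zone_of(flow.src) == "IT" and zone_of(flow.dst) == "OT":
        alerts.append("IT_TO_OT_CROSSING")
    # Rules 2 and 3: only the engineering workstation may talk to the SIS,
    # and only during the maintenance window.
    if flow.dst in SIS_CONTROLLERS:
        if flow.src != ENGINEERING_WORKSTATION:
            alerts.append("UNAUTHORISED_SIS_CLIENT")
        elif not in_maintenance_window(flow.ts):
            alerts.append("SIS_ENGINEERING_OUTSIDE_WINDOW")
    return alerts


def scan(flows: List[Flow]) -> List[Tuple[str, Flow]]:
    """Run every flow through the rules and collect (alert, flow) pairs."""
    return [(alert, f) for f in flows for alert in evaluate(f)]


# Constructed sample flows: one benign engineering session, then the
# three patterns the rules are designed to surface, then unrelated IT noise.
SAMPLE_FLOWS = [
    Flow(datetime(2017, 12, 1, 9, 15), "10.2.10.5", "10.2.50.10"),  # EWS -> SIS, in window
    Flow(datetime(2017, 12, 1, 2, 40), "10.2.10.5", "10.2.50.10"),  # EWS -> SIS, at night
    Flow(datetime(2017, 12, 1, 2, 41), "10.1.20.7", "10.2.10.5"),   # IT host -> EWS
    Flow(datetime(2017, 12, 1, 2, 45), "10.2.30.9", "10.2.50.11"),  # other OT host -> SIS
    Flow(datetime(2017, 12, 1, 9, 0), "10.1.20.7", "10.1.20.8"),    # IT internal, ignored
]

if __name__ == "__main__":
    for alert, f in scan(SAMPLE_FLOWS):
        print(f"{f.ts:%Y-%m-%d %H:%M}  {alert:32s} {f.src} -> {f.dst}")
```

Run as a script it lists three findings from the sample data: the night-time engineering session, the IT host reaching the engineering workstation, and the unexpected OT host addressing a safety controller. In a real deployment the inventory would come from the asset database and the flows from a network sensor or firewall logs; the point is that the SIS controllers and their single authorised client are explicit, so anything else touching them is visible rather than assumed benign.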

This attack may have failed, but as technologies improve, so too will the hackers using them.