At Dexcent, the safety and security of our clients’ plants is a high priority. For that reason, we want to ensure that our clients and followers are informed of any current or possible industrial cybersecurity threat.
Last month, a new piece of malware specifically targeting industrial organizations was reported. The malware, named Triton by FireEye, the cybersecurity company that identified it, specifically targeted Triconex industrial safety technology from Schneider Electric. According to FireEye, the attack caused “operational disruption to critical infrastructure,” though sources have not identified the plant or its location.
What was Triton trying to do?
According to Reuters, the hackers used the malware to take remote control of a workstation running a Triconex safety shutdown system and then sought to reprogram the SIS controllers. In this particular case, some of those controllers entered a safe shutdown mode, which caused related plant processes to shut down and allowed the plant to identify the attack, FireEye said.
But why would the hackers want to reprogram these controllers?
If the hackers control the safety system, they can then shut down the controllers that normally monitor safety issues, called Safety Instrumented Systems (SIS), before carrying out an attack on other, more vital, parts of an industrial plant. They would “trick” the SIS into indicating that everything is okay when an attack is actually underway. This could prevent operators from being able to identify that a destructive attack is happening.
What is the continued threat?
It is important to note that FireEye believes the attack was not orchestrated by any single person or “small” hacker group. They stated in their warning that “The targeting of critical infrastructure as well as the attacker’s persistence, lack of a clear monetary goal, and the technical resources necessary to create the attack framework suggest a well-resourced nation-state actor.”
For these reasons, and because this is the third malware in the last ten years to target the industrial sector specifically, many cybersecurity experts and analysts are concerned.
“This is a watershed,” said Sergio Caltagirone, head of threat intelligence with Dragos, about the attack. “Others will eventually catch up and try to copy this kind of attack.”
So while the continued threat from the Triton malware itself is unknown, the threat to industrial organizations from ever-growing and advancing malware attacks is large. In fact, it is clear that the world’s cybersecurity experts believe attacks on industrial systems and operations are going to become more serious and more frequent in the future.
What to do about it?
The best way for an industrial organization to protect itself and its assets against cybersecurity threats and attacks is to have the best and most advanced security program it can get. At Dexcent, we believe in our cybersecurity partner Verve Industrial Protection and trust their unique, integrated approach to ICS cybersecurity.
If your industry has a cybersecurity standard, it is also important to ensure plant operations and equipment are managed in a way that meets all compliance requirements. Dexcent can perform a cybersecurity compliance assessment. This assessment provides you with a comprehensive evaluation of your facility’s interconnected OT environment. We work with you to understand your current cybersecurity posture, and we will provide recommendations, in alignment with industry standards, to mitigate any gaps in your OT systems and networks from Level 3.5 DMZ to your Level 1 field devices.
If you are interested in learning more about Dexcent, please visit our website.