MALWARE TO DESTROY OPERATIONS

(August 2017, Saudi Arabia, an undisclosed oil and gas facility)

Operational teams were busy working during regular business hours when alerts of many industrial control system shutdowns were received. These shutdowns were not planned or expected by plant workers and engineers, which caused some head scratching and troubleshooting to determine the cause. As troubleshooting continued, what started as a few shutdowns turned into a full stop in facility operations, causing financial losses to the organization. Eventually, the response effort found a number of files and processes unknown to the organization, and unknown to the vendor, Schneider Electric.

Analyzing the files, cybersecurity analysts came to the grim conclusion that the files were, in fact, malware which had the capability to manipulate the Safety Instrumented System’s (SIS) function and ability to keep operations at a stable state; the malware was intended to cause physical damage and harm.

The malware has since been identified. Dubbed “Trisis”, it specifically targeted Schneider Electric’s Triconex SIS. Luckily, in this case, there was a programming error which prevented any physical damage and harm.

Trisis is not the first of its kind. Other cases of malware targeting critical infrastructure include:

• Crashoverride successfully halted electric power plants in Ukraine in 2016

• Stuxnet compromised nuclear operations in Iran in 2010

• In 1982, it was reported that a Trojan virus infected a Siberian gas pipeline, causing an explosion

What’s new is that Trisis is the first of its kind to specifically target SISs.

Failure of an SIS is one of many outcomes that attackers hope for when targeting critical infrastructure. Others include minor manipulations of system reporting information to degrade (but not destroy) operations, or gaining information for a future compromise at a time when critical infrastructure is absolutely required (e.g. wartime).

This points to the growing capabilities of attackers. Ignore this at your own peril.

The following high-level risk mitigation techniques might have helped deter attackers from targeting the plant, or even prevented the attack completely:

• Preventing and alerting on any internet-originating access to networks that can modify operations, and/or raising the level of sophistication needed to modify the operational network through USB and engineering workstations

• File and system integrity monitoring to prevent and alert on any changes to system files, and/or executing only trusted programs from approved sources

• Creating baselines of configurations and alerting on changes
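
The baseline-and-alert idea from the last two points, as an added example that is not part of the original article: it hashes every file under a directory while the system is known-good, then reports files that were added, removed or modified. The directory layout and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Return files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }


def demo():
    """Constructed scenario: a monitored folder changes after it was baselined."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config").mkdir()
        # Constructed sample files standing in for an approved, known-good state.
        (root / "config" / "controller.cfg").write_text("setpoint=100\n")
        (root / "tool.bin").write_bytes(b"approved build 1.0")
        baseline = snapshot(root)

        # Changes made after the baseline: a configuration edit and an unknown file.
        (root / "config" / "controller.cfg").write_text("setpoint=250\n")
        (root / "unknown.bin").write_bytes(b"not in the approved set")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"ALERT {kind}: {name}")
```

In practice the baseline would be stored somewhere the monitored system cannot write to, so that a change to the files cannot be hidden by a matching change to the baseline.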

Overall actions your organization can take to be better equipped to prevent and respond to cyber incidents:

• Develop a threat-centric cybersecurity capability: Understand current potential threats (e.g. nation-state attack groups or activist groups) and potential consequences based on your operations.

• Understand your network: Identify each system in your operational and information technology environments, document operational and information flows and availability requirements, and identify unresolved risks per system and network.

• Build an incident response team: Combine internal security, operations, engineering, plant management and networking personnel with vendor support for your systems and third-party incident response and forensic help.

• Develop an incident response plan: Coordinate the different support teams to bring about a full organizational response.

• Test response capabilities: Conduct realistic exercises to better prepare personnel when responding to real incidents.


Sam Smagala is a cybersecurity consultant at MNP LLP who specializes in cyber incident response and performs both preparatory and responsive activities for organizations that have information technology and operational technology environments. Sam works on a team with Eugene Ng, who presented on Cyber Security at the CGA 811 Excavation Safety Conference & Expo in Tampa in 2019.
