Since Stuxnet first targeted and destroyed uranium enrichment centrifuges in Iran last decade, the cybersecurity world has waited for the next step in that digital arms race: another piece of malicious software designed specifically to enable the damage or destruction of industrial equipment. That rare type of malware has now reappeared in the Middle East. And this time, it seems to have the express intention of disabling the industrial safety systems that protect human life.
Security firm FireEye today revealed the existence of Triton, also known as Trisis, a family of malware built to compromise industrial control systems. Although it's not clear what kind of industrial facility, or even what country, the sophisticated malware appeared in, it targets equipment sold by Schneider Electric that is often used in oil and gas facilities, and sometimes in nuclear energy facilities or manufacturing plants. Specifically, Triton is designed to tamper with or even disable Schneider's Triconex products, which are known as safety-instrumented systems (SIS), as well as the distributed control systems (DCS), made by a separate company, that human operators use to monitor industrial processes.
SIS components are built to run independently from the rest of a facility's equipment and to monitor for potentially dangerous conditions, triggering alerts or shutdowns to prevent accidents or sabotage. By obtaining a foothold in the DCS, hackers could use Triton to create a situation that might cause physical harm, such as an explosion or a leak. And because Triton's code also contains the express ability to disable Triconex safety measures, the failsafes that exist to shut down equipment in those situations would be unable to respond. That makes for a dangerous new escalation in hacker tactics targeting critical infrastructure.
“[FireEye subsidiary] Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems,” FireEye's report on its new malware finding reads. “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations.”