The Triconex ICS cyber attack in the Middle East was the first attack that explicitly targeted a facility's Safety Instrumented System (SIS) or Emergency Shutdown Device (ESD).
TRITON and Safety Instrumented Systems
The attempted cyber attack used TRITON malware to exploit the Triconex Safety Instrumented System controls with the goal of disrupting operations at a critical infrastructure facility. Triconex, acquired by Schneider Electric in 2014, was created to protect OT assets in critical hazard industries such as oil & gas, energy and power.
Safety Instrumented Systems are used to monitor operating processes in critical environments, such as chemical plants or refinery facilities. The control systems create alerts if unsafe conditions are reached, triggering Emergency Shutdown Devices to immediately react before the issue escalates.
The Triconex threat highlighted how operational disruptions in critical infrastructure could result in widespread catastrophe from a plant shutdown if emergency protection is compromised due to SIS failure.
In this specific cyber incident, attackers should never have been able to get to the SIS with such ease. Indicators of system compromise and alarms were blatantly ignored. The TriStation application software and related systems were inadequately secured.
It was only a matter of time before more research was made public, vulnerabilities were discovered, or even used by a determined adversary.
Protecting industrial safety systems from cyber attacks
Despite secure deployment guidelines, asset owners do not regularly deploy adequate measures or even third-party solutions to add compensating controls (likely due to compatibility).
This series of vulnerabilities for the Schneider Electric Triconex TriStation and Tricon Communication Module (TCM) in ICS Advisory (ICSA-20-205-01) points to some important facts:
- These systems, despite their importance, are not intrinsically secure and have flaws that are the result of poor testing, code quality, and engineering
- Legacy insecure by design features or legacy patterns are still present, and likely to be present for the foreseeable future
- Asset owners are unlikely to adequately secure these systems unless CVEs are disclosed (don’t know, don’t care mentality)
- Oddly enough, the advisory limits the affected operating systems to Windows NT, Windows XP, or Windows 7 (odd that it stops there; perhaps the vendor does not officially support them, but they will be present anyway)
Protecting an industrial organization’s safety systems should be an utmost priority in Operational Technology (OT) Health, Safety and Environment (HSE). But to reiterate, regardless of purpose, there is a common thread here:
- ALL embedded systems are very likely to have vulnerabilities within them
- Their security is absolutely dependent on their deployment configuration and its adjacent environment
- They require integrated vulnerability and risk management, but also compensating controls from deployment to retirement (grave/destruction)
How an attacker could infiltrate Safety Instrumented Systems:
- Obtain sensitive information such as a password even with various functionality enabled
- Perform a denial of service attack if the user is not following documented guidelines regarding TriStation 1131 connections and key-switch protection. Likely open connection pool exhaustion.
- Leverage a hidden support account that was left over for a legacy support function to gain access
- Deny access to the TCM, which would cause various versions to reset when hit hard enough. Likely a watchdog is tripped, interrupts are intensively issued, and the device will restart when under high network load
- Use a legacy debugging port that is visible on the network enabling inappropriate access
CISA and Schneider Electric advise the following actions to protect against SIS cyber attacks:
- Upgrade and patch the affected products and software using software obtained from Schneider’s official repository
- Isolate the devices, and secure them behind firewalls
- Ensure devices are not left in “program mode” and protect them physically (e.g., a locked cabinet)
- Ensure transient removable devices are scanned or denied into the environment
- Minimize Internet access (actually 100% air-gap as per their secure deployment guidelines)
- Minimize remote access, and use secure methods of access with multiple controls (if necessary)
- Utilize security functions
- Isolate safety systems such that they are within their own high-security zone, and limit access to other zones
- Monitor and configure TriStations to raise an alarm when the SIS is in program mode
- Prevent transient devices such as laptops that are not used to manage the safety zone from making their way into the SIS network; if they must, they should be properly sanitized at a minimum
Verve’s additional steps to protect against malware like TRITON:
- Detailed asset inventory management program that knows the location of devices and ensures the software on the device, or for the controlling application, is automatically refreshed by regular, programmatic monitoring
- Compensating controls such as enforcing policies to block unauthorized applications or USB/removable media should be used (e.g., application whitelisting)
- Put an adequate policy in place to limit user access on a system or for connectivity over the network
- Monitor systems by securely fetching application logs and performing analysis on them with the right tools (e.g., detecting programming mode)
- Ensure network isolation, monitoring access, and investigating variations or irregular behaviors (e.g., do what ISA says!)
- Do not allow direct access to these systems and have multiple hurdles such as Jump boxes to provide additional technological diversity and raise chances of discovery before the SIS can be tampered with or probed
- Ensure all product security capabilities are used appropriately and tested for function (aka: Trust but validate)
- Ensure appropriate cyber policy to manage an incident from investigation to recovery (including disaster recovery planning) for anything that affects these systems
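As an added example, not code from Verve, Schneider Electric or CISA, of the program-mode alarm in the CISA list and the log analysis step in the Verve list above: a small Python checker that replays key-switch events and alarms when a controller enters PROGRAM mode outside an approved change window, or stays there past a maximum duration. The log line format, controller names and approved-window table are constructed for this illustration; TriStation's real event format differs and would need its own parser.

```python
"""Alarm on a Tricon key switch left in PROGRAM mode (added example)."""
from datetime import datetime, timedelta

# Constructed sample events: timestamp, controller name, key-switch position.
# (This is not the real TriStation log format; it stands in for whatever the
# site actually collects via syslog or the application log.)
SAMPLE_LOG = """\
2020-07-14T08:00:00 SIS-01 keyswitch=RUN
2020-07-14T09:15:00 SIS-01 keyswitch=PROGRAM
2020-07-14T09:40:00 SIS-01 keyswitch=RUN
2020-07-14T13:00:00 SIS-02 keyswitch=PROGRAM
2020-07-14T13:05:00 SIS-02 keyswitch=PROGRAM
2020-07-14T16:30:00 SIS-01 keyswitch=PROGRAM
"""

# Constructed change-management table: controller -> (start, end) of the
# approved maintenance window during which PROGRAM mode is expected.
APPROVED = {"SIS-01": (datetime(2020, 7, 14, 9, 0), datetime(2020, 7, 14, 10, 0))}

def parse_events(text):
    """Turn the constructed log lines into (time, controller, mode) tuples."""
    events = []
    for line in text.splitlines():
        ts, name, kv = line.split()
        events.append((datetime.fromisoformat(ts), name, kv.split("=", 1)[1]))
    return events

def program_mode_alarms(events, now, approved, max_window=timedelta(minutes=30)):
    """Return (controller, since, reason) alarms.

    A new PROGRAM session outside an approved window is always flagged, even
    if the switch went back to RUN later (a finished, unauthorised programming
    session is still an indicator). Controllers still in PROGRAM at `now` for
    longer than max_window are flagged as well. `now` is injected so the
    function is deterministic and testable."""
    alarms, entered = [], {}          # entered: controller -> PROGRAM start
    for ts, name, mode in events:
        if mode != "PROGRAM":
            entered.pop(name, None)   # back to RUN/STOP: session over
            continue
        if name in entered:           # repeated PROGRAM event, same session
            continue
        entered[name] = ts
        start, end = approved.get(name, (None, None))
        if start is None or not (start <= ts <= end):
            alarms.append((name, ts, "entered PROGRAM mode outside an approved change window"))
    for name, since in entered.items():
        if now - since > max_window:
            alarms.append((name, since, "still in PROGRAM mode past the maximum window"))
    return alarms

def run_sample():
    """Evaluate the constructed log at 17:00 on the same day."""
    return program_mode_alarms(parse_events(SAMPLE_LOG), datetime(2020, 7, 14, 17, 0), APPROVED)
```

With the sample data, SIS-01's 09:15 session falls inside its approved window and is silent, while SIS-02 (no window, still in PROGRAM for four hours) and SIS-01's 16:30 session each raise an alarm.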