Nozomi Networks’ Co-founder and Chief Product Officer Andrea Carcano has warned about the dangers of future TRITON-like attacks. At the recent Black Hat USA conference, Carcano presented a live recreation of the industry’s first direct attack on an industrial safety system, showing that creating the TRITON malware may have been much easier than originally thought, and shared new tools to help in the fight against TRITON. Carcano urged the community to unite on more aggressive efforts to address security gaps in critical operational networks.
“TRITON failed. However, now, with a deeper understanding of the attack, we believe the effort, skills and financial resources needed to create the Triton malware were not as high as originally thought. We also know the attacker could have just as easily succeeded in injecting the final payload,” Carcano said. “This realization, combined with the knowledge that a growing number of hackers have critical infrastructure in their sights, [means] we as a community must move quickly on all fronts to strengthen the cyber security culture for the entire industry.”
First reported in December 2017, the TRITON attack against a petrochemical processing plant in the Middle East had the potential to compromise the facility’s Triconex Safety Instrumented System (SIS) from Schneider Electric. Fortunately, the Tricon system detected an anomaly and behaved as it was supposed to, taking the plant to a safe state via a shutdown. TRITON is considered a milestone industrial cyber attack because it was the first to directly interact with and control a safety system, raising the risk that a cyber attack could lead to unpredictable and dangerous industrial plant conditions.
“It’s important to recognize that Triton-type attacks can be made against any industrial control and safety system anywhere in the world, no matter who designed, engineered, built or operates it,” said Nathalie Marcotte, Senior Vice President, Industry Services and Cybersecurity, Schneider Electric. “No single entity can solve this global issue; rather, end users, third-party suppliers, integrators, standards bodies, industry groups and government agencies must work together to help the global manufacturing industry withstand cyber attacks and protect the world’s most critical operations and the people and communities we all serve.”
Read a white paper on this issue: TRITON: The First ICS Cyberattack on Safety Instrument Systems (PDF).