The current state of ICS malware, and what can be done about it
Last week, on the 18th of January, 2018, Schneider Electric, the manufacturer of the impacted system, publicly released an analysis of the vulnerability that made this attack possible.
Like most known malware targeting ICS, this malware, called Trisis (or Triton), is developed to attack a specific system: in this case, the Triconex Industrial Safety Instrumented System (SIS). Trisis infects its target by first implanting itself in the engineering workstations of the targeted facility, and from there attempts to deploy malware into the safety system itself. In this case, that triggered a failsafe shutdown of the plant. But it could have been worse: Trisis has the potential to inflict significant physical damage by preventing a controlled shutdown.
In the immediate aftermath of the event, several security researchers began to analyse Trisis. Unfortunately, in the heat of the moment, the actual malware sample was mistakenly released to the Internet, prompting Schneider Electric competitor ABB to release a Cyber Security Notification, in which they noted that while Trisis specifically is not a risk to other systems, "a conceptually similar attack can be leveraged against any safety system with a sufficiently similar design concept".
While all this may sound very scary, it has to be noted that an ICS attack not only requires a dedicated malware implant, but also a very sophisticated operation to actually deploy the malware to a closed industrial system. As such, this type of attack can today be considered a rare event, within reach mainly of nation-state level actors.
However, with Trisis now publicly available for everyone to research, we can expect the adversaries to rapidly evolve the concept.
With the genie now out of the bottle, and with no way of getting it back in, it is time we had a look at what can be done to prevent this type of attack.
ABB, in their Cyber Security Notification on Trisis, lists three generic recommendations, closely echoing what Tieto also recommends to our customers running ICS:
Additionally, a host-based Intrusion Detection System (HIDS) is effective against many types of attacks without putting the integrity of the control network at risk.
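One of the simplest host-based controls in that category is file-integrity monitoring of the engineering workstation: hash every file once, and alert when a file is added, changed or removed, without touching the control network at all. The block below is an example added for this page, not code from Tieto, ABB or Schneider Electric; the directory layout and file names it scans are constructed for the demo, and the "ALERT" report format is an assumption.

```python
"""Minimal host-based file-integrity check, in the spirit of the HIDS the post
recommends for engineering workstations.  Added example for this page, not
vendor tooling.  The folder layout and file names used in demo() are constructed."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries are not held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256 digest.  Symlinks are skipped because their target can change
    without the link itself changing."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Diff a stored baseline against a fresh scan.  Returns sorted lists of
    added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a workstation project folder, then let a
    project file change, a new binary appear and a file disappear, and report it."""
    with tempfile.TemporaryDirectory() as root:
        proj = os.path.join(root, "projects")
        os.makedirs(proj)
        with open(os.path.join(proj, "controller_project.bin"), "wb") as fh:
            fh.write(b"constructed project file v1")
        with open(os.path.join(proj, "notes.txt"), "wb") as fh:
            fh.write(b"constructed notes")
        baseline = build_baseline(root)

        # Simulated changes after the baseline was taken (all constructed).
        with open(os.path.join(proj, "controller_project.bin"), "wb") as fh:
            fh.write(b"constructed project file v2")
        with open(os.path.join(root, "library.dll"), "wb") as fh:
            fh.write(b"constructed new binary")
        os.remove(os.path.join(proj, "notes.txt"))

        report = compare(baseline, build_baseline(root))
        for kind, paths in report.items():
            for p in paths:
                print(f"ALERT {kind}: {p}")
        return report


if __name__ == "__main__":
    demo()
```

In a real deployment the baseline would be stored off the monitored host (or at least signed) so that an intruder who modifies files cannot also rewrite the record of what they should look like, and the scan would be scheduled rather than run by hand.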
Outside the ICS domain, the importance of a solid Identity and Access Management (IAM) solution cannot be emphasized enough. Especially in environments where subcontractors are extensively used for maintenance operations, a solid IAM regime is the only way to maintain granular control of both physical and network access.
No technical solution, however, is effective against all threat scenarios in all environments. For this reason, Tieto recommends that ICS operators perform regular risk assessments and security process reviews in order to stay vigilant in the face of a changing environment. In the end, security is built as a combination of technology, processes, and employees who are aware of and alert to any anomalies in their working environment.
Tieto Security Services recently added significant security consulting power to our offering. Get in touch with us to discuss how we can help you with a security and risk assessment.
PS. If Finnish is your language, we warmly invite you to watch our free webinar "Miksi tietoturva on valmistavalle teollisuudelle kriittisen tärkeää?" (Why is information security critically important for the manufacturing industry?)