
The genie is out of the bottle – now what?

The current state of ICS malware, and what can be done about it

Timo Ahomäki / January 23, 2018

In December 2017 it became public that an industrial facility run by a critical infrastructure operator in the Middle East had experienced an unusual emergency shutdown event. Unusual in the sense that the shutdown was not the result of an out-of-range sensor reading, faulty equipment or a runaway process. Instead, it was triggered by an incident involving Industrial Control System (ICS) malware.

Last week, on the 18th of January, 2018, Schneider Electric, the manufacturer of the impacted system, publicly released an analysis of the vulnerability that made this attack possible.

Like most known malware targeting ICS, this malware, called Trisis (or Triton), was developed to attack one specific system: in this case the Triconex Safety Instrumented System (SIS). Trisis first establishes itself on the engineering workstations of the targeted facility, and from there attempts to load its own code into the safety controllers themselves. In this case the attempt tripped the controllers into a failsafe state, which shut the plant down. Schneider's analysis also noted that the affected controller's key switch had been left in the PROGRAM position, which is what allowed new logic to be loaded at all. It could have been far worse: a safety system that has been tampered with may no longer perform its safety function when a genuinely dangerous process condition occurs, and that is where Trisis has the potential to inflict significant physical damage.

In the immediate aftermath of the event, several security researchers began to analyse Trisis. Unfortunately, in the heat of the moment, the actual malware sample was mistakenly released to the Internet, prompting Schneider Electric competitor ABB to release a Cyber Security Notification, in which they noted that while Trisis specifically is not a risk to other systems, "a conceptually similar attack can be leveraged against any safety system with a sufficiently similar design concept".

While all this may sound very scary, it has to be noted that an ICS attack of this kind requires not only a dedicated malware implant written for the target system, but also a sophisticated operation to deliver that implant into a closed industrial network. As such, this type of attack can today be considered a rare event, within reach mainly of nation-state level actors.

However, with Trisis now publicly available for everyone to research, we can expect the adversaries to rapidly evolve the concept.

How to prevent this type of an attack?

With the genie now out of the bottle, and with no way of getting it back in, it is time to look at what can be done to prevent this type of attack.

ABB, in their Cyber Security Notification on Trisis, list three generic recommendations, closely echoing what Tieto also recommends to our customers running ICS:

  1. Networks used for ICS should always be segmented from enterprise and public networks. Additionally, Tieto recommends actively monitoring all critical networks for anomalies, since segmentation alone is not enough: implants can also be placed via physical access to air-gapped systems, and the first sign of them is often unexpected traffic inside the control network.
  2. Always install vendor-validated patches on all engineering systems. Additionally, deploying Application Control, which prevents all but specifically approved binaries from executing on these systems, adds another layer of protection: an implant that has been copied onto an engineering workstation still has to run there before it can reach the safety controllers.
  3. Maintain up-to-date endpoint security solutions on all engineering systems.
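To make the first recommendation concrete, here is an added example of the kind of anomaly check a monitoring system on a segmented safety network can run. It is not code from this post, from ABB or from Schneider Electric; the zone layout, hostnames, IP addresses and the maintenance window are assumptions chosen for illustration, and the flow records it reads are constructed. The one real-world detail is that TriStation, the Triconex engineering protocol, uses UDP port 1502. The script flags traffic that reaches the safety network from outside the ICS zone at all, engineering-protocol traffic from any host that is not an approved engineering workstation, and engineering-protocol traffic outside the announced maintenance window.

```python
"""Anomaly check for a segmented safety network (added example, not the
post's own code). All subnets, hosts and the maintenance window are
assumptions; the flow log below is constructed for the example."""
from datetime import datetime, time
import ipaddress

# --- Assumed zone model (illustrative values) ---
SAFETY_NET = ipaddress.ip_network("10.10.3.0/24")       # SIS controllers
ICS_ZONE = [ipaddress.ip_network("10.10.0.0/16")]       # whole control network
ENGINEERING_WS = {ipaddress.ip_address("10.10.2.15")}   # approved TriStation hosts
ENGINEERING_PORTS = {1502}                              # TriStation, UDP/1502
MAINTENANCE_WINDOW = (time(8, 0), time(16, 0))          # assumed approved window

# Constructed flow records: "timestamp src dst proto dport", one per line.
SAMPLE_FLOWS = """
2018-01-16T09:12:01 10.10.2.15 10.10.3.10 udp 1502
2018-01-16T09:13:44 10.10.2.15 10.10.3.10 udp 1502
2018-01-16T23:41:09 10.10.2.15 10.10.3.10 udp 1502
2018-01-16T23:42:30 10.10.2.99 10.10.3.10 udp 1502
2018-01-17T02:05:00 192.168.50.7 10.10.3.11 tcp 445
2018-01-17T10:00:00 10.10.2.15 10.10.3.12 tcp 502
""".strip().splitlines()


def parse_flow(line):
    """Turn one whitespace-separated flow record into typed fields."""
    ts, src, dst, proto, dport = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": int(dport),
    }


def check_flow(flow):
    """Return a list of findings for one flow; empty means nothing to report.
    Only traffic whose destination is the safety network is examined."""
    findings = []
    if flow["dst"] not in SAFETY_NET:
        return findings
    src = flow["src"]
    # Rule 1: nothing outside the ICS zone may talk to the safety network.
    if not any(src in net for net in ICS_ZONE):
        findings.append("segmentation breach: source outside the ICS zone")
    # Rules 2 and 3 apply only to the engineering protocol, which is the
    # channel an attacker needs in order to load logic into the controllers.
    if flow["dport"] in ENGINEERING_PORTS:
        if src not in ENGINEERING_WS:
            findings.append("engineering protocol from non-approved host")
        start, end = MAINTENANCE_WINDOW
        if not start <= flow["ts"].time() <= end:
            findings.append("engineering protocol outside maintenance window")
    return findings


def analyse(lines):
    """Run check_flow over every record; return only the flagged ones."""
    flagged = []
    for line in lines:
        findings = check_flow(parse_flow(line))
        if findings:
            flagged.append({"line": line, "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in analyse(SAMPLE_FLOWS):
        print(hit["line"])
        for f in hit["findings"]:
            print("   ->", f)
```

Run against the constructed log, the two daytime TriStation sessions from the approved workstation pass, the late-night session from the same workstation is reported as outside the maintenance window, the session from the unlisted host 10.10.2.99 is reported twice, and the SMB connection from an enterprise address is reported as a segmentation breach regardless of port. The Modbus flow from the approved workstation is not reported, which is deliberate: the check is about who may program the safety controllers and when, not about normal process traffic. In a real deployment the allowlist and window would come from the change-management system rather than constants, and the flows from a passive tap, never from an inline device in the control network.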

Additionally, a host-based Intrusion Detection System on the engineering workstations is effective against many types of attacks, and it does this without placing any new device into the control network whose failure could affect the process.
Outside the ICS domain, the importance of a solid Identity and Access Management (IAM) solution cannot be emphasized enough. Especially in environments where subcontractors are extensively used for maintenance operations, a solid IAM regime is the only way to maintain granular control of both physical and network access, including who may connect an engineering laptop to the safety network and when.

No technical solution, however, is effective against all threat scenarios in all environments. For this reason, Tieto recommends ICS operators to perform regular risk assessments and security process reviews in order to stay vigilant in the face of the changing environment. For in the end, security is built as a combination of technology, processes and employees who are aware of and alert to any anomalies in their working environment.

Tieto Security Services recently added significant security consulting power to our offering. Get in touch with us to discuss how we can help you with a security and risk assessment.

PS. If Finnish is your language, we warmly invite you to watch our free webinar "Miksi tietoturva on valmistavalle teollisuudelle kriittisen tärkeää?" ("Why is information security critically important for the manufacturing industry?").

Timo Ahomäki
Tieto alumni

Timo Ahomäki has over 20 years of international portfolio development experience in telecom and cyber security industries. Before joining Tieto, Timo was the CTO for an international software company specializing in telecom Operations and Business Support infrastructure.
