First cyber attack on unguarded SIS reported

Jan. 16, 2018
Schneider Electric confirms FireEye, Dragos blog posts about Triton malware attack on isolated user's Triconex safety controller at critical infrastructure facility in the Middle East

One of the first—if not the first—documented cyber attacks on a safety instrumented system (SIS) was reported on Dec. 14 by the FireEye and Dragos blogs, which each released reports about the incident. Their news was acknowledged the same day by Schneider Electric, which supplied the equipment and software affected.

Named either Triton, Trisis or HatMan, this malware reportedly gained remote access to an SIS engineering workstation running Schneider Electric's Triconex safety system at a critical infrastructure facility in the Middle East, and sought to reprogram its SIS controllers. Though the malware doesn't use any inherent vulnerability in Schneider Electric's devices, the malware's intrusion was possible because the user's equipment had allegedly been left in "program" mode, instead of being switched to "run" mode that wouldn't have allowed reprogramming. However, a subsequent mistake by the malware was detected by the SIS, which triggered a safe shutdown of the application.

"It appears the attacker had access to the safety control system and developed its malware over several weeks," says Andrew Kling, director of cybersecurity and architecture at Schneider Electric. "On Aug. 4, there was a mistake in the malware that was picked up by the Tricon equipment. As a result, the safety instrumented system took the process to a safe state and tripped the plant."


Kling reports that Schneider Electric learned its customer's safety system was affected within a few hours, and has been investigating it along with the user's security team, FireEye, and the U.S. Dept. of Homeland Security (DHS). Reports of the incident went mainstream when FireEye and Dragos posted news about it on Dec. 14 on their blogs.

"It's likely a plant shutdown wasn't the intended result of the malware," explains Kling. "It’s clear that this was a specific attack against a specific site, and not viral or weaponized. Had the plant not tripped, it’s likely the malware would have gone unnoticed.” 

Consequently, Kling stressed it's important for process control users not to overreact in response to the Triton attack, and instead make sure their cybersecurity programs are up to date and sufficient to meet existing threats. "As reported by FireEye and Dragos, a series of missteps by the Triconex user enabled this attack to happen," says Kling. "For example, the SIS was connected to the network demilitarized zone (DMZ) at the enterprise level, and that enabled access to the SIS. The attackers were able to break into a Microsoft Windows workstation where Triconex and the SIS model were located, and probably most significantly, the Tricon’s memory protection functions (a physical key on the front panel) had been left in program mode, which allowed the Tricon’s memory to be altered by the attackers."

Kling describes Schneider Electric's short-, medium- and long-term mitigation strategies for cybersecurity incidents:

• Short-term consists of recommending that users follow standard and documented security practices, which include putting the memory switches on the front of their Tricon units in run mode when the units are not actively being programmed, which will protect their memory from intentional or accidental writes, and then removing and securing the key.

• Medium-term advice is that users consider doing a site assessment, and develop an updated cybersecurity plan. Kling states, “The security plan should be part of any company’s risk management plan. A regular review of the site and plan is a best practice.”

• Long-term involves Schneider Electric and its users jointly working with DHS and other security professionals to develop more and better protections against these and other cybersecurity threats and attacks.

"The problems highlighted by this one incident are not peculiar to Triconex and represent an opportunity for the industry to reflect upon the strategies we use to protect our plants,” explains Kling. "We're not trying to sweep any of this under the rug. This is a very public effort, and we want open communications to get information out to everyone, so the whole cybersecurity community can help solve these challenges.”