Over the last week, you may have heard about the discovery of TRISIS or TRITON Industrial Control System (ICS) targeted malware.

FireEye released their report on the “New ICS Attack Framework” after Mandiant responded to an incident where an attacker deployed malware designed to manipulate the industrial safety systems at a critical infrastructure organisation.

However, the malware was in fact first recognised by Dragos last August, targeting Middle Eastern (Saudi at least) power and water management infrastructure, although their findings were not published at the time. There is no intelligence at this time to support the existence of victims outside the Middle East.

ICS-targeted malware is not new, or even especially unusual. Many custom scripts and tools have previously been used in attempts to compromise ICS, though usually in conjunction with backdoor Trojans that provide interactive Remote Desktop control of HMI workstations.

Dragos named this malware TRISIS (FireEye refers to the same malware as TRITON) because it targets Schneider Electric’s Triconex safety instrumented system (SIS), enabling the replacement of logic in final control elements.

A potential attack on SIS can have multiple implications:

Attack Scenario #1: Plant Shutdown

  • The most likely and operationally easiest impact scenario from SIS manipulation or attack is a plant shutdown. The attacker reprograms the SIS logic so that it trips and shuts down a process that is, in actuality, in a safe state.
  • The implication: financial losses due to process downtime and the complex plant start-up procedure that follows a shutdown.

Attack Scenario #2: Unsafe Physical State

  • Likely the most obvious and assumed attack scenario is creating an unsafe physical condition within the target environment by reprogramming the SIS logic to allow unsafe conditions to persist, resulting in physical damage to the environment.
  • The implication: impact to human safety or the environment, or damage to equipment.
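To make the two scenarios concrete, the following is an added example (not code from the original post, Dragos or FireEye, and not derived from any Triconex program) that models a safety function as a small set of trip rules, applies the two kinds of logic replacement described above, and shows the check a defender would want: comparing the running logic against a fingerprint recorded at commissioning. The tag names, limits and process values are constructed for illustration only.

```python
"""Toy model of a safety instrumented function (SIF) and the two TRISIS-style
attack scenarios: a spurious trip (plant shutdown) and a suppressed trip
(unsafe state allowed to persist). All tags, limits and process values are
constructed for this example and do not come from any real Triconex program."""
import hashlib
import json

# The safety logic is modelled as a list of (tag, comparison, limit) rules.
# Any rule that evaluates true demands a trip of the protected process.
BASELINE_LOGIC = [
    ("reactor_pressure_bar", ">", 40.0),
    ("reactor_temp_c", ">", 250.0),
    ("coolant_flow_m3h", "<", 5.0),
]

# Scenario 1: attacker lowers a limit so a perfectly safe process trips.
SPURIOUS_TRIP_LOGIC = [
    ("reactor_pressure_bar", ">", 10.0),   # was 40.0
    ("reactor_temp_c", ">", 250.0),
    ("coolant_flow_m3h", "<", 5.0),
]

# Scenario 2: attacker removes the pressure rule so an over-pressure never trips.
SUPPRESSED_TRIP_LOGIC = [
    ("reactor_temp_c", ">", 250.0),
    ("coolant_flow_m3h", "<", 5.0),
]

# Constructed process snapshots: one inside limits, one with over-pressure.
SAFE_STATE = {"reactor_pressure_bar": 25.0, "reactor_temp_c": 180.0, "coolant_flow_m3h": 12.0}
UNSAFE_STATE = {"reactor_pressure_bar": 55.0, "reactor_temp_c": 180.0, "coolant_flow_m3h": 12.0}


def evaluate_trip(logic, process_values):
    """Return True if the given logic demands a trip for these process values."""
    for tag, op, limit in logic:
        value = process_values[tag]
        if op == ">" and value > limit:
            return True
        if op == "<" and value < limit:
            return True
    return False


def logic_fingerprint(logic):
    """Stable SHA-256 of the logic: the baseline a defender records at commissioning."""
    canonical = json.dumps(logic, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def logic_changed(logic, baseline_fingerprint):
    """Integrity check: does the logic currently loaded differ from the baseline?"""
    return logic_fingerprint(logic) != baseline_fingerprint


def run_scenarios():
    """Evaluate each logic variant against the process snapshots and the integrity check."""
    baseline_fp = logic_fingerprint(BASELINE_LOGIC)
    return {
        "baseline_safe": evaluate_trip(BASELINE_LOGIC, SAFE_STATE),              # False
        "baseline_unsafe": evaluate_trip(BASELINE_LOGIC, UNSAFE_STATE),          # True
        "scenario1_safe": evaluate_trip(SPURIOUS_TRIP_LOGIC, SAFE_STATE),        # True: spurious shutdown
        "scenario2_unsafe": evaluate_trip(SUPPRESSED_TRIP_LOGIC, UNSAFE_STATE),  # False: no trip when needed
        "scenario1_detected": logic_changed(SPURIOUS_TRIP_LOGIC, baseline_fp),   # True
        "scenario2_detected": logic_changed(SUPPRESSED_TRIP_LOGIC, baseline_fp), # True
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The point of the fingerprint is that neither scenario is visible from process values alone: in Scenario 1 the plant simply trips, and in Scenario 2 nothing happens at all until the physical state is already unsafe. Only a comparison of the loaded logic against a known-good baseline flags both cases before they have an effect.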

The malware in this instance was a custom-developed tool for manipulating the safety instrumented system (SIS) control software. Because each SIS deployment is unique and manipulating it safely requires process-specific knowledge, the developers’ limited understanding of the target SIS led them to make mistakes.

TRISIS Malware Capabilities

[Figure: ICS Cyber Kill Chain, diagram via Dragos]

TRISIS Capabilities

TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. Most importantly, the malware leverages no inherent vulnerability in Schneider Electric products.

Given its design and assessed use, TRISIS has no role or applicability to IT environments and is a focused ICS effects tool. As a result, TRISIS’ use and deployment require that an adversary has already achieved success in Stage 1 of the ICS Cyber Kill Chain and either compromised the business IT network or has identified an alternative means of accessing the ICS network. Once in position, the adversary can deploy TRISIS on its target: an SIS device.

Conclusions

TRISIS is not capable of scalable, long-term disruption or destruction, and there should be no hype about attackers being able to reuse this malware across the wider community; it should, however, be analysed fully to capture lessons learned.

Although it is only the fifth publicly known ICS-tailored malware, it is the first to target safety instrumented systems. SIS are specifically designed and deployed to ensure the safety of the process, the environment and human life; an assault on one of these systems is bold and unsettling.