Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment (securityweek.com) 30

wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.
  • by Anonymous Coward

    Why not employ a PROM (programmable read-only memory) as much as you can? These guys ignore other instructions and follow the routine that was put into them.

  • kids eat all the candy left in front of them...

    moral... don't be an idiot

  • The US government did the same type of thing with STUXNET so obviously it’s totally ok.

    • Re:Don’t worry (Score:4, Informative)

      by nnull ( 1148259 ) on Friday December 15, 2017 @02:06AM (#55744049)

      It's not like you have to do much. Most of these manufacturers don't care about security, because it's additional costs. You'd be surprised how many machines out there are just openly connected to the internet, because ooo wow, we made a phone app so you can see how your production is going, but you have to open port xxx on your firewall. When I tell these guys no, they all go into a fury and try to talk down to me like a child (At least most American machine manufacturers do).

      When I ask for encryption and security precautions from manufacturers, they just look at me funny and think I'm crazy. If you think I'm joking, just scan through a bunch of IPs and enjoy how much high-tech equipment is just out there in the open where you can just completely obliterate someone's manufacturing process. It's not like it hasn't happened before, you know. Knowledge of SCADA systems? What the hell for? Most of these idiots run some unsecured remote access, so you can easily press buttons like you're there. My favorite latest thing these guys do now is install TeamViewer on these machines (free version of course; surprised TeamViewer hasn't gone after these people for using it for commercial use, big-name manufacturers too that I can easily name). With some social engineering, you can easily get the TeamViewer ID and password. Nobody ever changes it, like, ever. These are "professionals" doing this on a daily basis, by the way.

      What I quite hate is how after these places get hacked, they claim the hacker is some sort of genius, that meticulously planned this attack, when all he did was login to the PLC or some Windows based Operator console and messed with the whole thing.

      • Re:Don’t worry (Score:4, Informative)

        by thegarbz ( 1787294 ) on Friday December 15, 2017 @04:22AM (#55744277)

        This is actually quite interesting. It looks like the remote access was to the engineering workstation, which by its very nature needs to be networked with the control system. This doesn't sound like some vendor's bullshit idea but rather that the plant engineers had no idea what they were doing. Also, since this is an SIS system, there's no reason for it to require remote access, and any of your talk on fancy apps and whatnot doesn't really apply.

        There are far more interesting things under here as well, either:
        a) write access was enabled via the keyswitch on the Tricon chassis which is a really stupid thing to do permanently, or
        b) far worse: the keyswitch doesn't prevent writing to the program space and is just a trigger for the software not to proceed. This would be a huge failing, one that would likely get TÜV to strip their certification against the IEC standard for this.

        Watching keenly. We've got these systems everywhere.

        • by thomst ( 1640045 )
          Mod parent +1 Informative, please. This is exactly the kind of post /. needs more of ...
        • Replying to self with more information.

          Triconex systems have a physical keyswitch on chassis 1 which is by default set up to allow 4 states: Run, Remote, Program, and Stop. Remote in this case allows writing Modbus values to the system over the network and prevents all memory access. Program allows writing over the running program memory.

          Based on the analysis by Dragos https://dragos.com/blog/trisis... [dragos.com] it would appear the customer was running with the switch permanently in program mode and the attacker got i

        • by nnull ( 1148259 )

          I agree, this is an SIS system, there is no reason to require remote access to any of these devices or my fancy talk of apps, but YET THEY DO! Just look at Phoenix Contact, they offer bluetooth, NFS, and online connectivity, for what? ABB with their speed drives offer complete connectivity with the drive and changing parameters for their safety cards and they advertise it openly with remote access! Then you have all these brand new safety devices that have ethernet/IP or Profinet, with complete full access

          • Then you have all these brand new safety devices that have ethernet/IP or Profinet, with complete full access to the device.

            Whoa there, tiger. All systems need some kind of Ethernet / IP link for communication, even if it's just for the initial config. "Remote" is hardly considered "across the internet". In most cases where the vendors advertise "remote" they basically mean no longer dragging a laptop to the device to plug into the serial port on the front.

            Remote configuration is a must, just that "remote" in this case is from 2 rooms away via a closed network.

            I doubt they will lose any certifications over this. There is nothing in either the IEC standard, UL or NFPA standards against this.

            Read my second reply to myself. In this case it turns out the attack was

            • by nnull ( 1148259 )

              Whoa there, tiger. All systems need some kind of Ethernet / IP link for communication, even if it's just for the initial config. "Remote" is hardly considered "across the internet". In most cases where the vendors advertise "remote" they basically mean no longer dragging a laptop to the device to plug into the serial port on the front.

              Remote configuration is a must, just that "remote" in this case is from 2 rooms away via a closed network.

              This is generally true and I understand the intentions of what the de

              • That is true and I see this as vendors try to push equipment as a service rather a thing. That is mostly driven by customers who lack the expertise and yet want more reliability out of equipment. Easy for a large refinery or chemical plant as they will have dedicated reliability teams monitoring rotating equipment with state of the art instrumentation. However some small remote gas compression station, or in other struggling industries the vendors have come up with some cloud based service with remote exper

      • by thomst ( 1640045 )
        Mod parent +1 Informative, please ...
    • I do worry. Stuxnet targeted a PLC / control system in an attempt to push product off spec.

      This was an attack on a Safety Instrumented System which implies that it was an attempt to really blow something up.

      I also worry further because while the Siemens S7 / Stuxnet was an inside job delivered via USB key, this here talks about remote access to an engineering station which implies a whole new level of incompetence on a far more important system.
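The sub-thread above makes two practical points: an SIS has no business being reachable through a remote-access tool, and program downloads to it should only happen from the engineering workstation during a deliberate change, not with the keyswitch parked in Program mode. The following Python checker is an added example (not code from the original page, from Schneider Electric, or from any vendor) that applies that access model to flow records. Everything about the environment is a constructed assumption: the 10.10.0.0/16 plant network, the SIS and engineering-workstation addresses, the HMI allowed to poll Modbus, port 1502 as the program-download protocol, the 08:00-10:00 weekday change window, and the sample flow lines themselves. The TeamViewer (5938), RDP (3389), VNC (5900) and SSH (22) ports are the tools' usual defaults, but check them against your own environment.

```python
"""
Flag remote-access paths to a Safety Instrumented System (SIS) in flow records.

Added example for the discussion above; not code from the original page or
from any vendor. Network layout, engineering-protocol port, change window and
the sample flows are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# --- Constructed layout (assumptions) -------------------------------------
OT_NET = ipaddress.ip_network("10.10.0.0/16")            # whole plant network
SIS_NET = ipaddress.ip_network("10.10.40.0/24")          # SIS controllers
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.10.30.5")}
MODBUS_READERS = {ipaddress.ip_address("10.10.20.8")}    # HMI/DCS allowed to poll

MODBUS_PORT = 502        # Modbus/TCP: the read path allowed in Remote mode
ENGINEERING_PORT = 1502  # assumed port of the program-download protocol
# Default ports of common remote-access tools; TeamViewer is the one named in the thread.
REMOTE_ACCESS_PORTS = {5938: "teamviewer", 3389: "rdp", 5900: "vnc", 22: "ssh"}

# Assumed change window: program downloads only expected 08:00-10:00 on weekdays.
WINDOW_START, WINDOW_END = time(8, 0), time(10, 0)


@dataclass
class Flow:
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<iso-timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(datetime.fromisoformat(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport), proto)


def in_change_window(ts: datetime) -> bool:
    """True only on a weekday inside the assumed maintenance window."""
    return ts.weekday() < 5 and WINDOW_START <= ts.time() < WINDOW_END


def analyse(flows):
    """Return (reason, flow) pairs for every flow that violates the SIS access model."""
    findings = []
    for f in flows:
        if f.dst in SIS_NET:
            # Routine polling of the safety system by the HMI: expected in Remote mode.
            if f.dport == MODBUS_PORT and f.src in MODBUS_READERS:
                continue
            if f.src in ENGINEERING_WORKSTATIONS:
                # A download while nobody should be programming: the keyswitch
                # was left in Program, or someone else is driving the workstation.
                if not in_change_window(f.ts):
                    findings.append(("ews_to_sis_outside_window", f))
            else:
                findings.append(("unexpected_host_to_sis", f))
        tool = REMOTE_ACCESS_PORTS.get(f.dport)
        # Direct inbound remote access to the engineering workstation from outside OT.
        if tool and f.dst in ENGINEERING_WORKSTATIONS and f.src not in OT_NET:
            findings.append((f"inbound_{tool}_to_ews", f))
        # Outbound session to a relay (how TeamViewer reaches a box behind NAT).
        if tool and f.src in ENGINEERING_WORKSTATIONS and f.dst not in OT_NET:
            findings.append((f"ews_outbound_{tool}", f))
    return findings


# Constructed sample flows, not real traffic. 2017-12-14 is a Thursday, 12-15 a Friday.
SAMPLE_FLOWS = """\
2017-12-14T09:15:00 10.10.30.5 10.10.40.11 1502 udp
2017-12-15T02:00:00 10.10.30.5 198.51.100.20 5938 tcp
2017-12-15T02:05:00 203.0.113.7 10.10.30.5 3389 tcp
2017-12-15T02:06:00 10.10.30.5 10.10.40.11 1502 udp
2017-12-15T02:10:00 10.10.20.8 10.10.40.11 502 tcp
2017-12-15T02:12:00 10.10.20.9 10.10.40.11 1502 udp
""".splitlines()


def run_sample():
    """Run the checker over the embedded sample; only the first and fifth lines are clean."""
    return analyse(parse_flow(line) for line in SAMPLE_FLOWS)


if __name__ == "__main__":
    for reason, f in run_sample():
        print(f"{f.ts.isoformat()} {f.src} -> {f.dst}:{f.dport}/{f.proto}  {reason}")
```

Of the six sample flows, the daytime download from the engineering workstation and the HMI's Modbus poll pass; the 02:00 outbound TeamViewer relay session, the RDP connection from a public address into the workstation, the 02:06 download to the SIS outside the window, and the download from an unknown host are each reported. The change-window rule is the cheapest proxy for "the keyswitch should be in Run or Remote": if your plant records keyswitch state, checking that directly is better than inferring it from traffic.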

  • It seems like everyone just trusts each other at that level. Also, does it matter? Everything should be encrypted anyway, redirecting traffic should be expected if not by States, somewhere else on the line.
