Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment (securityweek.com)
wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.
Re: (Score:2)
Why the hell do people have their critical infrastructure on networks which aren't isolated and locked down?
Let's blame the victim for not locking the door, not the burglar, eh? The better question is how sick in the head do you have to be to even think about attacking something like this?
Re: (Score:2)
Given that the level of sophistication that came out of Stuxnet showed it was state-sponsored, I'd say about as sick in the head as any modern government or military.
Now I'm going to hide before a USA drone drops a missile in my living room without due process. Wouldn't be the first time.
Use some old school technology (Score:1)
Why not employ a PROM (programmable read-only memory) as much as you can? These guys ignore other instructions and follow the routine that was put into them.
in other news (Score:2)
kids eat all the candy left in front of them...
moral... don't be an idiot
Re: (Score:2)
It's OK, I thought they were talking about Rob Schneider... and I really don't want to see him designing safety systems for critical infrastructure!
Don’t worry (Score:2)
The US government did the same type of thing with STUXNET so obviously it’s totally ok.
Re:Don’t worry (Score:4, Informative)
It's not like you have to do much. Most of these manufacturers don't care about security, because it's additional costs. You'd be surprised how many machines out there are just openly connected to the internet, because ooo wow, we made a phone app so you can see how your production is going, but you have to open port xxx on your firewall. When I tell these guys no, they all go into a fury and try to talk down to me like a child (At least most American machine manufacturers do).
When I ask for encryption and security precautions from manufacturers, they just look at me funny and think I'm crazy. If you think I'm joking, just scan through a bunch of IPs and enjoy how much high-tech equipment is just out there in the open where you can completely obliterate someone's manufacturing process. It's not like it hasn't happened before, you know. Knowledge of SCADA systems? What the hell for? Most of these idiots run some unsecured remote access, so you can easily press buttons like you're there. My favorite latest thing these guys do now is install TeamViewer on these machines (free version of course; surprised TeamViewer hasn't gone after these people for using it for commercial use, big-name manufacturers too that I can easily name). With some social engineering, you can easily get the TeamViewer ID and password. Nobody ever changes it, like, ever. These are "professionals" doing this on a daily basis, by the way.
What I quite hate is how after these places get hacked, they claim the hacker is some sort of genius that meticulously planned this attack, when all he did was log in to the PLC or some Windows-based operator console and mess with the whole thing.
Re:Don’t worry (Score:4, Informative)
This is actually quite interesting. It looks like the remote access was to the engineering workstation which by its very nature needs to be networked with the control system. This doesn't sound like some vendor's bullshit idea but rather that the plant engineers had no idea what they were doing. Also since this is an SIS system, there's no reason for it to require a remote access and any of your talk on fancy apps and what not doesn't really apply.
There are far more interesting things under here as well, either:
a) write access was enabled via the keyswitch on the Tricon chassis which is a really stupid thing to do permanently, or
b) far worse: the keyswitch doesn't prevent writing to the program space and is just a trigger for the software not to proceed. This would be a huge failing, one that would likely get TÜV to strip their certification against the IEC standard for this.
Watching keenly. We've got these systems everywhere.
Re: (Score:3)
Replying to self with more information.
Triconex systems have a physical keyswitch on chassis 1 which is by default set up to allow 4 states: Run, Remote, Program, and Stop. Remote in this case allows writing Modbus values to the system over the network and prevents all memory access. Program allows writing over the running program memory.
Based on the analysis by Dragos https://dragos.com/blog/trisis... [dragos.com] it would appear the customer was running with the switch permanently in program mode and the attacker got i
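The keyswitch comment above says Remote mode still lets a network peer write Modbus values into the controller. As an added illustration (my own code, not from the thread, from Dragos's analysis or from Schneider Electric's tooling), here is a small Modbus/TCP audit that decodes captured frames headed for the SIS and flags every write function code, distinguishing the engineering workstation from any other host. The SIS address, the writer allowlist and the four sample frames are constructed assumptions for the example.

```python
"""Flag Modbus/TCP writes aimed at a safety controller.

Added example, not from the Slashdot thread or any vendor. The addresses
and the captured frames below are constructed for the demonstration.
"""
import struct
from typing import Optional

# Function codes that change controller state (Modbus application spec).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

SIS_ADDRESS = "10.0.5.10"        # assumed IP of the SIS network module
ALLOWED_WRITERS = {"10.0.5.20"}  # assumed engineering workstation


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP ADU into MBAP header fields and the PDU.

    MBAP: transaction id (2), protocol id (2, always 0), length (2, bytes
    that follow the length field), unit id (1); then function code + data.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return {"transaction_id": tid, "unit_id": uid,
            "function_code": frame[7], "data": frame[8:]}


def describe_write(fc: int, data: bytes) -> str:
    """Decode the target of a write request so the finding says what changed."""
    if fc in (5, 6) and len(data) >= 4:
        addr, value = struct.unpack(">HH", data[:4])
        return f"address {addr:#06x} value {value:#06x}"
    if fc in (15, 16) and len(data) >= 5:
        start, qty = struct.unpack(">HH", data[:4])
        return f"start {start:#06x} count {qty}"
    return "malformed or unrecognised payload"


def audit_frame(src: str, dst: str, frame: bytes) -> Optional[tuple]:
    """Return (severity, message) for one request frame, or None if benign."""
    if dst != SIS_ADDRESS:
        return None                       # only traffic towards the SIS matters
    pdu = parse_modbus_tcp(frame)
    fc = pdu["function_code"]
    if fc not in WRITE_FUNCTION_CODES:
        return None                       # reads are normal HMI polling
    what = f"{WRITE_FUNCTION_CODES[fc]} ({describe_write(fc, pdu['data'])})"
    if src in ALLOWED_WRITERS:
        return ("INFO", f"{src} -> SIS: {what} from engineering workstation")
    return ("ALERT", f"{src} -> SIS: {what} from host outside the allowlist")


def audit(records) -> list:
    """Run audit_frame over (src, dst, frame) tuples and collect findings."""
    findings = []
    for src, dst, frame in records:
        try:
            result = audit_frame(src, dst, frame)
        except ValueError as err:
            result = ("WARN", f"{src} -> {dst}: unparseable frame ({err})")
        if result:
            findings.append(result)
    return findings


# Constructed sample capture: (source, destination, raw Modbus/TCP frame).
SAMPLE_RECORDS = [
    # HMI reads ten holding registers (fc 3): benign
    ("10.0.5.30", SIS_ADDRESS, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Workstation writes two registers (fc 16): expected while programming
    ("10.0.5.20", SIS_ADDRESS,
     bytes.fromhex("0003 0000 000b 01 10 0100 0002 04 0001 0002")),
    # Unknown host writes a single register (fc 6): the alert
    ("10.0.5.99", SIS_ADDRESS, bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    # Truncated frame: flagged as unparseable rather than silently dropped
    ("10.0.5.99", SIS_ADDRESS, bytes.fromhex("0004 0000 0006 01")),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_RECORDS):
        print(severity, message)
```

The point of the allowlist is the one the later replies make: "remote" on a closed network means the workstation two rooms away, so a write from any other address is worth an alarm even when the keyswitch legitimately permits it.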
Re: (Score:2)
I agree, this is an SIS system, there is no reason to require remote access to any of these devices or my fancy talk of apps, but YET THEY DO! Just look at Phoenix Contact, they offer bluetooth, NFS, and online connectivity, for what? ABB with their speed drives offer complete connectivity with the drive and changing parameters for their safety cards and they advertise it openly with remote access! Then you have all these brand new safety devices that have ethernet/IP or Profinet, with complete full access
Re: (Score:2)
Then you have all these brand new safety devices that have ethernet/IP or Profinet, with complete full access to the device.
Whoa there, tiger. All systems need some kind of Ethernet/IP link for communication, even if it's just for the initial config. "Remote" is hardly considered "across the internet". In most cases where the vendors advertise "remote" they basically mean no longer dragging a laptop to the device to plug into the serial port on the front.
Remote configuration is a must, just that "remote" in this case is from 2 rooms away via a closed network.
I doubt they will lose any certifications over this. There is nothing in either the IEC standard, UL or NFPA standards against this.
Read my second reply to myself. In this case it turns out the attack was
Re: (Score:2)
Whoa there, tiger. All systems need some kind of Ethernet/IP link for communication, even if it's just for the initial config. "Remote" is hardly considered "across the internet". In most cases where the vendors advertise "remote" they basically mean no longer dragging a laptop to the device to plug into the serial port on the front.
Remote configuration is a must, just that "remote" in this case is from 2 rooms away via a closed network.
This is generally true and I understand the intentions of what the de
Re: (Score:2)
That is true and I see this as vendors trying to push equipment as a service rather than a thing. That is mostly driven by customers who lack the expertise and yet want more reliability out of equipment. Easy for a large refinery or chemical plant as they will have dedicated reliability teams monitoring rotating equipment with state-of-the-art instrumentation. However some small remote gas compression station, or in other struggling industries, the vendors have come up with some cloud based service with remote exper
I do worry. Stuxnet targeted a PLC / control system in an attempt to push product off spec.
This was an attack on a Safety Instrumented System which implies that it was an attempt to really blow something up.
I also worry further because while the Siemens S7 / Stuxnet was an inside job delivered via USB key, this here talks about remote access to an engineering station which implies a whole new level of incompetence on a far more important system.
How long will we trust BGP? (Score:2)
It seems like everyone just trusts each other at that level. Also, does it matter? Everything should be encrypted anyway; redirecting traffic should be expected, if not by states then somewhere else on the line.