Cyber Attack Hits Safety System in Critical Infrastructure



Published on: 05 Jan, 2018


Introduction


ICT systems and controls keep us safe. Aeroplanes, railways, nuclear power stations and other vital infrastructure all have one thing in common: they are ‘safety critical’. In other words, the consequences of a malfunction could be disastrous. Safety systems range from those that pick up a sudden deceleration to complex algorithms and real-time data-mining techniques that spot the first signature of a problem within vast quantities of monitoring data and predict a solution. We now live in an age where the safety of citizens and the smooth running of our economies are under constant threat from terrorism, natural disaster and the long-term effects of climate change. NCIIPC takes the protection of citizens and critical infrastructure extremely seriously, while respecting privacy and personal data.

Strategies followed by Attackers to exploit Safety Instrumented System (SIS)


Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems which are critical for national security, the economy and the health of citizens. Cyber terrorists could do tremendous damage if they wanted to, ranging from taking control of water treatment facilities to shutting down power generation plants to causing havoc with air traffic control systems, and all of these systems are extremely vulnerable to attack. Malicious actors have been penetrating the computer networks of companies that operate nuclear power stations, other energy facilities and manufacturing plants. The threat is growing exponentially and could easily spin out of control. The malware referred to as Triton is significant in its impact on CIIs because it is not only part of an increasing focus of attacks on industrial control systems (ICSs) but is also the first to directly target a safety instrumented system (SIS). Specifically, the attack targeted the facility’s Triconex safety system from Schneider Electric, which responded appropriately by shutting down operations. The attacker gained remote access to an SIS engineering workstation in the facility and deployed the Triton attack framework to reprogram the SIS controllers. Some of the SIS controllers entered a failed-safe state, which automatically shut down the industrial process: these controllers initiated a safe shutdown when a validation check of the application code across redundant processing units failed. In recent years, numerous forms of malware targeting SCADA systems have been identified, including Stuxnet, Havex, Triconex and BlackEnergy3. What these forms of malware have in common is their ability to sneak through Industrial Control Systems (ICS) undetected by exploiting the weakest link in the cyber defence network (people), posing as a legitimate e-mail or finding a back door in the SCADA system.
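To make the two mechanisms in that paragraph concrete, here is an added Python illustration; it is not code from this article, from Schneider Electric, or from the Triconex product. It models a toy redundant controller that compares application-code digests across its processing units and trips to a fail-safe state on any mismatch (the validation-check behaviour that shut the process down), together with a defender-side check over controller audit records that flags a program download to an SIS controller from any host other than the authorised engineering workstation. The record format, the controller and host names, and the sample log lines are all constructed for this example.

```python
"""Added example (not from the article): fail-safe validation across redundant
processing units, plus a detector for SIS reprogramming from unexpected hosts."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

SAFE_STATE = "FAIL_SAFE_SHUTDOWN"
RUNNING = "RUNNING"


@dataclass
class ProcessingUnit:
    """One redundant processor in the controller (names are constructed)."""
    name: str
    application_code: bytes

    def code_digest(self) -> str:
        return hashlib.sha256(self.application_code).hexdigest()


@dataclass
class RedundantSisController:
    units: List[ProcessingUnit]
    state: str = RUNNING

    def validate(self) -> str:
        """All units must run identical application code. Any disagreement means
        at least one unit's logic was altered, so the controller trips to a safe
        state rather than keep running unverified safety logic."""
        digests = {u.code_digest() for u in self.units}
        self.state = RUNNING if len(digests) == 1 else SAFE_STATE
        return self.state


@dataclass
class AuditRecord:
    timestamp: str
    controller: str
    action: str        # e.g. READ_STATUS or PROGRAM_DOWNLOAD (constructed vocabulary)
    source_host: str


def parse_audit_log(lines: List[str]) -> List[AuditRecord]:
    """Parse the constructed pipe-separated audit format used below."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        ts, controller, action, host = [f.strip() for f in line.split("|")]
        records.append(AuditRecord(ts, controller, action, host))
    return records


def flag_unauthorised_downloads(records: List[AuditRecord],
                                authorised_workstation: Dict[str, str]) -> List[AuditRecord]:
    """Return PROGRAM_DOWNLOAD records not issued by the controller's authorised
    engineering workstation (unknown controllers are flagged as well)."""
    return [r for r in records
            if r.action == "PROGRAM_DOWNLOAD"
            and authorised_workstation.get(r.controller) != r.source_host]


# Constructed sample audit log: one legitimate download, one from an unexpected host.
SAMPLE_AUDIT_LOG = [
    "2017-11-20T10:02:11Z | SIS-CTRL-1 | READ_STATUS      | eng-ws-01",
    "2017-11-20T10:15:40Z | SIS-CTRL-1 | PROGRAM_DOWNLOAD | eng-ws-01",
    "2017-11-20T23:41:03Z | SIS-CTRL-2 | PROGRAM_DOWNLOAD | remote-jump-host",
]
AUTHORISED_WORKSTATION = {"SIS-CTRL-1": "eng-ws-01", "SIS-CTRL-2": "eng-ws-01"}


def demo():
    """Run both checks on constructed data and return their outcomes."""
    original = b"SAFETY LOGIC v1: trip valve on high pressure"
    healthy = RedundantSisController([ProcessingUnit(n, original) for n in "ABC"])
    tampered = RedundantSisController([ProcessingUnit("A", original),
                                       ProcessingUnit("B", original + b" -- modified"),
                                       ProcessingUnit("C", original)])
    flagged = flag_unauthorised_downloads(parse_audit_log(SAMPLE_AUDIT_LOG),
                                          AUTHORISED_WORKSTATION)
    return healthy.validate(), tampered.validate(), [r.source_host for r in flagged]


if __name__ == "__main__":
    print(demo())
```

The controller side shows why the incident ended in a shutdown rather than a compromised safety function: a mismatch between redundant units is treated as a fault, not tolerated. The detector side is the complementary defensive view, in which any reprogramming of a safety controller that does not originate from the known engineering workstation is worth an alert regardless of whether the controller itself tripped.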

Motivation of attackers


All signs point to this cyber attack being sponsored by a nation state. The targeting of critical infrastructure, as well as the attacker’s persistence, the lack of any clear monetary goal and the technical resources necessary to create the attack framework, suggest a well-resourced nation-state actor. Cyber attacks on the industrial sector are likely to be the next generation of stealth weapons, and the attacks we have been seeing recently are serious actors testing their weapons. Although the attack is not highly scalable, the tradecraft displayed is now available as a blueprint to other adversaries looking to target SIS, and it represents an escalation in the type of attacks seen to date, as it is specifically designed to target the safety function of the process. It is certain that if the APT [advanced persistent threat] actor is in this facility, they are elsewhere too, conducting the same kind of reconnaissance to learn how to cause a litany of ill effects while keeping their presence unknown. The Triton (aka Trisis) malware attack underscores the capabilities that attackers have acquired and the fact that traditional security controls, namely air gapping and security by obscurity, are no longer sufficiently effective.

Recommendations


A key message for critical infrastructures, or any type of manufacturing facility for that matter, is to be ever vigilant in cyber defences.
We recommend specific practices for safety systems to defend against such attacks:

