2.2.3 New ICS Attack Framework “TRITON”
In the middle of November 2017, the Dragos, Inc. team found malware tailor-made for ICSs and identified it as TRISIS (referred to as TRITON in this document) because it fixed its gaze on Schneider Electric’s Triconex safety instrumented system (SIS), enabling the replacement of logic in final control elements.
TRITON is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. Importantly, the malware leverages no inherent vulnerability in products from Schneider Electric. However, this capability, methodology, and tradecraft in this very specific event may now be replicated by other adversaries and thus represents an addition to threat models of industrial asset owners and operators.
The attacker first gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check, resulting in an MP diagnostic failure message. TRITON was also discovered during this investigation.
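The following is a toy model of the redundancy check described above: each redundant processing unit holds a copy of the application logic, and a mismatch between copies trips the controller into a safe state and records a diagnostic. This is an added illustration, not code from the report or from Schneider Electric; the three unit names, the program bytes, the SHA-256 comparison and the diagnostic text are constructed assumptions for the example.

```python
"""Toy model of a redundant safety-controller validation check (added example,
not code from the report or from Schneider Electric; unit names, program
images and the diagnostic format are constructed for illustration)."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    RUNNING = "running"
    SAFE_SHUTDOWN = "safe_shutdown"


@dataclass
class ProcessingUnit:
    """One redundant main processor holding a copy of the application logic."""
    name: str
    program: bytes

    def program_hash(self) -> str:
        return hashlib.sha256(self.program).hexdigest()


@dataclass
class SafetyController:
    """Redundant controller: all units must agree on the loaded application code."""
    units: list
    state: State = State.RUNNING
    diagnostics: list = field(default_factory=list)

    def load_program(self, unit_name: str, program: bytes) -> None:
        """Replace the application logic on a single unit (e.g. from an engineering tool)."""
        for unit in self.units:
            if unit.name == unit_name:
                unit.program = program
                return
        raise KeyError(unit_name)

    def validate(self) -> State:
        """Cross-check application code between units; any disagreement trips to safe state."""
        hashes = {unit.name: unit.program_hash() for unit in self.units}
        majority_hash, _ = Counter(hashes.values()).most_common(1)[0]
        mismatched = sorted(name for name, h in hashes.items() if h != majority_hash)
        if mismatched:
            self.diagnostics.append(
                f"MP diagnostic failure: application code mismatch on units {mismatched}"
            )
            self.state = State.SAFE_SHUTDOWN
        return self.state


# Constructed baseline logic image shared by all units.
BASELINE_PROGRAM = b"IF pressure > 150 THEN trip_valve()\n"


def build_controller() -> SafetyController:
    """Three hypothetical redundant units, all loaded with the same baseline logic."""
    return SafetyController(
        units=[ProcessingUnit(name, BASELINE_PROGRAM) for name in ("MP-A", "MP-B", "MP-C")]
    )


def simulate_incident() -> tuple:
    """Healthy check, then alter one unit's logic and re-check."""
    ctl = build_controller()
    healthy = ctl.validate()  # all copies match -> RUNNING
    # Constructed: an altered logic image present on one unit only.
    ctl.load_program("MP-B", b"IF pressure > 999 THEN trip_valve()\n")
    after_change = ctl.validate()  # mismatch -> SAFE_SHUTDOWN plus a diagnostic
    return healthy, after_change, ctl.diagnostics


if __name__ == "__main__":
    healthy, changed, diags = simulate_incident()
    print("before:", healthy.value, "after:", changed.value)
    for line in diags:
        print(line)
```

The design point for defenders is that the fail-safe path does not rely on recognizing the malware: any divergence in logic between redundant units, whatever its cause, is treated as a fault and the process is taken to a safe state, and the resulting diagnostic is the signal that should prompt an investigation rather than a silent restart.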
The attacker's ultimate goal was to cause physical damage. Consistent with this, the attacker first gained a solid foothold on the distributed control system (DCS), which already provided the capability to manipulate the process or shut down the plant. With access to both the DCS and the SIS, the attacker was positioned to inflict the maximum possible damage on physical equipment.
To be continued.