
🔑 Key Takeaways

  1. Safety instrumented systems such as Schneider Electric's Triconex are the last line of defence against accidents in OT environments; they must stay reliable and resilient in the face of cyber threats, workforce turnover, and complacency.
  2. Regular inspection, acting on system alerts, restricting network access to safety controllers, not leaving controllers in program mode, and following change protocol prevent malfunctions and unauthorized changes, so that safety measures keep working when they are needed.
  3. Skilled incident responders are crucial to preventing catastrophic results. Immediate on-site response is needed to identify and mitigate the threat, and interviewing everyone involved yields information the technical evidence alone will not.
  4. Investigating a plant shutdown means verifying what is actually on the controllers, weighing insider against outsider explanations, and examining engineering workstations for unusual files, even when the work has to be done in a hazardous environment.
  5. A strong incident response plan, and the willingness to act on it to protect the plant and its people, is essential to plant cybersecurity. Network equipment with good logging gives responders the evidence they need.
  6. The discovery of advanced malware on an engineering workstation in a petrochemical facility shows why such workstations must be protected from remote attack and why industrial control systems need proactive threat detection and prevention.
  7. The Triton malware could cause severe damage to an industrial plant by instructing valves to operate in an unsafe state, telling the safety system not to shut down or alert, and making the emergency shutdown system ignore unsafe operating levels, a risk to both safety and finances.
  8. Cyber-attacks on safety systems have physical consequences and can cause human casualties. Such attacks are complex, time-consuming, and require high-level expertise in both IT and OT; the episode argues that targeting civilian safety systems should be covered by international regulation.
  9. The discovery of TRISIS underscores that industrial security is a discipline distinct from IT security, with its own best practices for defending against targeted threats to industrial control systems.
  10. Research institutions with departments in advanced informatics and critical infrastructure security can build offensive cyber capabilities. Cybersecurity is a community effort in which sharing threat information is key.
  11. The Triton attack was likely carried out by a state actor: its complexity and sophistication point to a group with advanced attack infrastructure and motivation beyond financial gain. The attackers did not cover their tracks well, yet attribution remains difficult.
  12. Attribution requires multiple factors and a high confidence level, which is hard to reach in the private sector. Geopolitical considerations, including intelligence agencies, allies, and vendors of capabilities, must be taken into account.
  13. Clustering related intrusions into a threat group is a powerful way to track an adversary and derive better defense recommendations. The activity group Xenotime poses a serious risk because it has shown the intent and capability to target human life and disrupt oil and gas infrastructure.
  14. The Triconex attack is a blueprint for future attacks on industrial control systems, so companies need preventive, detective, and responsive capabilities in place. Publicizing good defensive work and creating better regulation both matter.
  15. Governments should produce high-confidence assessments of attacks like Triton, hold states accountable, and take this style of attack off the table, because it disrupts infrastructure and endangers human life.

📝 Podcast Summary

Importance of Reliable Safety Instrumented Systems in Preventing Accidents in OT Systems.

Data breaches are the hacks most people know, but some attacks reach into the physical systems behind our daily routines. Companies must protect their OT systems to avoid disasters and accidents. Safety instrumented systems are the layer that controls physical equipment such as valves and pumps and brings the process to a safe state when conditions go out of bounds. A massive petrochemical plant in Saudi Arabia suffered a severe shutdown when its Triconex safety controllers went down. The plant produced 140 million barrels of products yearly, and its output goes into everyday items. Safety systems like these must be reliable and resilient to avoid accidents. Cyber threats, workforce turnover, and complacency all erode operational integrity, and Schneider Electric markets Triconex as a process safety solution for exactly that problem.

Importance of Regular Maintenance and Monitoring of Safety Systems in Industrial Plants

Proper maintenance and monitoring of safety systems are crucial to preventing disaster in industrial plants. Unauthorized access to safety controllers, and leaving them in program mode (the state in which their logic can be changed), can cause malfunctions that trip the plant, with financial losses and safety risks. Regular inspection and prompt action on system alerts are necessary to prevent such incidents. Network access to safety controllers should be tightly limited, and any remote access should use secure methods. Finally, following proper change protocol and not ignoring system alerts prevents unauthorized changes and keeps the safety measures functional.

The Importance of Incident Responders in Emergency Shutdown Systems

The emergency shutdown system has to work when it is needed; if it does not, the results can be catastrophic. Incident responders investigate and identify potential security threats and take appropriate action. Immediate on-site response is necessary to conduct incident response and forensics and limit the impact of the incident, so responders keep go-bags ready to travel on short notice. Handling an incident like this takes a skilled team, and much of the information comes from interviewing everyone involved.

Investigating a Plant Shutdown and Identifying the Culprit

Investigating the cause of a plant shutdown requires examining the actual controllers and identifying any changes made to them. Safety controllers are embedded systems with limited functionality, which makes it difficult to extract programs from them or run diagnostics. Integrity verification commands can compare the program on the controller with the project stored on the engineering system. A discrepancy in I/O points was identified as the cause of the shutdown. The investigation also weighed whether the shutdown was caused by an insider or an outside party, and examined the engineering workstations for clues. Unusual files on the system, such as a Python DLL in an HP folder, indicated that something was amiss. The investigation was challenging and carried inherent risk because the work had to be done in a noisy, hot, chemically hazardous environment.

Importance of a Strong Incident Response Plan in Plant Cybersecurity

The safety controller in the sulfur recovery unit, responsible for shutting down plant operations in case of unsafe levels of H2S, had gone down because of the malware attack. Despite the risks, management was hesitant to shut down the plant and start a thorough investigation. The incident response team eventually traced the attack to an external party that had exploited a computer inside the DMZ. Network equipment with good logging helped the team collect the evidence it needed. The incident shows how essential it is to have a strong incident response plan and to act on it to safeguard the plant and its employees.
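The two controls the summary keeps returning to, limiting network access to the safety controllers and keeping firewall logs that responders can actually use, can be checked with a small log review. The following is an added example for this summary, not the responders' tooling, a vendor product, or anything from the episode: the log format, the subnets, the engineering-workstation address and the sample log lines are assumptions constructed for illustration. It flags any flow from the DMZ into the safety network, and any host other than the engineering workstation talking the Triconex engineering protocol (TriStation, UDP/1502) to a controller.

```python
"""Flag firewall log entries that cross from the DMZ into the safety-system network.

Added example; not the responders' tooling or a vendor product. The log
format, the subnets, the EWS address and the sample lines are assumptions
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

DMZ_NET = ipaddress.ip_network("10.20.0.0/24")      # assumed DMZ range
SAFETY_NET = ipaddress.ip_network("10.40.0.0/24")   # assumed safety-system (SIS) range
EWS_HOSTS = {ipaddress.ip_address("10.40.0.10")}    # assumed authorized engineering workstation
TRISTATION_PORT = 1502  # TriStation, the Triconex engineering protocol, uses UDP/1502

# Assumed key=value firewall format; a real export needs its own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: a DMZ host reaches the EWS over RDP, then talks
# TriStation to a controller directly; a rogue host inside the safety
# network does the same.
SAMPLE_LOG = """\
2020-01-01T02:11:09Z action=allow proto=tcp src=10.20.0.15 dst=10.40.0.10 dport=3389
2020-01-01T02:12:41Z action=allow proto=udp src=10.40.0.10 dst=10.40.0.50 dport=1502
2020-01-01T02:13:02Z action=allow proto=udp src=10.20.0.15 dst=10.40.0.50 dport=1502
2020-01-01T02:14:30Z action=deny proto=tcp src=10.20.0.15 dst=10.40.0.51 dport=445
2020-01-01T02:15:00Z action=allow proto=tcp src=10.30.0.7 dst=10.30.0.9 dport=80
2020-01-01T02:16:12Z action=allow proto=udp src=10.40.0.22 dst=10.40.0.50 dport=1502
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reasons: list = field(default_factory=list)


def analyze_flow(ts, action, proto, src, dst, dport):
    """Return a Finding if the flow violates the safety-network policy, else None."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    reasons = []
    if src_ip in DMZ_NET and dst_ip in SAFETY_NET:
        # Nothing in the DMZ should reach the safety network: an allowed flow is a
        # misconfiguration or a compromised host, a denied one is still worth a look.
        reasons.append("dmz_to_safety_allowed" if action == "allow" else "dmz_to_safety_denied")
    if (action == "allow" and proto == "udp" and dport == TRISTATION_PORT
            and dst_ip in SAFETY_NET and src_ip not in EWS_HOSTS):
        # Only the engineering workstation may speak the programming protocol to a controller.
        reasons.append("tristation_from_unauthorized_host")
    return Finding(ts, src, dst, dport, reasons) if reasons else None


def analyze_log(text):
    """Parse the log text and return the list of Findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        f = analyze_flow(m["ts"], m["action"], m["proto"], m["src"], m["dst"], int(m["dport"]))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f.ts, f.src, "->", f"{f.dst}:{f.dport}", ", ".join(f.reasons))
```

On the constructed sample the DMZ host's RDP session to the engineering workstation and its direct TriStation traffic to the controller both surface, as does the rogue host inside the safety network; the denied SMB probe is kept as a lower-priority lead. The point is that the firewall between the DMZ and the safety network should make the first two findings impossible, and if the logs show them, the architecture or the firewall policy is broken.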

Incident Response Team and the Importance of Securing Industrial Control Systems

Once the incident response team had identified the attack and its source, its goals shifted from initial triage to cleanup and prevention. The discovery of advanced malware on the engineering workstation, and the deletion of those files by an unknown party, underlines why engineering workstations must be protected from remote attack. The wider targeting campaign also meant that other petrochemical and oil and gas facilities in the kingdom were at risk. FireEye was brought in to analyze the malware, which could have caused serious harm if it had compromised the targeted emergency shutdown systems. The incident illustrates the importance of securing industrial control systems and of a proactive approach to threat detection and prevention.
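Two steps of the investigation described above come down to the same operation: comparing an observed state against a trusted baseline and reporting drift. The first is the integrity check that compared the I/O points on the controller with the project file; the second is the review of the engineering workstation, where a Python DLL had turned up in a vendor folder and files were later deleted by an unknown party. The following is an added example for this summary, not the responders' tooling or any vendor utility, with a single diff routine applied to both cases. Every record in it (tags, thresholds, paths, hashes) is constructed for illustration, and the runtime-DLL heuristic is a triage rule of my own, not a documented indicator.

```python
"""Compare an observed inventory against a trusted baseline and report drift.

Added example, not the responders' tooling. Applied to (1) an I/O point
table read back from a safety controller versus the project file, and
(2) a file inventory of an engineering workstation versus a golden image.
All records below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Drift:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    changed: dict = field(default_factory=dict)  # key -> {field: (baseline, observed)}

    def clean(self):
        return not (self.added or self.removed or self.changed)


def diff_records(baseline, observed, key):
    """Key both record lists on `key` and report added, removed and changed records."""
    base = {r[key]: r for r in baseline}
    obs = {r[key]: r for r in observed}
    drift = Drift()
    drift.added = sorted(obs.keys() - base.keys())
    drift.removed = sorted(base.keys() - obs.keys())
    for k in sorted(base.keys() & obs.keys()):
        fields = set(base[k]) | set(obs[k])
        delta = {f: (base[k].get(f), obs[k].get(f))
                 for f in sorted(fields) if base[k].get(f) != obs[k].get(f)}
        if delta:
            drift.changed[k] = delta
    return drift


def config_fingerprint(records, key):
    """SHA-256 over canonically ordered records, so a baseline hash can be kept
    offline and compared after each inspection without storing the whole table."""
    h = hashlib.sha256()
    for r in sorted(records, key=lambda r: r[key]):
        for f in sorted(r):
            h.update(f"{f}={r[f]}\n".encode())
        h.update(b"--\n")
    return h.hexdigest()


def flag_runtime_dlls(paths):
    """Triage heuristic (assumption): an interpreter DLL such as python*.dll belongs
    under an interpreter install, not in a hardware vendor's folder."""
    out = []
    for p in paths:
        directory, _, name = p.rpartition("\\")
        name = name.lower()
        if name.startswith("python") and name.endswith(".dll") and "python" not in directory.lower():
            out.append(p)
    return out


# 1. I/O points: project file vs. what the controller reports back (constructed).
PROJECT_IO = [
    {"tag": "PT-101", "slot": 1, "channel": 1, "kind": "AI", "trip_high": 55.0},
    {"tag": "TT-102", "slot": 1, "channel": 2, "kind": "AI", "trip_high": 180.0},
    {"tag": "XV-201", "slot": 3, "channel": 1, "kind": "DO", "trip_high": None},
]
CONTROLLER_IO = [
    {"tag": "PT-101", "slot": 1, "channel": 1, "kind": "AI", "trip_high": 55.0},
    {"tag": "TT-102", "slot": 1, "channel": 2, "kind": "AI", "trip_high": 250.0},  # trip threshold raised
    {"tag": "XV-201", "slot": 3, "channel": 1, "kind": "DO", "trip_high": None},
    {"tag": "SPARE-7", "slot": 4, "channel": 1, "kind": "DI", "trip_high": None},  # point not in project
]

# 2. Engineering workstation files: golden image vs. live listing (constructed).
GOLDEN_FILES = [
    {"path": r"C:\Program Files\HP\bin\hpsvc.exe", "sha256": "a1" * 32},
    {"path": r"C:\TriStation\TriStation.exe", "sha256": "b2" * 32},
]
LIVE_FILES = [
    {"path": r"C:\Program Files\HP\bin\hpsvc.exe", "sha256": "a1" * 32},
    {"path": r"C:\Program Files\HP\bin\python27.dll", "sha256": "c3" * 32},  # interpreter DLL in a vendor folder
    # TriStation.exe absent from the live listing: deleted since the image was taken
]


def check_io(project=PROJECT_IO, controller=CONTROLLER_IO):
    return diff_records(project, controller, "tag")


def check_ews(golden=GOLDEN_FILES, live=LIVE_FILES):
    return diff_records(golden, live, "path")


if __name__ == "__main__":
    print("I/O drift:", check_io())
    print("project fingerprint:", config_fingerprint(PROJECT_IO, "tag")[:16])
    print("controller fingerprint:", config_fingerprint(CONTROLLER_IO, "tag")[:16])
    ews = check_ews()
    print("EWS drift:", ews)
    print("runtime DLLs to triage:", flag_runtime_dlls(ews.added))
```

The I/O comparison surfaces both the kind of discrepancy the responders found (a point present on the controller but not in the project) and the more dangerous case of a trip threshold silently raised, which a plain point count would miss. On the workstation side the same routine reports the new DLL and the file that has gone missing, which matters because the attackers in this case deleted their files after the fact; a baseline taken earlier is the only way to know what was there.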

The Triton Malware: A Threat to Industrial Plants

Triton was a sophisticated piece of malware capable of catastrophic damage to an industrial plant. Its authors understood the culture and the sensitive operations of such plants and combined expertise in IT and OT systems at a level not seen before. The malware could instruct valves to operate in an unsafe state, tell the safety system not to shut down or even raise an alert, and make the emergency shutdown system ignore unsafe operating levels. Triton was a passive implant: it lodged itself in the controller's memory and waited for a specific packet to activate it. The damage payload it could carry would have meant major safety incidents and financial losses for the plant.

The Dangers of Cyber-Attacks on Safety Systems in Industrial Plants

A cyber-attack on the safety systems of an industrial plant can have severe physical consequences, including human casualties. Targeting systems that protect civilians is widely regarded as off-limits, yet it is not specifically regulated. Such attacks can also force prolonged shutdowns that ripple into the economy. These incidents point to a need for international regulation of attacks of this kind. The attackers behind such malware need extended access to the target systems and the skill to operate in both IT and OT environments. An attack like this takes years to execute and demands detailed knowledge of the particular safety controllers and their software. The episode characterizes such attacks as cyber-terrorism carried out by actors with effectively unlimited resources and time.

TRISIS malware targets industrial safety systems, posing a threat to human life.

The TRISIS malware, also known as Triton, was analyzed by the threat intelligence group within Dragos, which investigates security threats to industrial control systems. The malware specifically targets safety systems and therefore has the potential to cost human lives. The discovery prompted Dragos CEO Robert Lee to inform the Department of Homeland Security, since it showed that attackers somewhere in the world had broken into a chemical plant in Saudi Arabia with the capability to cause a major, terrorist-scale incident. The case underscores that industrial security is a discipline distinct from IT security, and that it needs best practices tailored to the mission and the threats of industrial control systems.

Moscow's Central Scientific Research Institute of Chemistry and Mechanics Suspected in Cyberattack

Cybersecurity is a community effort, and companies often work together for the community's benefit against adversaries. FireEye assessed that Moscow's Central Scientific Research Institute of Chemistry and Mechanics was behind the attack. Although it may sound odd that a laboratory would build offensive cyber capabilities, it is not unusual: such research institutions have departments devoted to advanced informatics and critical infrastructure security. There is evidence that some of the Triton team's intrusion activity against known organizations was conducted from an IP address in Moscow. Cybersecurity companies tend to publish threat information when it is about to become public anyway, so that their customers and the community stay informed.

State-Backed Attack on Industrial Networks: The Triton Attack

The Triton attack was likely carried out by a state actor: its complexity and sophistication point to a group with advanced attack infrastructure and motivation beyond financial gain. The attackers may have worked with a research institute and, possibly, with Russian intelligence agencies. They continued to refine and customize their tooling over the years and targeted key industrial networks and safety systems. They did not hide their tracks well, and even so attribution remained difficult; the case is a reminder of how much investigators depend on the evidence an operator leaves behind, and of the value of preserving it.

Attribution in Cyber-Attacks is More Complex Than You Think

Attribution in cyber-attacks is significantly more difficult than it is generally made out to be. A high-confidence attribution requires many components to line up. What the private sector calls a high-confidence assessment would often be rated low or moderate confidence inside government. Because attacks on national critical infrastructure sit within tense relations between states, naming a country calls for caution. Most intelligence requirements in the private sector are about how to do better security and how to prioritize; none of those requires true attribution of the attacker. Finally, the attribution discussion is more nuanced at the geopolitical level than what a cyber-security audience usually sees: it has to account for different intelligence agencies, military agencies, allies, and vendors of capabilities.

Clustering Intrusions for Effective Defense Recommendations.

Clustering related intrusions into an activity group and analyzing them together is an effective way to track an adversary and produce defense recommendations. Xenotime is the only publicly known threat group that has demonstrated both the intent and the capability to target human life, which makes it the most dangerous threat activity known. Cyber-attacks on oil and gas infrastructure can be used to destabilize a strategic regional or non-regional adversary. Such an attack could serve a state's political or economic goals, delay IPOs, and damage public perception, and it could double as training that gives the operators combat experience. All reasonable analysis points to a state actor targeting Saudi Arabia to disrupt part of its oil and gas infrastructure.

The implications of the cyber-attack on industrial control systems

The cyber-attack on the Triconex safety controllers in Saudi Arabia is a serious concern for industrial companies worldwide. It provides a blueprint that makes it easier for other adversaries to carry out similar attacks. Its significance lies not in the specific vulnerabilities or malware but in the tradecraft it demonstrates for future attackers. Companies must prepare for this style of attack with detective, preventive, and responsive capabilities in place; negligence here puts the surrounding community at risk. The challenge is to balance publicizing the good defensive work being done against keeping sensitive information private, and to push for better laws and regulations governing such operations.

Importance of Holding States Accountable for Cyber Attacks

Governments should produce high-confidence assessments of attacks like Triton, and attacks such as those on Ukraine and NotPetya should be treated as inexcusable. States must be held accountable, and this style of attack taken off the table through economic sanctions or other measures. Even if state leaders see little need to know, technology clients need to understand the origin of attacks to make informed decisions, and it is embarrassing when a nation's leadership does not understand the technology in depth. Cyber-attacks on operational technology are becoming more common, and they are purposeful, blatant attacks against civilians and infrastructure. The people who build them may not comprehend the consequences of their actions and may overlook the danger of disrupting human life. Taking action against such attacks is paramount.