At first, technicians at multinational energy giant Schneider Electric thought they were looking at the everyday software used to manage equipment inside nuclear and petroleum plants around the world. They had no idea that the code carried the most dangerous industrial malware on the planet. More than four months have passed since a novel, highly sophisticated piece of malware forced an.
The 11thAnnualS4x18conference is in the books! It was cooler in Miami than we all had hoped for, butDalePeterson, Liz Daley and the S4 presenters had some hot content to share with their peers in the ICS community. There were far too many cool things happening at S4 to cover them all – great content, thoughtful discussions, lively debates on and off the stage and comradery for a boat load of people with a shared mission–protecting the critical control systems we rely on every day.
Dale’s keynote and his “try it” challenge set the tone. He asked an auditorium full of ICS veterans–some more jaded than others–to believe, at least for 4 days in South Beach, that we could make real and sustained improvements in ICS cybersecurity. And, if possible, keep that newfound spring in our step with us after the show. Mission accomplished! We’re in!
A few highlights from Claroty’s perspective include:
Schneider Electric Takes the High Road with Triton
Quite likely the most long-term impactful revelation was Schneider Electric (SE) sharing details of the Triton malware used to attack a Triconex safety system. SE decided to deal with this attack head-on and to discuss details publically. Claroty and the rest of the industry loudly applauded their forthcoming approach. Other industrial vendors will have to contend with attacks on their systems and we trust that Schneider Electric’s example will provide a roadmap for these unfortunate but likely events moving forward – kudos to the SE team!!
Paul Forney and Andrew Kling from Schneider Electric shared the results of their malware analysis work–their teams have been working around the clock for months, tearing apart the malware and understanding exactly how it works so they can protect customers. In addition to sharing details abouthow the malware workson stage, the two announced that SE had developed a tool customers can use to detect the presence of Triton.
Paul and Andy gave Claroty a nice shout out, with Paul noting “Claroty has an impressive ability to detect Triton Triconex malware on the wire.” Claroty’s Threat Detection recognized the Triton-based attack out of the box, issuing a high-priority suspicious configuration download alert.
Paul also noted jokingly, that Claroty was “bugging them every day” with our findings. We have had a Triconex system on our lab since early 2017 and supported the protocol in our platform since May. The Claroty Research team shared our malware analysis and lab test findings directly with the Schneider team through the ongoing event.
The Triton episode was not without its issues. For example, some security vendors jumped the gun with less-than-well-coordinated public releases, so there are some “lessons-learned” that should be discussed before the next attack. Stay tuned.
![Electric Electric](/uploads/1/2/3/7/123747948/195826472.png)
Drive By Shootings – PCAP Style
Where else but S4 can you have a super-technical drive-by shooting? We love it! At S4x17 we had a lively discussion/debate with Joel Langill (A.K.A. SCADAHacker) about the intricacies of analyzing and baselining various complex protocols. During the S4x18 Cabana Sessions Joel dropped by for a “spot challenge”–dropping a PCAP with traffic from the notoriously tricky Honeywell DCS systems on the Claroty Team. We were up to Joel’s challenge and in a few minutes our Claroty Continuous Threat Detection system was ingesting the data and detailing the system.
CTF – Claroty Team Takes 2nd Place in Their Spare Time
In their not-so-copious spare time away from the ICS Detection Challenge, some of our Research Team worked the S4 Capture the Flag (CTF) competition. They just can’t get enough! We teamed up with Mike Garcia a cybersecurity expert from the energy sector–adding additional firepower to our team and took second place in the competition!
If you weren’t already familiar with Digital Bond’s annual S4 ICS security conference, this should give you a bit of the flavor. Companies with serious interest in the current best practices and forward-leaning examples from companies on the journey should consider sending their teams responsible for ICS security to S4x19.
Written by
Engineers and others responding to malware that hit a Saudi Arabia petrochemical plant in June 2017 missed a key opportunity to prevent the plant from shutting down a second time in August that year, an investigator of the incident said Tuesday.
“The scope of the initial outage investigation that occurred in June [2017] was insufficient,” Julian Gutmanis, an industrial cybersecurity specialist who responded to the second outage, said Tuesday at the 2019 S4 Conference. “It really was a missed opportunity to identify the attackers and prevent the subsequent outage in August [2017].”
The investigation of the June 2017 outage, which struck on a Saturday evening when the plant was manned by a skeleton crew, included a mechanical and engineering analysis, but not a cybersecurity one, Gutmanis said. The incident was ruled a malfunction, rather than an attack, and normal operations at the plant were restored. Two months later, the hackers were again rooting around the plant’s operational technology (OT) network, this time hampering six controllers instead of one. Both outages lasted about a week, Gutmanis said, bringing significant costs to the plant in lost production.
The disruption of the Saudi plant was caused by the infamous malware known as Trisis or Triton, which has alarmed industrial control system (ICS) experts since it surfaced because of its potential to cause physical harm. The malware was designed to infiltrate the safety instrumented systems that allow industrial plants to safely shut down, specifically a Triconex model made by energy software giant Schneider Electric.
Gutmanis offered one of the most detailed public accounts of the disturbance at the Saudi plant, including a charge that the vendor of the hacked software failed to communicate information about the attack with incident responders.
Gutmanis told CyberScoop that when he heard about the August outage and he was called to investigate it, the possibility of an explosion occurring at the plant was on his mind. “That was pretty hairy,” he said.
“When I actually found the attack tools on that engineering workstation, that gave me [the] shivers,” the Australian added.
Gutmanis told the S4 audience that his team had to carefully reconstruct what took place at the plant.
“When we went on site, it was really a black box,” Gutmanis said. “We didn’t know the organization, we don’t know the architecture, we didn’t know the people.”
And so investigators interviewed plant employees to gather information, and initially did not rule out the possibility of an insider threat. But signs started pointing to an outsider attacker, and investigators caught a break when the hackers got sloppy.
“The attackers got somewhat complacent because they had been in the environment for a long time, and left tools on the system,” Gutmanis said. Investigators also feared that a follow-on hack could be imminent – something akin to the Shamoon data-wiping attack that occurred in 2012.
On paper, the plant had a secure architecture, Gutmanis said, but that security started to crumble at a poorly configured boundary that separates a plant’s IT and OT networks. As a result, the hackers were able to pivot from one network to the other, he said.
![Triconex Triconex](https://blog.schneider-electric.com/wp-content/uploads/2018/08/Triton-Infographic-Final.jpg)
Investigators found malware at the plant unrelated to the Trisis incident that Gutmanis said had been there for years.
A threat group on the move
Schneider Electric executives won praise from the ICS community for presenting what they learned from Trisis at last year’s S4 Conference. However, Gutmanis said the 2018 presentation was the first time he heard about Schneider Electric’s analysis of the attack tools.
The company was initially communicative with incident responders but then failed to inform them of the detection tool for the attack that they were publicly releasing, Gutmanis said.
“[Schneider Electric] promised us on multiple occasions to respond to us and give us information about what was occurring,” Gutmanis told CyberScoop. “However, they didn’t even tell us that they were going to present [at S4 in 2018].”
In a statement to CyberScoop, Schneider Electric said that it sent an engineer to the plant within four hours of support being requested and that Schneider’s on-site experts conducted an analysis of the incident.
“Once they determined the incident to be cybersecurity-related, they turned the investigation over to the end-user, who hired FireEye for attack eviction and site remediation,” Schneider Electric said. “FireEye worked directly with the end-user, and at the end-user’s request, Schneider Electric communicated only with FireEye. At every step, we have cooperated fully with the end-user, FireEye and the U.S. Department of Homeland Security, with coordination from the U.S. Federal Bureau of Investigation. We continue to be open and transparent about the incident to learn from Triton and help the broader goal of worldwide cyberattack prevention.”
As ICS professionals continue to study Trisis, the group behind the malware has been restless. Months after it struck the Saudi petrochemical plant, researchers reported that the group had expanded its operations beyond the Middle East to target U.S. companies. Last October, cybersecurity company FireEye said a Russian government-owned research institute very likely helped build tools used by the hacking group. That attribution didn’t extend to the Trisis malware itself, rather to other hacking tools used by the group.
There has been speculation within the ICS industry that the Saudi petrochemical plant was just a testing ground for future attacks.
“If that’s the case, I’m sure that they’re making more…advanced tools to impact these systems,” Gutmanis told CyberScoop.
UPDATE, 01/16/19, 12:37 a.m. EDT:This story has been updated with a statement from Schneider Electric.