Mandiant, a subsidiary of FireEye, has discovered that state-sponsored actors launched a cyber attack on Triconex industrial control systems sold by Schneider Electric SE. The malware used in the attack is said to be ‘Triton’, a predecessor of the Stuxnet malware that was used to shut down power grids in Iran in 2010 and Ukraine in 2016.
According to the FireEye researchers, TRITON is an attack framework built to disrupt Triconex Safety Instrumented System (SIS) controllers, and it is said to have the potential to prevent safety mechanisms from performing their intended function, resulting in a physical consequence.
Schneider Electric confirmed the incident and said it has sent an email alert to all Triconex users. According to cybersecurity experts, Triconex is used in industries that handle critical infrastructure, such as nuclear facilities and oil and gas.
The fortunate part of this incident is that the affected SIS controllers automatically entered a safe mode, shutting down the industrial processes and alerting the asset owner, who initiated an investigation. The investigation later found that the SIS controllers were shut down when the application code between redundant processing units failed a validation check, resulting in a Multi-Processing (MP) Diagnostic Failure message.
FireEye attributes the incident to a state-sponsored actor, but for obvious reasons it is not willing to reveal details of the actor or the victimized company.
FireEye has also issued the following tips for asset owners who wish to defend themselves against such attacks.
1.) Leverage hardware features that provide physical control over the ability to program safety controllers; these are usually key switches operated with a physical key.
2.) Audit the current key-switch state regularly and implement change management procedures for changes to key positions.
3.) Technically segregate safety system networks from process control and information system networks.
4.) Use a unidirectional gateway rather than bidirectional network connections for any application that depends on data provided by the SIS.
5.) Implement strict access control and application whitelisting on any server or workstation endpoint that can connect to the SIS via TCP/IP.
6.) Monitor network traffic for unexpected communication flows and other anomalous activity.
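Tips 5 and 6 above can be turned into a simple network check: only allow-listed engineering workstations should ever open connections into the SIS network, so any other inbound flow is worth an alert. The following is an added example, not code from FireEye or Schneider Electric; the SIS subnet, the allow-listed workstation address, the flow-record format and the sample records are all hypothetical and constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Assumed (hypothetical) addressing: the SIS subnet and the only engineering
# workstation permitted to reach the safety controllers over TCP/IP.
SIS_NET = ipaddress.ip_network("10.20.30.0/24")
ENGINEERING_ALLOWLIST = {ipaddress.ip_address("10.10.5.11")}

class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.upper(), int(dport))

def classify(flow: Flow) -> str:
    """Label a flow against the SIS boundary. Flows leaving the SIS (e.g. to a
    historian behind a unidirectional gateway) and flows between SIS hosts are
    expected; any flow into the SIS from a host not on the allow-list is flagged."""
    src_in, dst_in = flow.src in SIS_NET, flow.dst in SIS_NET
    if not dst_in:
        return "egress" if src_in else "unrelated"
    if src_in:
        return "internal"
    if flow.src in ENGINEERING_ALLOWLIST:
        return "allowed-engineering"
    return "alert-unexpected-ingress"

def find_alerts(lines) -> list:
    """Return the flows that violate the SIS ingress allow-list."""
    flows = (parse_flow(l) for l in lines if l.strip())
    return [f for f in flows if classify(f) == "alert-unexpected-ingress"]

# Constructed sample records; only the 10.10.7.42 -> SIS flow should be flagged.
SAMPLE_FLOWS = """
2017-12-14T09:00:01 10.10.5.11 10.20.30.5 tcp 1502
2017-12-14T09:00:07 10.20.30.5 10.10.9.20 tcp 502
2017-12-14T09:01:15 10.20.30.5 10.20.30.6 udp 1502
2017-12-14T09:02:03 10.10.7.42 10.20.30.5 tcp 1502
""".strip().splitlines()

for f in find_alerts(SAMPLE_FLOWS):
    print(f"{f.ts} unexpected connection to SIS: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

In practice the flow records would come from a span port, firewall log or NetFlow export at the SIS boundary, and the allow-list would be kept in step with the key-switch change management from tip 2.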
A reader of Cybersecurity Insiders has notified us that the victim is Saudi Arabia’s national oil company, ‘Aramco’. However, officials from the Saudi-based oil company are yet to confirm these details.