Security Experts:

The Rise of ICS Malware: How Industrial Security Threats Are Becoming More Surgical

Last December, a malware variant specifically designed to attack industrial safety systems was discovered. It was apparently used to cause an operational outage at a critical infrastructure facility in The Middle East. 

The malware targets Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric and replaces the Logic of SIS controllers, an action which can prevent the safety system from functioning correctly and result in physical consequences. Therefor it was named the TRISIS malware (or TRITON).

While TRITON is not the first malware to target industrial control systems (ICS), it does signal that operational networks, which have been largely immune to cyber threats, are now in the crosshairs of attackers.

Here’s a brief history of ICS-specific malware variants discovered to date:

2010 - Stuxnet was the first malware to specifically target SCADA systems and programmable logic controllers (PLCs). It was responsible for causing substantial damage to Iran's nuclear program.

2013 - Havex, a remote access trojan (RAT), was used as part of a widespread espionage campaign targeting ICS environments across numerous industries. It scanned infected systems to locate SCADA or ICS devices on the network, and sent data back to the attackers. Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems.

2014 - BlackEnergy 2 was modified from an existing malware variant called BlackEnergy to target human-machine interface (HMI) software from a handful of vendors, including GE,   Advantech/Broadwin and Siemens. It was used in the cyber attack that took down the Ukrainian power grid in Dec 2015. 

2016 - Crash Override/Industroyer is the first known malware designed to attack electric grid systems, and was used in the Dec 2016 hack on a transmission substation in the Ukraine. It is a completely new malware and far more advanced than the general-purpose tools used to attack Ukraine’s power grid in 2015. What makes Crash Override so sophisticated is its ability to use the same protocols that individual electric grid systems rely on to communicate with one another, sometimes called control-plane protocols. Stuxnet and Triton also access these native protocols.

2017 - Triton/Trisys - Discussed above

Since most ICS environments suffer from lack of visibility, it is very difficult for organizations to identify malicious activities once an adversary gains access to the operational network. 

Malware Attack by the Numbers

Here’s a step by step analysis of a targeted ICS malware attack.

Step 1

The adversary gains a foothold in the network and starts reconnaissance activity, which can include some or all of the following:

> A remote connection may be used to infiltrate the industrial network 

> Once inside the network, the adversary can scan the network to identify ICS devices

> Since ICS networks do not use authentication or encryption, an adversary can access any system -- including operator or engineering workstations, HMIs, Windows Servers, or controllers (PLC, RTU or DCS controller) -- to identify assets to target in the attack

Step 2

The attacker extracts information gathered via reconnaissance to an off-site location. This could be accomplished by passing the information internally from different systems to a single location from which it can be extracted. 

Step 3

Next, malware is installed on a workstation with access to the targeted ICS system(s) using knowledge gathered in steps one and two, above. This can be accomplished via the network, or by using an infected USB drive.

Step 4

In this final stage, the malware replaces existing logic and uploads new ladder logic to the controller (PLC, RTU or DCS controller). Since this logic  determines how automated processes are executed, changing or replacing it with malicious payloads can result a wide range of operational disruptions and even physical damage to systems, the environment and humans.  

What Now?

Since a successful cyber attack is a multi-stage process, detection requires the ability to:

● Identify remote connections, network scanning, unauthorized system access and attempts to read controller information

● Monitor communications between industrial systems on the network and to external systems 

● Detect any unauthorized access and changes to controller logic, configuration and state

Until now, ICS environments were generally not targeted by targeted malware. This is no longer case and represents a major challenge for facilities operators. Since operational networks lack even the most basic security mechanisms, like access control and encryption, not to mention network monitoring, threat detection, logging and auditing.

Fortunately, new ICS-specific security technologies are now emerging to address these threats.  

RelatedLearn More at SecurityWeek's ICS Cyber Security Conference

view counter
Barak Perelman is CEO of Indegy, an industrial cyber-security firm that improves operational safety and reliability for industrial control networks by providing situational awareness and real-time security.