
The Rise of ICS Malware: How Industrial Security Threats Are Becoming More Surgical


Last December, a malware variant specifically designed to attack industrial safety systems was discovered. It was apparently used to cause an operational outage at a critical infrastructure facility in the Middle East.

The malware targets Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric and replaces the logic of SIS controllers, an action which can prevent the safety system from functioning correctly and result in physical consequences. Therefore it was named the TRISIS malware (or TRITON).

While TRITON is not the first malware to target industrial control systems (ICS), it does signal that operational networks, which have been largely immune to cyber threats, are now in the crosshairs of attackers.

Here’s a brief history of ICS-specific malware variants discovered to date:

2010 – Stuxnet was the first malware to specifically target SCADA systems and programmable logic controllers (PLCs). It was responsible for causing substantial damage to Iran’s nuclear program.

2013 – Havex, a remote access trojan (RAT), was used as part of a widespread espionage campaign targeting ICS environments across numerous industries. It scanned infected systems to locate SCADA or ICS devices on the network, and sent data back to the attackers. Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems.

2014 – BlackEnergy 2 was modified from an existing malware variant called BlackEnergy to target human-machine interface (HMI) software from a handful of vendors, including GE, Advantech/Broadwin and Siemens. It was used in the cyber attack that took down the Ukrainian power grid in Dec 2015.

2016 – Crash Override/Industroyer is the first known malware designed to attack electric grid systems, and was used in the Dec 2016 hack on a transmission substation in Ukraine. It is a completely new malware and far more advanced than the general-purpose tools used to attack Ukraine’s power grid in 2015. What makes Crash Override so sophisticated is its ability to use the same protocols that individual electric grid systems rely on to communicate with one another, sometimes called control-plane protocols. Stuxnet and Triton also access these native protocols.

2017 – Triton/Trisis – Discussed above

Since most ICS environments suffer from lack of visibility, it is very difficult for organizations to identify malicious activities once an adversary gains access to the operational network. 

Malware Attack by the Numbers

Here’s a step-by-step analysis of a targeted ICS malware attack.

Step 1

The adversary gains a foothold in the network and starts reconnaissance activity, which can include some or all of the following:

> A remote connection may be used to infiltrate the industrial network 

> Once inside the network, the adversary can scan the network to identify ICS devices

> Since ICS networks do not use authentication or encryption, an adversary can access any system — including operator or engineering workstations, HMIs, Windows Servers, or controllers (PLC, RTU or DCS controller) — to identify assets to target in the attack

Step 2

The attacker exfiltrates the information gathered via reconnaissance to an off-site location. This could be accomplished by passing the information internally from different systems to a single location from which it can be extracted.

Step 3

Next, malware is installed on a workstation with access to the targeted ICS system(s) using knowledge gathered in steps one and two, above. This can be accomplished via the network, or by using an infected USB drive.

Step 4

In this final stage, the malware replaces existing logic and uploads new ladder logic to the controller (PLC, RTU or DCS controller). Since this logic determines how automated processes are executed, changing or replacing it with malicious payloads can result in a wide range of operational disruptions and even physical damage to systems, the environment and humans.

What Now?

Since a successful cyber attack is a multi-stage process, detection requires the ability to:

● Identify remote connections, network scanning, unauthorized system access and attempts to read controller information

● Monitor communications between industrial systems on the network and to external systems 

● Detect any unauthorized access and changes to controller logic, configuration and state
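The four attack stages and the three detection requirements above map naturally onto a small event-driven detector. The following is an added example, not code from the article: it runs over constructed network and controller event records (field names, subnet, controller and engineering-workstation addresses are all assumptions) and raises an alert for an inbound remote connection, for a host touching many ICS devices (scanning), and for a controller logic write from a host that is not an approved engineering workstation.

```python
"""Toy detector for the ICS attack stages discussed above (added example).
Consumes constructed event records and emits alerts for:
  - remote connections from outside the OT subnet into it (Step 1)
  - network scanning: one source touching many (host, port) pairs (Step 1)
  - controller logic writes from non-approved hosts (Step 4)
All addresses and field names below are assumptions for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

OT_SUBNET = ip_network("10.10.0.0/24")        # assumed OT network
CONTROLLERS = {"10.10.0.50", "10.10.0.51"}     # assumed PLC / SIS addresses
ENGINEERING_WS = {"10.10.0.20"}                # assumed authorised engineering workstation
SCAN_THRESHOLD = 10                            # distinct (dst, port) pairs per source

# Constructed event records: (timestamp, src, dst, port, action)
EVENTS = (
    [(1, "203.0.113.7", "10.10.0.10", 3389, "connect")]            # inbound RDP from outside
    + [(2 + i, "10.10.0.10", f"10.10.0.{100 + i}", 502, "connect")  # sweep of Modbus hosts
       for i in range(12)]
    + [(20, "10.10.0.20", "10.10.0.50", 1502, "logic_write"),       # approved EWS: no alert
       (21, "10.10.0.10", "10.10.0.50", 1502, "logic_write")]       # foothold host: alert
)


def detect(events):
    """Return a list of (timestamp, alert_type, src, dst) tuples, in event order."""
    alerts = []
    targets = defaultdict(set)   # src -> set of (dst, port) seen so far
    for ts, src, dst, port, action in events:
        # Step 1: remote connection crossing the OT boundary
        if ip_address(src) not in OT_SUBNET and ip_address(dst) in OT_SUBNET:
            alerts.append((ts, "remote_connection", src, dst))
        # Step 1: scanning, alerted once when the threshold is first crossed
        targets[src].add((dst, port))
        if len(targets[src]) == SCAN_THRESHOLD:
            alerts.append((ts, "network_scan", src, None))
        # Step 4: logic change on a controller from an unapproved source
        if action == "logic_write" and dst in CONTROLLERS and src not in ENGINEERING_WS:
            alerts.append((ts, "unauthorized_logic_write", src, dst))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed events it produces exactly three alerts, one per stage it watches; in a real deployment the records would come from a span-port sensor or controller audit log rather than an inline list.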

Until now, ICS environments were generally not targeted by malware built specifically for them. This is no longer the case, and it represents a major challenge for facility operators, since operational networks lack even the most basic security mechanisms, like access control and encryption, not to mention network monitoring, threat detection, logging and auditing.

Fortunately, new ICS-specific security technologies are now emerging to address these threats.  
