The Rise of ICS Malware: How Industrial Security Threats Are Becoming More Surgical

Last December, a malware variant specifically designed to attack industrial safety systems was discovered.

Last December, a malware variant specifically designed to attack industrial safety systems was discovered. It was apparently used to cause an operational outage at a critical infrastructure facility in the Middle East.

The malware targets Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric and replaces the logic running on the SIS controllers, an action that can prevent the safety system from functioning correctly and result in physical consequences. For that reason it was named the TRISIS malware (also known as TRITON).

While TRITON is not the first malware to target industrial control systems (ICS), it does signal that operational networks, which have been largely immune to cyber threats, are now in the crosshairs of attackers.

Here’s a brief history of ICS-specific malware variants discovered to date:

2010 – Stuxnet was the first malware to specifically target SCADA systems and programmable logic controllers (PLCs). It was responsible for causing substantial damage to Iran’s nuclear program.

2013 – Havex, a remote access trojan (RAT), was used as part of a widespread espionage campaign targeting ICS environments across numerous industries. It scanned infected systems to locate SCADA or ICS devices on the network, and sent data back to the attackers. Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems.

2014 – BlackEnergy 2 was modified from an existing malware variant called BlackEnergy to target human-machine interface (HMI) software from a handful of vendors, including GE, Advantech/Broadwin and Siemens. It was used in the cyber attack that took down the Ukrainian power grid in Dec 2015.

2016 – Crash Override/Industroyer is the first known malware designed to attack electric grid systems, and was used in the Dec 2016 hack on a transmission substation in Ukraine. It is entirely new malware and far more advanced than the general-purpose tools used to attack Ukraine’s power grid in 2015. What makes Crash Override so sophisticated is its ability to speak the same protocols that individual electric grid systems rely on to communicate with one another, sometimes called control-plane protocols. Stuxnet and Triton also use these native protocols.


2017 – Triton/Trisis – discussed above

Since most ICS environments suffer from a lack of visibility, it is very difficult for organizations to identify malicious activities once an adversary gains access to the operational network.

Malware Attack by the Numbers

Here’s a step-by-step analysis of a targeted ICS malware attack.

Step 1

The adversary gains a foothold in the network and starts reconnaissance activity, which can include some or all of the following:

● A remote connection may be used to infiltrate the industrial network

● Once inside the network, the adversary can scan the network to identify ICS devices

● Since ICS networks do not use authentication or encryption, an adversary can access any system — including operator or engineering workstations, HMIs, Windows servers, or controllers (PLC, RTU or DCS controller) — to identify assets to target in the attack

Step 2

The attacker exfiltrates the information gathered during reconnaissance to an off-site location. This may be done by first passing the information internally from the various systems to a single collection point, from which it can then be extracted.

Step 3

Next, malware is installed on a workstation with access to the targeted ICS system(s) using knowledge gathered in steps one and two, above. This can be accomplished via the network, or by using an infected USB drive.

Step 4

In this final stage, the malware replaces the existing logic by uploading new ladder logic to the controller (PLC, RTU or DCS controller). Since this logic determines how automated processes are executed, changing or replacing it with malicious payloads can result in a wide range of operational disruptions and even physical damage to systems, the environment and humans.

What Now?

Since a successful cyber attack is a multi-stage process, detection requires the ability to:

● Identify remote connections, network scanning, unauthorized system access and attempts to read controller information

● Monitor communications between industrial systems on the network and to external systems 

● Detect any unauthorized access and changes to controller logic, configuration and state
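The three detection needs above map directly onto the four attack stages in the step-by-step section. As an added example, not code from the article or from any vendor product, the following Python script applies those rules to a set of constructed OT network events: an inbound connection from outside the OT address range, one host touching many controllers on ICS ports (a scan), a read of controller identification, and a logic write from a host other than the approved engineering workstation. It also keeps a hash baseline of each controller's program so a changed logic image can be spotted even when the write itself was not seen on the wire. The addresses, the ICS port list, the scan threshold, the "approved engineering workstation" and the program text are all assumptions made for the example; the Modbus function-code values (17 and 43 read controller identification, 5/6/15/16 write) are real.

```python
"""
Added example, not code from the article: a small rule-based detector run over
constructed OT network events. Every address, port list, threshold and the
"approved engineering workstation" below are assumptions chosen for the example.
"""
from collections import defaultdict
import hashlib
import ipaddress

OT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed OT address range
ICS_PORTS = {502, 20000, 44818}                  # Modbus/TCP, DNP3, EtherNet/IP
APPROVED_ENGINEERING_WS = {"10.10.1.20"}         # assumed: only host allowed to change logic
SCAN_THRESHOLD = 5                               # distinct ICS targets per source host

# Modbus function codes: 17/43 read controller identification, 5/6/15/16 write.
MODBUS_READ_ID = {17, 43}
MODBUS_WRITE = {5, 6, 15, 16}


def make_event(ts, src, dst, dport, func=None):
    """One observed connection; func is the Modbus function code, if any."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "func": func}


# Constructed sample events following the article's stages:
# remote access, scan for controllers, read controller info, then a logic write.
EVENTS = [
    make_event("08:00:01", "203.0.113.7", "10.10.1.50", 3389),          # remote connection in
    *[make_event(f"08:02:{i:02d}", "10.10.1.50", f"10.10.2.{i}", 502)    # scan of six PLCs
      for i in range(1, 7)],
    make_event("08:06:10", "10.10.1.50", "10.10.2.3", 502, func=43),    # read device identification
    make_event("08:07:00", "10.10.1.20", "10.10.2.3", 502, func=16),    # approved engineering write
    make_event("08:30:00", "10.10.1.50", "10.10.2.3", 502, func=16),    # unauthorized logic write
]


def is_ot(ip):
    return ipaddress.ip_address(ip) in OT_NET


def analyze(events):
    """Apply the four detection rules and return a list of alert dicts."""
    alerts = []
    ics_targets = defaultdict(set)               # src -> set of controllers contacted
    for e in events:
        # Rule 1: connection from outside the OT range into it.
        if not is_ot(e["src"]) and is_ot(e["dst"]):
            alerts.append({"rule": "remote_connection", "ts": e["ts"],
                           "src": e["src"], "dst": e["dst"]})
        # Rule 2 (evaluated after the loop): many distinct ICS targets from one source.
        if e["dport"] in ICS_PORTS:
            ics_targets[e["src"]].add(e["dst"])
        # Rule 3: attempt to read controller identification.
        if e["func"] in MODBUS_READ_ID:
            alerts.append({"rule": "controller_id_read", "ts": e["ts"],
                           "src": e["src"], "dst": e["dst"]})
        # Rule 4: write to a controller from a host that is not allowed to change logic.
        if e["func"] in MODBUS_WRITE and e["src"] not in APPROVED_ENGINEERING_WS:
            alerts.append({"rule": "unauthorized_write", "ts": e["ts"],
                           "src": e["src"], "dst": e["dst"], "func": e["func"]})
    for src, dsts in ics_targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.append({"rule": "ics_scan", "src": src, "targets": len(dsts)})
    return alerts


def logic_fingerprint(program_bytes):
    """Hash of a controller program image, used as a baseline for change detection."""
    return hashlib.sha256(program_bytes).hexdigest()


# Constructed baseline of controller logic (placeholder program text, not real ladder logic).
BASELINE = {
    "10.10.2.3": logic_fingerprint(b"LD I0.0\nAND I0.1\n= Q0.0\n"),
    "10.10.2.4": logic_fingerprint(b"LD I0.2\n= Q0.1\n"),
}
# Snapshot taken after the events above: the program on 10.10.2.3 no longer matches.
CURRENT = {
    "10.10.2.3": logic_fingerprint(b"LD I0.0\n= Q0.0\n"),
    "10.10.2.4": logic_fingerprint(b"LD I0.2\n= Q0.1\n"),
}


def detect_logic_drift(baseline, current):
    """Return controllers whose current program hash differs from the baseline."""
    return sorted(ip for ip, fp in current.items() if baseline.get(ip) != fp)


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
    print("logic changed on:", detect_logic_drift(BASELINE, CURRENT))
```

Run against the sample events this produces one alert per stage (remote connection, scan of six controllers, identification read, unauthorized write) and reports 10.10.2.3 as having changed logic, while the write from the approved engineering workstation is silent. In a real deployment the events would come from a passive network tap or span port on the OT segment, and the baseline would be refreshed only through the change-control process.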

Until now, ICS environments were generally not hit by targeted malware. This is no longer the case, and it represents a major challenge for facility operators, since operational networks lack even the most basic security mechanisms, such as access control and encryption, not to mention network monitoring, threat detection, logging and auditing.

Fortunately, new ICS-specific security technologies are now emerging to address these threats.  
