Cyber Attack on Safety Instrumented System in Critical Infrastructure

Actionable OT Intelligence

Name: Paresh Kerai

Uploaded 31-Aug-2018


- Paresh Kerai @mamboz01

- ICS Cyber-Security Engineer, SC8 Ltd.

- PhD candidate at ECU and researcher at the ECU Security Research Institute.

- Research on the security of SCADA systems and on detecting network threats in ICS networks.

- [email protected] / [email protected]

SC8 Ltd Overview

• SC8 delivers OT (Operational Technology) network visibility and real-time multi-threat-vector analytics that result in client-centric actionable intelligence, creating whole-of-system resilience.

• SC8 provides visibility across critical ICS networks by ingesting network traffic and system logs for whole-of-business visibility, and correlates them to detect threats.

• Our machine learning engine performs real-time analysis of ICS cyber threats.

• Combining a multi-sensor Intrusion Detection System (IDS) with advanced malware detection and analysis, the SC8 platform provides visibility of malicious activity and anomalies threatening business-critical assets through ICS Actionable Intelligence.

• The platform offers dashboards tailored to control system engineers, security personnel and business executives.

Web - https://www.sc8.com.au/
Contact - [email protected]

Topics

1. Introduction: What are Industrial Control Systems

2. Background: ICS Related Attacks and Statistics

3. Background: Safety Instrumented Systems, Triconex and the Triton Malware

4. Explanation: How it Happened

5. Explanation: Who was behind the attack

6. Expectation: What comes next

7. Mitigation: How to Defend against attacks on ICS networks

8. Conclusion


What are Industrial Control Systems?


• These are systems that control and monitor remote or local industrial equipment, the so-called field devices.

• They are vital components of most nations' critical infrastructure.

• Used in water utilities, gas and electricity plants, nuclear plants, refineries, and other manufacturing plants and factories.

• They consist of various industrial components such as Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Human Machine Interfaces (HMI), and so on.

ICS Related Attacks and Statistics

[Figure: ICS attack statistics from the Kaspersky Lab ICS CERT Report 2018; chart not reproduced in the transcript]

This report by Siemens and the Ponemon Institute consists of a survey of 176 individuals in the Middle East responsible for securing or overseeing cyber risk.

[Figure: survey results from "Assessing the Cyber Readiness", report by Siemens; chart not reproduced in the transcript]

Malware families counted by Dragos Inc (Report by Dragos Inc):

• ICS-tailored malware families (5): Stuxnet, Havex, BlackEnergy 2, Industroyer/CrashOverride, Triton/Trisis

• Malware intended to disrupt industrial processes (4): Stuxnet, BlackEnergy 2, Industroyer/CrashOverride, Triton/Trisis

• Successfully attacked (3): Stuxnet, Industroyer/CrashOverride, Triton/Trisis

What are Safety Instrumented Systems? (Triconex)

• Safety instrumented systems (SIS) are a class of ICS device designed to monitor the performance of critical processes and take remedial action should an unsafe condition be detected.

• When such a condition is detected, the SIS initiates action that puts the affected process into a safe state.

What is Triton?

• TRITON (also called TRISIS or HATMAN) is malware developed to compromise the Triconex MP3008 SIS main processor module.

• Triton exhibited an entirely new level of sophistication in how it compromised OT devices.

• The attackers exploited a zero-day in the SIS firmware in order to implant a Remote Access Trojan (RAT).

• The RAT was designed to give persistent access to the controller, leaving the attackers able to carry out further attacks.

• Engineering traffic to the controller uses the TriStation protocol on UDP port 1502.


• The malware exposes another class of ICS equipment, the safety system itself, that attackers can now target to compromise industrial control system equipment.

• Triton was a targeted attack, specifically designed against a particular device and firmware version.

• The tradecraft exhibited by the attackers is now available to other adversaries.

• Malware code (except for inject.bin) is published at https://github.com/ICSrepo/TRISIS-TRITON-HATMAN

How the Attack Happened

• Sequence of events:

• An engineer's computer was infected with malware.

• The infected computer was connected to the OT network.

• The malware injected code into the Triconex controller by exploiting a vulnerability in the device firmware (a zero-day).

• The code injected into the device had a single variable wrong, which caused the controller to fail and fall back to a safe state.

• The Triconex entered a failed-safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.
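The sequence above turns on one observable: an unsanctioned host talking TriStation to the safety controller. The following is an added example (not code from the talk or from SC8) of how a network monitor can flag that. It assumes flow records in a simple whitespace-separated format, an SIS subnet of 10.10.30.0/24 and a single authorised TriStation workstation at 10.10.20.5; the flow lines, addresses and the infected laptop at 10.10.50.77 are all constructed. The only protocol fact it relies on is that TriStation runs over UDP port 1502.

```python
"""Flag TriStation engineering traffic (UDP/1502) reaching Triconex SIS
controllers from hosts other than the authorised engineering workstation.

Added example for this talk; it is not code from the presentation or from
SC8. The flow records, subnets and allowlist below are constructed for
illustration.
"""
import ipaddress
from dataclasses import dataclass

TRISTATION_PORT = 1502  # TriStation engineering protocol, UDP/1502


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


# Constructed flow log: "timestamp src dst proto dport bytes". 10.10.20.5 is
# the sanctioned TriStation workstation, 10.10.30.0/24 the SIS network and
# 10.10.50.77 an assumed infected laptop that has been plugged into OT.
SAMPLE_FLOWS = """\
2017-08-04T10:02:11 10.10.20.5  10.10.30.10 udp 1502 312
2017-08-04T10:02:12 10.10.30.10 10.10.20.5  udp 1502 284
2017-08-04T10:05:40 10.10.20.5  10.10.30.10 udp 1502 4096
2017-08-04T10:07:03 10.10.50.77 10.10.30.10 udp 1502 9140
2017-08-04T10:07:04 10.10.50.77 10.10.30.10 udp 1502 8812
2017-08-04T10:09:15 10.10.20.9  10.10.30.10 udp 1502 640
2017-08-04T10:09:30 10.10.50.77 10.10.30.11 tcp 502  120
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def detect_unauthorised_tristation(flows, sis_net, allowed_workstations):
    """Return one finding per (src, dst) pair that sends TriStation traffic
    into the SIS network from a host outside the allowlist.

    Replies originating from the SIS subnet are ignored, as is anything that
    is not UDP/1502; control-network protocols such as Modbus/TCP 502 are
    out of scope for this check.
    """
    sis = ipaddress.ip_network(sis_net)
    allowed = {ipaddress.ip_address(a) for a in allowed_workstations}
    findings = {}
    for f in flows:
        if f.proto != "udp" or f.dport != TRISTATION_PORT:
            continue
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if dst not in sis or src in sis or src in allowed:
            continue
        key = (f.src, f.dst)
        entry = findings.setdefault(key, {"first_seen": f.ts, "packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += f.nbytes
    return [{"src": s, "dst": d, **v} for (s, d), v in findings.items()]


if __name__ == "__main__":
    for hit in detect_unauthorised_tristation(
        parse_flows(SAMPLE_FLOWS), "10.10.30.0/24", ["10.10.20.5"]
    ):
        print(f"ALERT TriStation from {hit['src']} to {hit['dst']}: "
              f"{hit['packets']} packets, {hit['bytes']} bytes, "
              f"first seen {hit['first_seen']}")
```

On a properly isolated safety network any TriStation flow from outside the engineering subnet deserves an alert, so the allowlist can be very short. The check sees only the first of the attacker's preconditions (reaching the SIS network); whether the keyswitch was in PROGRAM is not visible in flow data, which is why the physical and procedural controls later in the talk still matter.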


• Structure of Triton:

• trilog.exe -> main executable, a py2exe-compiled Python script

• library.zip -> contains all the libraries, including the TriStation communication libraries

• inject.bin -> responsible for placing imain.bin in the right place on the controller

• imain.bin -> main backdoor

[Figure: Engineer Workstation running the Triton malware (trilog.exe, library.zip, inject.bin, imain.bin) -> TriStation communication -> Triconex Controller]
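Because the four components above sit together on the engineering workstation, their co-location is a usable host-side lead. The following added example (not the talk's or SC8's code) scores a file listing by how much of the set is present in one directory. The listing is constructed; in practice it would come from walking the workstation's filesystem or from an EDR file inventory. Only the component file names come from the public reporting, no hashes are asserted, and a name match is a lead for analysis rather than proof of compromise.

```python
"""Triage a file listing from a TriStation engineering workstation for the
TRITON component set named in the talk: trilog.exe, library.zip, inject.bin
and imain.bin.

Added example for this talk; not the presentation's or SC8's code. The
listing is constructed. Only the file names come from the public reporting.
"""
import posixpath
from collections import defaultdict

TRITON_SET = {"trilog.exe", "library.zip", "inject.bin", "imain.bin"}
# The two controller payloads are specific to TRITON; trilog.exe and
# library.zip are ordinary py2exe artefacts and carry less weight alone.
PAYLOADS = {"inject.bin", "imain.bin"}

# Constructed listing: a benign py2exe-packaged tool (library.zip alone),
# a complete TRITON set on the desktop, and a stray payload in Temp.
SAMPLE_LISTING = [
    r"C:\Tools\Reporter\reporter.exe",
    r"C:\Tools\Reporter\library.zip",
    r"C:\Users\eng\Desktop\trilog.exe",
    r"C:\Users\eng\Desktop\library.zip",
    r"C:\Users\eng\Desktop\inject.bin",
    r"C:\Users\eng\Desktop\imain.bin",
    r"C:\Temp\IMAIN.BIN",
    r"C:\TriStation\Projects\plant.pt2",
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage_listing(paths):
    """Group files by directory and score each directory:
    high   - the full four-file set is co-located
    medium - at least one controller payload (inject.bin / imain.bin) present
    low    - only the launcher name trilog.exe present
    A lone library.zip is never flagged: every py2exe bundle ships one.
    Windows paths are compared case-insensitively."""
    by_dir = defaultdict(set)
    for p in paths:
        directory, name = posixpath.split(p.replace("\\", "/"))
        by_dir[directory].add(name.lower())

    findings = []
    for directory, names in by_dir.items():
        hits = names & TRITON_SET
        if hits == TRITON_SET:
            severity = "high"
        elif hits & PAYLOADS:
            severity = "medium"
        elif "trilog.exe" in hits:
            severity = "low"
        else:
            continue
        findings.append({"dir": directory, "severity": severity, "matched": sorted(hits)})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        print(f"[{f['severity'].upper():6}] {f['dir']}: {', '.join(f['matched'])}")
```

Renaming the files defeats this check, so it belongs alongside the network detection rather than in place of it; it is most useful for scoping once an alert has pointed at a particular workstation.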

[Figure: ICS-CERT MAR-17-352-01 HatMan - Safety System Targeted Malware (Update A); diagram not reproduced in the transcript]

Injection of imain.bin (the backdoor) failed a validation check within the SIS, resulting in a diagnostic failure message.

Who was behind the attack?

• FireEye and Dragos reports point to a potential nation-state attacker.

• The malware was written to target a specific SIS model and firmware version.

• The attackers required the following to be successful:

• Access to the SIS network.

• The ability to load the malware code on the SIS programming terminal.

• The Tricon SIS keyswitch to be in PROGRAM mode in order for the controller to be infected.

How to Protect SIS against Triton?

• Safety systems must always be deployed on isolated networks.

• Avoid connecting TriStation workstations to a larger network, avoid using removable media to transfer programs, and follow best practices for updating workstations.

• Physical controls should be in place so that no unauthorised person has access to the safety controllers.

• Only switch the key to "PROGRAM" when necessary.

What comes next?

• More sophisticated ICS-related attacks.

• Ransomware-type attacks.

• A rise in general and accidental malware infections and attacks.

• More nation-state actors developing the capability to attack ICS networks.

• Espionage attacks on ICS networks, including theft of information for competitive advantage.

[Figure: "Assessing the Cyber Readiness", report by Siemens; chart not reproduced in the transcript]

How to defend?

• Cyber security awareness and training for OT staff.

• Apply and adhere to industrial control system security policies, standards and governance.

• Secure architecture design in both OT and IT is very important.

• Isolate the OT network from the corporate network in a way that does not compromise organisational goals.

• Implement security solutions such as firewalls, intrusion detection systems, antivirus, sandboxing and data loss prevention.

• Have security and device monitoring in place, e.g. SIEM, ICS network security monitoring, etc.

[Figure: defence recommendations from "Assessing the Cyber Readiness", report by Siemens; chart not reproduced in the transcript]

In summary

[Figure: summary chart from "Assessing the Cyber Readiness", report by Siemens; not reproduced in the transcript]

Questions

References

• Dragos TRISIS Report - https://dragos.com/blog/trisis/TRISIS-01.pdf

• FireEye TRITON Incident Report - https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

• ICS-CERT MAR-17-352-01 HatMan - https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF

• CyberScoop - https://www.cyberscoop.com/triton-ics-malware-fireeye-dragos/

• CyberX TRITON Report - https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/

• Kaspersky Lab ICS CERT Report, H2 2017 - https://ics-cert.kaspersky.com/media/KL_ICS_REPORT_H2-2017_FINAL_EN_22032018.pdf

• Digital Bond S4x18 Conference

• Siemens Cyber Report, "Assessing the Cyber Readiness" - https://www.siemens.com/us/en/home/company/topic-areas/industrial-cyber-security.html