Actionable OT Intelligence
Cyber Attack on Safety Instrumented System in Critical Infrastructure
Name: Paresh Kerai
- Paresh Kerai @mamboz01
- ICS Cyber-Security Engineer, SC8 Ltd.
- PhD candidate at ECU and researcher at the ECU Security Research Institute.
- Research on the security of SCADA systems and on detecting network threats on ICS networks.
SC8 Ltd Overview
• SC8 delivers unprecedented OT (Operational Technology) network visibility and multi-threat vector analytics in real time, resulting in client-centric actionable intelligence that creates whole-of-system resilience.
• SC8 provides visibility across your critical ICS networks by ingesting network traffic and system logs for entire business visibility and correlating them to detect threats.
• Our machine learning engine performs real-time analysis of ICS cyber threats.
• Combining a multi-sensor Intrusion Detection System (IDS) with advanced malware detection and analysis, the SC8 platform provides visibility of malicious activity and anomalies threatening business-critical assets through the provision of ICS Actionable Intelligence.
• The platform offers dashboards tailored to control system engineers, security personnel or business executives.
Web - https://www.sc8.com.au/ Contact - [email protected]
Topics
1. Introduction: What are Industrial Control Systems
2. Background: ICS Related Attacks and Statistics
3. Background: Safety Instrumented System and Triconex and Triton Malware
4. Explanation: How it Happened
5. Explanation: Who was behind the attack
6. Expectation: What comes next
7. Mitigation: How to Defend attacks on ICS networks
8. Conclusion
What are Industrial Control Systems?
• These are systems that control and monitor remote or local industrial equipment, the so-called field devices.
• Vital components of most nations' critical infrastructures.
• Used in water utilities, gas and electricity plants, nuclear plants, refineries and other manufacturing plants and factories.
• Consist of various industrial components such as Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Human Machine Interfaces (HMI), and so on.
ICS Related Attacks and Statistics
Kaspersky Labs ICS Report 2018
This report by Siemens and the Ponemon Institute consists of a survey of 176 individuals in the Middle East responsible for securing or overseeing cyber risk.
Assessing The Cyber Readiness: Report by Siemens
Report by Dragos Inc:
• ICS-tailored malware families (5): Stuxnet, Havex, BlackEnergy 2, Industroyer/Crashoverride, Triton/Trisis
• Malware intended to disrupt industrial processes (4): Stuxnet, BlackEnergy 2, Industroyer/Crashoverride, Triton/Trisis
• Successfully attacked (3): Stuxnet, Industroyer/Crashoverride, Triton/Trisis
What are Safety Instrumented Systems? (Triconex)
• Safety instrumented systems are a type of ICS device designed to monitor the performance of critical systems and take remedial action should an unsafe condition be detected.
• They can detect such conditions and initiate action that puts the affected systems into a safe state.
What is Triton?
• TRITON/TRISIS/HATMAN is malware developed to exploit the Triconex MP3008 SIS processor module.
• Triton exhibited an entirely new level of sophistication in how it compromised OT devices.
• The attackers exploited a zero-day in the SIS firmware in order to inject a Remote Access Trojan (RAT).
• The RAT gave the attackers persistent access to the controller and the ability to perform further attacks.
• TriStation Protocol – UDP 1502
• The malware exposes another breed of ICS system that attackers can now target to compromise industrial control system equipment.
• Triton was a targeted attack specifically designed to attack a particular device and firmware version.
• The tradecraft exhibited by the attackers is now available to other adversaries.
• Malware code (except for inject.bin): https://github.com/ICSrepo/TRISIS-TRITON-HATMAN
How the Attack Happened
• Sequence of events:
• The engineer's computer was infected with malware.
• The infected computer connected to the OT network.
• The malware injected code into the Triconex device by exploiting a vulnerability in the device firmware (zero-day attack).
• The code injected into the device firmware had a single variable that was wrong, which caused the device to fail and to fall back to its safe state.
• The Triconex entered a failed-safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.
• Structure of Triton:
• trilog.exe -> main executable, compiled with py2exe, that executes a Python script
• library.zip -> contains all the libraries, including the TriStation communication libraries
• inject.bin -> responsible for placing imain.bin in the right place
• imain.bin -> main backdoor
[Diagram: Triton malware (trilog.exe, library.zip, inject.bin, imain.bin) on the Engineer Workstation, communicating with the Triconex Controller over TriStation]
ICS-CERT: MAR-17-352-01 HatMan – Safety System Targeted Malware (Update A)
The injection of imain.bin (the backdoor) failed a validation check within the SIS, resulting in a diagnostic failure message.
Who was behind the attack?
• FireEye and Dragos reports state that the attackers were potentially nation-state actors.
• The malware was written to target a specific SIS model and firmware version.
• The attackers required the following to be successful:
  • Access to the SIS network.
  • The ability to load the malware code on the SIS programming terminal.
  • The Tricon SIS keyswitch to be in PROGRAM mode for the controller to be infected.
How to Protect SIS against Triton?
• Safety systems must always be deployed on isolated networks.
• Avoid connecting TriStation workstations to a larger network, avoid using removable media to transfer programs, and follow best practices for updating workstations.
• Physical controls should be in place so that no unauthorised person has access to the safety controllers.
• Only switch the key to "PROGRAM" when necessary.
What comes next?
• More sophisticated ICS-related attacks.
• Ransomware-type attacks.
• A rise in general and accidental malware infections and attacks.
• More nation-state actors developing the capability to attack ICS networks.
• Espionage attacks on ICS networks, including attacks seeking information for competitive advantage.
Assessing The Cyber Readiness: Report by Siemens
How to defend?
• Cyber security awareness and training of OT staff.
• Apply and adhere to industrial control system security policies, standards and governance.
• Secure architecture design in both the OT and the IT environment is very important.
• Isolate the OT network from the corporate network in a way that does not compromise the organisation's goals.
• Implement security solutions such as firewalls, intrusion detection systems, antivirus, sandboxing and data loss prevention.
• Have security and device monitoring in place, e.g. SIEM, ICS network security monitoring, etc.
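One concrete form of the ICS network monitoring recommended above, added here as an example and not part of the talk: flag TriStation traffic (UDP 1502, the port the talk gives) to safety controllers that does not come from the one authorised engineering workstation, which is the isolation policy the earlier "How to Protect SIS" slide describes. The SIS subnet, the authorised host and all flow records are constructed assumptions; the record format stands in for whatever your flow collector or Zeek conn.log produces.

```python
import ipaddress
from dataclasses import dataclass

# TriStation protocol port, from the talk (slide "What is Triton?").
TRISTATION_PORT = 1502
# Assumed for this example: the SIS network and the only engineering
# workstation authorised to speak TriStation to the safety controllers.
SIS_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_TRISTATION_HOSTS = {"10.20.30.10"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line):
    """Parse a constructed 'src dst proto dport' flow record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def classify(flow):
    """Return an alert for TriStation traffic that breaks the isolation policy, else None."""
    if flow.proto != "udp" or flow.dport != TRISTATION_PORT:
        return None
    if ipaddress.ip_address(flow.dst) not in SIS_NET:
        return None  # not addressed to a safety controller
    if ipaddress.ip_address(flow.src) not in SIS_NET:
        return f"TriStation from outside SIS network: {flow.src} -> {flow.dst}"
    if flow.src not in ALLOWED_TRISTATION_HOSTS:
        return f"TriStation from unauthorised SIS host: {flow.src} -> {flow.dst}"
    return None

def detect(lines):
    """Run classify over flow records, returning the alerts in order."""
    return [a for a in map(classify, map(parse_flow, filter(str.strip, lines))) if a]

# Constructed sample: authorised engineering traffic, a corporate host
# reaching the SIS, a rogue host inside the SIS subnet, and unrelated Modbus.
SAMPLE_FLOWS = """
10.20.30.10 10.20.30.50 udp 1502
192.168.1.77 10.20.30.50 udp 1502
10.20.30.99 10.20.30.50 udp 1502
10.20.30.10 10.20.30.50 tcp 502
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Traffic from the authorised station is not an alert on its own; pairing this with a record of when the keyswitch was legitimately in PROGRAM mode is what turns an allowed flow into a suspicious one.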
Assessing The Cyber Readiness: Report by Siemens
In summary
Assessing The Cyber Readiness: Report by Siemens
Questions
References
• Dragos TRISIS Report - https://dragos.com/blog/trisis/TRISIS-01.pdf
• FireEye Triton Incident Report - https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
• ICS-CERT MAR-17-352-01 HatMan Report - https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF
• CyberScoop - https://www.cyberscoop.com/triton-ics-malware-fireeye-dragos/
• CyberX Triton Report - https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/
• Kaspersky ICS-CERT Report 2017 - https://ics-cert.kaspersky.com/media/KL_ICS_REPORT_H2-2017_FINAL_EN_22032018.pdf
• Digital Bond S4x18 Conference
• Siemens Cyber Report - https://www.siemens.com/us/en/home/company/topic-areas/industrial-cyber-security.html