Security researchers have spotted a new form of malware (TRITON) that is capable of targeting industrial equipment. In October, the FBI and US Department of Homeland Security (DHS) warned that energy companies are now under constant attack by threat actors seeking to steal information related to their control systems. In this case, however, the attacker appears to have wanted to “disrupt an operational process rather than steal data.” The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and the core infrastructure relied upon for supplies such as gas, oil, and electricity.
Multiple warnings advise companies not to ignore the level of risk with this threat. Creighton Magid, a partner at the international law firm Dorsey & Whitney, confirms that this new discovery should put industries and IT professionals on high alert. He is an expert in product liability and cybersecurity who has worked extensively with the Consumer Product Safety Commission. Magid stated:
TRITON appears to be the latest generation of malware targeting industrial control systems for the purpose of disrupting or destroying an industrial process, rather than for stealing data. (The first two were Stuxnet – used to destroy nuclear enrichment centrifuges in Iran – and Industroyer – which attacked Ukrainian power facilities.)
TRITON appears to work by reprogramming the controllers of a Safety Instrumented System (SIS) – a control system that monitors, through sensors and actuators, a physical process. By taking control of the SIS, a bad actor can either shut down an industrial process by tricking the SIS into erroneously thinking something is wrong with the industrial process or can damage or destroy an industrial process by causing the industrial process to operate in an unsafe way without triggering a shutdown or warning. In the first case, the damage is economic: the facility is shut down unnecessarily, causing less output. In the second case, the results could be catastrophic: the destruction of a plant and, possibly, human casualties.
One of the vulnerabilities exploited by TRITON is the increasingly common practice of integrating SIS and industrial control systems. If the two are segregated, malware such as TRITON is much less threatening.
The emergence of TRITON underscores the need for factories and utilities to evaluate their cyber vulnerabilities and to rethink their control and cyber defense strategies. The laggards are going to face huge financial risks, not only from the event itself, but also from liability to shareholders, customers, and others.
On Thursday, the new malware, Triton, was reported to pose a severe threat to critical infrastructure. Malware, short for malicious software, is an umbrella term for a variety of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs; it is defined by its malicious intent. Organizations are warned against ignoring the potential Triton has to shut down systems entirely.
By Cherese Jackson (Virginia)
Financial Times: Critical infrastructure threat as new malware is identified
ZD Net: Hackers use Triton malware to shut down plant, industrial systems
Dorsey & Whitney Law Firm: Creighton Magid
Top Image Courtesy of CyberHades’s Flickr Page – Creative Commons License
Featured Image Courtesy of Christoph Scholz’s Flickr Page – Creative Commons License