The cyber attack against a Saudi oil and gas petrochemical facility in the summer of 2017 opened a new and troubling page in the history of cyber warfare, marking the first time that malware targeted industrial safety equipment.
Unlike the code used in the 2010 Stuxnet attack that knocked out centrifuges at an Iranian uranium enrichment facility, the malware featured in this attack, called Triton, was designed to disrupt the behavior of the safety instrumented system that monitored the performance of critical systems.
This was a milestone event. Without the protection of a last line of safety defense, a cyber attack that interferes with a facility’s automatic emergency shutdown processes could lead to equipment or operational failures that cause injury or the loss of life.
The danger was averted this time because the malware was discovered before it could disrupt the plant’s operations. But there’s no putting the genie back into the bottle.
Researchers presenting at the recent BlackHat 2018 conference simulated how Triton might be used to wage a destructive attack. They also provided a narrative explaining how someone might acquire the resources necessary to obtain the Triton engineering tools to execute a malicious payload. It didn’t take much – just some clever sleuthing along with reverse engineering skills.
“You don’t have to be a government to build an attack like Triton,” said Andrea Carcano, Nozomi Networks’ co-founder and chief product officer, pointing to several trends that have come together to clear the way for threat actors to attack industrial control systems (ICS).
- Increased connectivity with IT networks and the internet has greatly increased the attack surface.
- Dedicated tools and information found on the internet make the life of a hacker much easier.
- Advanced exploitation tools, frameworks and malware samples are readily available. There were no examples of ICS malware frameworks on the internet before Stuxnet. Nowadays, you can locate several, including Triton.
- ICS equipment and documentation are easy to procure.
- The number of published ICS device vulnerabilities is growing, while countermeasures are implemented slowly.
The researchers took no solace from the fact that Triton failed this time around. The attacker might just as easily have been able to inject the final payload successfully.
Indeed, fellow BlackHat presenter and independent researcher Marina Krotofil said that Triton has the potential to transform the concept of cyber war by executing arbitrary code to reach a “kinetic” stage where industrial plants start exploding.
It’s a scenario that’s no longer beyond the realm of imagination. As more old-line heavy industries digitize their processes and connect them to outside networks, malicious hackers are probing new points of vulnerability – and finding them. And since modern safety instrumented systems are software-based, Krotofil continued, that means “they can be exploited.”
Triton hasn’t been much in the news since the incident at the Saudi petrochemical plant. But Carcano suggested that this may be only a respite, with Triton featuring in future copycat attacks against industrial targets.
Given that the expertise and the financial resources needed to create the Triton malware were lower than originally expected, he said industrial sites need to remain vigilant and more closely monitor the security of their equipment with auditing and forensic tools before Triton-like exploits become common.
Because if there’s one constant in the history of cyber threats, it’s that the past very often turns out to be prologue.
“As soon as a new exploitation technique becomes available,” Carcano said, “everybody jumps on the bandwagon.”