Symantec is aware of a new Trojan which targets industrial control systems (ICS) and has the potential to cause severe disruption at any targeted organization. Triton (Trojan.Trisis) is designed to communicate with a specific type of ICS, namely safety instrumented systems (SIS), and to deploy alternative logic to these devices, meaning they may not function correctly. Triton has reportedly been used against at least one organization in the Middle East.
Triton, which has been in existence since at least August 2017, works by infecting a Windows computer that is expected to be connected to a SIS device. The malware then injects code modifying the behavior of the SIS device. However, at present the intended effect is unclear and investigation is still underway.
What are SIS?
Safety instrumented systems are a type of industrial control system designed to monitor the performance of critical systems and take remedial action should an unsafe condition be detected. This could include overly high temperatures or pressure readings in industrial systems. The SIS is designed to detect such conditions and initiate action that will put the affected systems into a safe state.
Why target SIS?
Attacks on SIS devices could potentially cause disruption at a targeted organization and, at worst, facilitate sabotage. By interfering with the operation of an SIS, an attacker could cause it to malfunction and shut down operations at a plant. A worst case scenario is an attack where an SIS malfunctions, does not detect an unsafe event and therefore fails to prevent an industrial accident. The latter would be more difficult to accomplish, since the attacker would need to ensure an unsafe condition occurs while the SIS is malfunctioning.
Not the first ICS attack
While there have been a small number of previous cases of malware designed to attack ICS, Triton is the first to attack SIS devices. The first and most notable example of ICS malware was Stuxnet (W32.Stuxnet), which was designed to attack programmable logic controllers (PLCs) being used in the Iranian uranium enrichment program.
The Dragonfly cyber espionage group has also been known to target ICS and previously compromised a number of ICS equipment providers, infecting their software with the Oldrea Trojan (Backdoor.Oldrea) (aka Havex).
More recently, the Disakil disk-wiping malware (Trojan.Disakil), which was used in attacks against the Ukrainian energy sector in late 2016, contained a component designed to target SCADA (supervisory control and data acquisition) ICS systems. The malware attempted to stop and delete a service used by software designed to communicate with legacy SCADA systems.
Triton appears to be designed to be used in a highly targeted fashion, meaning the attackers may be focused on one specific target or a small number of targets. Nevertheless, users of SIS devices are advised to review operational security and follow the manufacturer’s best practices, such as ensuring safety systems are deployed on isolated networks and that no unauthorized persons have access to SIS devices.
Symantec is continuing to investigate this threat.
Symantec has the following protection in place to protect customers against these attacks:
Symantec IOT Critical System Protection also blocks this threat.