
Actionable OT Intelligence

Cyber Attack on Safety Instrumented System in Critical Infrastructure

Name: Paresh Kerai


- Paresh Kerai @mamboz01

- ICS Cyber-Security Engineer, SC8 Ltd.

- PhD candidate at ECU and researcher at the ECU Security Research Institute.

- Research on the security of SCADA systems and on detecting network threats on ICS networks.

- p.kerai@ecu.edu.au / pkerai@sc8.com.au


SC8 Ltd Overview


• SC8 delivers unprecedented OT (Operational Technology) network visibility and multi-threat-vector analytics in real time, resulting in client-centric actionable intelligence that creates whole-of-system resilience.

• SC8 provides visibility across your critical ICS networks by ingesting network traffic and system logs for entire-business visibility and correlating them to detect any threats.

• Our machine learning engine performs real-time analysis of ICS cyber threats.

• Combining multi-sensor Intrusion Detection System (IDS) with advanced malware detection and analysis, the SC8 platform provides visibility of malicious activity and anomalies threatening business-critical assets through the provision of ICS Actionable Intelligence.

• The platform offers dashboards tailored to control system engineers, security personnel or business executive.

Web - https://www.sc8.com.au/

Contact - info@sc8.com.au


Topics


Introduction: What are Industrial Control Systems

Background: ICS Related Attacks and Statistics

Background: Safety Instrumented Systems, Triconex and Triton Malware

Explanation: How it Happened

Explanation: Who was behind the attack

Expectation: What comes next

Mitigation: How to Defend Against Attacks on ICS Networks

Conclusion


What are Industrial Control Systems?


• These are systems that control and monitor remote or local industrial equipment, so-called field devices.

• Vital components of most nations' critical infrastructures.

• Used in water utilities, gas and electricity plants, nuclear plants, refineries and other manufacturing plants and factories.

• Consist of various industrial components such as Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Human Machine Interfaces (HMI), and so on.


ICS Related Attacks and Statistics


Kaspersky Labs ICS Report 2018


ICS Related Attacks and Statistics


This report by Siemens and the Ponemon Institute consists of a survey of 176 individuals in the Middle East responsible for securing or overseeing cyber risk.

Assessing The Cyber Readiness: Report by Siemens


ICS Related Attacks and Statistics


• ICS-tailored malware families (5): Stuxnet, Havex, Blackenergy 2, Industroyer/Crashoverride, Triton/Trisis

• Malware intended to disrupt industrial processes (4): Stuxnet, Blackenergy 2, Industroyer/Crashoverride, Triton/Trisis

• Successfully attacked (3): Stuxnet, Industroyer/Crashoverride, Triton/Trisis

Source: Report by Dragos Inc


What are Safety Instrumented Systems (Triconex)?


What are Safety Instrumented Systems?

• Safety instrumented systems are a type of ICS device designed to monitor the performance of critical systems and take remedial action should an unsafe condition be detected.

• They can detect such conditions and initiate action that will put the affected systems into a safe state.


What is Triton?

• TRITON/TRISIS/HATMAN is malware that was developed to exploit the Triconex MP3008 SIS processor module.

• Triton exhibited an entirely new level of sophistication in how it compromised OT devices.

• The attackers exploited a zero-day in the SIS firmware in order to inject a Remote Access Trojan (RAT).

• The RAT enabled persistent access to the controller.

• This gave the attackers the ability to perform further attacks.

• TriStation Protocol – UDP 1502


What is Triton?

• The malware exposes another breed of ICS systems that attackers can now target to compromise industrial control system equipment.

• Triton was a targeted attack specifically designed to attack a particular device and firmware.

• Tradecraft exhibited by the attackers is now available to other adversaries.

• Malware code: https://github.com/ICSrepo/TRISIS-TRITON-HATMAN (except for inject.bin)


How it Happened?


• Sequence of events:

• An engineer's computer was infected with malware.

• The infected computer connected to the OT network.

• The malware injected code into the Triconex device, exploiting a vulnerability in the device firmware (a zero-day attack).

• The code injected into the device firmware had a single variable that was wrong, which caused the device to fail and drop into its safe state.

• Triconex entered a failed-safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.


How it Happened?


• Structure of Triton:

• trilog.exe -> main executable, a py2exe-compiled binary that runs the Python script

• library.zip -> contains all the libraries, including the TriStation communication libraries

• inject.bin -> responsible for placing imain.bin in the right place

• imain.bin -> main backdoor

[Diagram: Engineer Workstation running the Triton malware (trilog.exe, library.zip, inject.bin, imain.bin), communicating with the Triconex Controller over TriStation]


How it Happened?


Source: ICS-CERT MAR-17-352-01, HatMan - Safety System Targeted Malware (Update A)

The injection of imain.bin (the backdoor) failed a validation check within the SIS, resulting in a diagnostic failure message.


Who was behind the attack?


• FireEye and Dragos reports point to potential nation-state attackers.

• The malware was written to target a specific SIS model and version.

• The attackers required the following to be successful:

  • Access to the SIS network.

  • The ability to load the malware code on the SIS program terminal.

  • The Tricon SIS keyswitch to be in PROGRAM mode in order for the controller to be infected.


How to Protect SIS against Triton?


• Safety systems must always be deployed on isolated networks.

• Avoid connecting TriStation workstations to a larger network, avoid using removable media to transfer programs, and follow best practices for updating workstations.

• Physical controls should be in place so that no unauthorised person has access to the safety controllers.

• Only switch the key to "PROGRAM" when necessary.


What comes next?


• More sophisticated ICS related attacks.

• Ransomware type attacks.

• Rise of general and accidental malware infections and attacks.

• More nation state actors developing capability to attack ICS networks.

• Espionage attacks on ICS networks, including attacks that gather information for competitive advantage.

Assessing The Cyber Readiness: Report by Siemens


How to defend?


• Cyber security awareness and training of OT staff.

• Apply and adhere to industrial control system security policies, standards and governance.

• Secure architecture design in both OT and IT is very important.

• Isolate the OT network from the corporate network in a way that does not compromise the organisation's goals.

• Implement security solutions such as firewalls, intrusion detection systems, antivirus, sandboxing and data loss prevention.

• Have security and device monitoring in place, e.g. SIEM, ICS network security monitoring, etc.
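The talk notes that TriStation runs over UDP 1502, that safety systems belong on isolated networks, and that the keyswitch should only be in PROGRAM when necessary. The following added example (not part of the presentation) turns those three points into ICS network monitoring logic: it walks constructed, Zeek-like flow records and flags TriStation traffic to the safety controllers that comes from a host other than the approved engineering workstation, or that arrives outside an approved change window. The controller and workstation addresses and the change window are hypothetical.

```python
# Added example (not from the presentation): flag TriStation (UDP 1502) traffic
# to safety controllers from unapproved hosts or outside an approved change window.
from datetime import datetime, time

TRISTATION_PORT = 1502  # TriStation protocol runs over UDP 1502

# Hypothetical asset inventory for one site (constructed addresses):
# the SIS controllers and the only workstation allowed to program them.
SIS_CONTROLLERS = {"10.20.30.10", "10.20.30.11"}
APPROVED_TRISTATION_HOSTS = {"10.20.30.100"}
# Approved programming window (constructed): outside it the keyswitch should
# not be in PROGRAM, so no TriStation traffic is expected at all.
CHANGE_WINDOW = (time(8, 0), time(12, 0))

# Constructed flow records (Zeek-like): "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2018-03-05T09:15:02 10.20.30.100 50123 10.20.30.10 1502 udp
2018-03-05T13:02:11 10.20.30.100 50200 10.20.30.11 1502 udp
2018-03-05T22:41:09 10.20.30.57 44021 10.20.30.10 1502 udp
2018-03-05T22:41:10 10.20.30.57 44022 10.20.30.10 502 tcp
"""

def parse_flow(line):
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto.lower()}

def classify(flow):
    """Return alert tags for one flow; an empty list means nothing to report."""
    if not (flow["proto"] == "udp" and flow["dport"] == TRISTATION_PORT
            and flow["dst"] in SIS_CONTROLLERS):
        return []  # not TriStation traffic to a safety controller
    tags = []
    if flow["src"] not in APPROVED_TRISTATION_HOSTS:
        tags.append("tristation_from_unapproved_host")
    start, end = CHANGE_WINDOW
    if not start <= flow["ts"].time() <= end:
        tags.append("tristation_outside_change_window")
    return tags

def detect(flow_text):
    """Map each flow line that raised at least one tag to its list of tags."""
    alerts = {}
    for line in flow_text.splitlines():
        if line.strip():
            tags = classify(parse_flow(line))
            if tags:
                alerts[line] = tags
    return alerts
```

On the sample flows, the approved workstation's in-window session passes, its afternoon session is flagged as outside the change window, and the unknown host's TriStation traffic is flagged on both counts while its Modbus/TCP flow is ignored.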


Assessing The Cyber Readiness: Report by Siemens


In summary


Assessing The Cyber Readiness: Report by Siemens


Questions


References


• Dragos TRISIS Report - https://dragos.com/blog/trisis/TRISIS-01.pdf

• FireEye Triton Incident Report - https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

• ICS-CERT MAR-17-352-01 HatMan Report - https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF

• CyberScoop Triton Article - https://www.cyberscoop.com/triton-ics-malware-fireeye-dragos/

• CyberX Triton Report - https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/

• Kaspersky ICS-CERT Report 2017 - https://ics-cert.kaspersky.com/media/KL_ICS_REPORT_H2-2017_FINAL_EN_22032018.pdf

• Digital Bond's S4X18 Conference

• Siemens Cyber Report - https://www.siemens.com/us/en/home/company/topic-areas/industrial-cyber-security.html