The recent TRITON malware attack against a critical infrastructure organization sought to modify and manipulate industrial safety systems with the intention of causing potentially catastrophic physical damage. ICS systems create an interface between physical and digital environments, meaning that the repercussions of an unhandled failure can be fatal.
The TRITON campaign can be divided into two conceptual phases. First, the attackers managed to gain remote access to an engineering workstation attached to the SIS (Safety Instrumented System) network, after which they deployed a program that was masquerading as a legitimate application produced by a critical control and system safety supplier. The framework for mimicking this legitimate application is not readily available, so there is reason to believe TRITON is the creation of well-funded and highly capable actors with intentions that probably reach beyond minor monetary gains.
The attackers successfully subverted traditional network defenses. Once they had established this foothold, they opted to delve deeper into the network and perform detailed reconnaissance – the second phase of the attack. Thankfully, they accidentally triggered a partial system failure which the internal security team investigated and remediated.
Having failed to achieve their ultimate goal, the attackers will likely be evaluating where they went wrong, so that next time they don’t give themselves away at such a late stage. They may also be considering whether that reconnaissance step is worthwhile, as clearly, they were capable of significant sabotage from that location without any further chances to be caught. Their success in penetrating the network as far as they did undetected with their current tools and methods means that they will almost certainly use them against other organizations.
TRITON should be considered a significant precedent for ICS security. What this incident shows is that traditional demilitarized zones, heavy network segregation and multiple firewalls are definitively not sufficient to protect the essentially defenseless machines that make up ICS networks. How then should infrastructure providers adjust their security postures in the light of the TRITON attack?
With regards to the second phase, anomaly detection is a clear solution for pinpointing unusual activity within the control system, highlighting unexpected reprogramming or reconnaissance for the security team’s attention. The typically predictable communications made between ICS devices such as HMIs and PLCs are intuitively a fertile ground for this type of approach. Regulators have taken notice, and in the UK for example the incoming NIS Directive legislation mandates that critical infrastructure providers have anomaly detection for their relevant networks.
However, defenders do not want their first opportunity to catch the attacker to be when they have already reached the control system and are making use of automation protocols and exploiting inherently vulnerable devices. They want to be alerted to the earlier parts of the cyber kill chain, as the attacker makes their way towards these networks, and be able to remediate them there instead. This can only be achieved by extending the anomaly and cyber-threat detection outwards from the control system through the other networks (demilitarized zones, corporate) that can form defensive buffers around it.
This is why Darktrace’s Industrial Immune System is designed to monitor all of these networks simultaneously, embracing the full range of device types from PLCs out through the nearly standard IT systems in OT control rooms, and all the way to the edge of the organization’s possible visibility – even into the cloud if need be. It is not sufficient for those tasked with protecting control system to monitor just the automation protocols or the networks that contain them.