Freshly discovered malware called Triton can compromise safety systems that control many kinds of industrial processes.
For years, security experts have been warning that hackers can disable systems that control critical infrastructure we all rely on, such as dams and power plants. Now researchers at Mandiant, which is part of the security firm FireEye, have revealed that a new form of malware, dubbed Triton, closed down the operations of a business in the Middle East belonging to Schneider Electric, a French company. The researchers say that they haven’t attributed the hack to a particular attacker, but they do say it bore hallmarks of threats from a nation-state.
Triton appears to have targeted a so-called safety instrumented system, or SIS, which monitors the operation of a physical process using sensors and acoustics. An attacker who takes control of the SIS can destroy or damage the process it monitors by tricking it into believing everything is normal when the process is in fact operating at unsafe levels.
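To make the failure mode above concrete, here is a small, constructed Python model of an SIS trip decision and of an independent plausibility check a defender can run beside it. It is an added illustration, not code from the article, from Mandiant or from any SIS vendor; the setpoint, the pressure values and the sample timelines are invented, and the "independent transmitter" is assumed to be a measurement the compromised SIS cannot alter.

```python
"""
Constructed model of a safety instrumented system (SIS) trip decision and an
independent plausibility check. Not vendor code; all values are invented.
"""
from dataclasses import dataclass

HIGH_PRESSURE_TRIP = 100.0   # constructed trip setpoint, in bar


@dataclass
class Sample:
    t: int                    # sample time (constructed, arbitrary units)
    process_pressure: float   # what the process is really doing (independent transmitter)
    sis_reported: float       # what the SIS logic solver believes it is seeing


def sis_should_trip(reading: float) -> bool:
    """The SIS trips when its reading reaches the high-pressure setpoint."""
    return reading >= HIGH_PRESSURE_TRIP


def run_sis(samples):
    """Return the index of the first sample at which the SIS trips, or None.

    The SIS only ever sees sis_reported; if that value is held at a
    'normal' level, the SIS never trips no matter what the process does.
    """
    for i, s in enumerate(samples):
        if sis_should_trip(s.sis_reported):
            return i
    return None


def independent_check(samples, tolerance=5.0):
    """Compare SIS-side readings against an independent transmitter.

    Flags two things a defender wants to know about:
      * sensor_disagreement: SIS value and independent value differ by more
        than `tolerance`
      * unsafe_without_trip: the independent value is past the trip point
        while the SIS-side value would not have tripped
    Returns a list of (t, finding, value) tuples.
    """
    findings = []
    for s in samples:
        deviation = abs(s.process_pressure - s.sis_reported)
        if deviation > tolerance:
            findings.append((s.t, "sensor_disagreement", deviation))
        if sis_should_trip(s.process_pressure) and not sis_should_trip(s.sis_reported):
            findings.append((s.t, "unsafe_without_trip", s.process_pressure))
    return findings


# Constructed timelines.
# HONEST_RUN: pressure climbs and the SIS sees the same values it should.
HONEST_RUN = [Sample(t, 60.0 + 12 * t, 60.0 + 12 * t) for t in range(6)]
# SPOOFED_RUN: pressure climbs identically, but from t=2 onward the SIS-side
# value is frozen at a 'normal' 60 bar, which is the 'everything is fine'
# picture the text describes.
SPOOFED_RUN = [
    Sample(t, 60.0 + 12 * t, 60.0 if t >= 2 else 60.0 + 12 * t) for t in range(6)
]

if __name__ == "__main__":
    print("honest run trips at sample:", run_sis(HONEST_RUN))      # 4
    print("spoofed run trips at sample:", run_sis(SPOOFED_RUN))    # None
    for finding in independent_check(SPOOFED_RUN):
        print("independent check:", finding)
```

The point of the second function is the design lesson rather than the arithmetic: the SIS is only as trustworthy as the readings it is fed, so a process historian or monitoring system that receives its own copy of key measurements, and alarms when the two pictures diverge or when the process is past a trip point without a trip, gives operators a signal that a frozen "normal" reading alone never would.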
In Schneider Electric’s case, hackers were able to compromise an SIS workstation. Mandiant’s investigators think they intended to use the breach to cause damage to the plant. But they inadvertently triggered a shutdown of the industrial process, which led managers at the facility to launch an investigation that revealed the breach.
The latest incident follows others that have underlined the vulnerability to cyberattack of factories and critical infrastructure. In 2010, malware known as Stuxnet infected multiple sites in Iran, in one case destroying centrifuges at a uranium enrichment plant. Last year, an attack on Ukraine’s power grid using malware called Industroyer plunged a large chunk of the country’s capital, Kiev, into darkness (see “A Hack Used to Plunge Ukraine into Darkness Could Still Do Way More Damage”).
The growing threat of such attacks prompted the U.S. Computer Emergency Readiness Team, which operates under the auspices of the Department of Homeland Security and the FBI, to issue a strongly worded alert in October about the risks to numerous sectors, from nuclear power to water and aviation. Some researchers say Triton has been active since September, so it’s possible that its emergence triggered the US-CERT warning.
A study published earlier this year by MIT’s Center for International Studies noted that the pressure to make older equipment in many power plants and other facilities compatible with next-generation Internet-connected hardware has made matters worse. The rush to hook up legacy systems to the Web can leave them vulnerable to attack (see “Patching the Electric Grid”).
It could also leave companies vulnerable to huge lawsuits. “Triton underscores the need for factories and utilities to ... rethink their control and cyberdefense strategies,” said Creighton Magid, a lawyer at Dorsey & Whitney, in an e-mailed statement about the new hack. “The laggards are going to face huge financial risks.”