Freshly discovered malware called Triton can compromise the safety systems that protect many kinds of industrial processes.
For years, security experts have been warning that hackers can disable the systems that control critical infrastructure we all rely on, such as dams and power plants. Now researchers at Mandiant, which is part of the security firm FireEye, have revealed that a new form of malware, dubbed Triton, was used against an industrial facility in the Middle East and caused its operations to shut down. The malware targeted the plant's Triconex safety controllers, which are made by Schneider Electric, a French company. The researchers say they have not attributed the hack to a particular attacker, but they do say it bore the hallmarks of a nation-state threat.
Triton targeted a so-called safety instrumented system, or SIS. An SIS sits alongside the normal process controls and uses its own sensors to watch a physical process for dangerous conditions such as excessive pressure or temperature; when a reading crosses a preset trip limit, the SIS automatically brings the process to a safe state, typically by shutting it down. It is the last line of defense before an explosion, fire or toxic release. By reprogramming the SIS, hackers can quietly remove that defense: the safety logic keeps reporting that everything is normal while the process is pushed into unsafe territory, which can damage or destroy the equipment the SIS was meant to protect.
In this case, the hackers were able to compromise an SIS engineering workstation, the computer used to program the safety controllers. Mandiant's investigators think they intended to use the breach to cause physical damage to the plant. Instead, they inadvertently triggered a shutdown of the industrial process, which led managers at the facility to launch an investigation that revealed the breach.
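To make the two preceding paragraphs concrete, here is an added example (not code from the original article, and not Schneider Electric's or Mandiant's code) that simulates, in a deliberately simplified form, the trip logic an SIS controller runs over a stream of sensor readings. It shows three things: approved safety logic tripping when pressure crosses its limit, tampered logic with a raised trip point letting the process run unsafely while reporting "no trip", and a controller that verifies a fingerprint of its loaded logic against an approved baseline and fails safe when the fingerprint does not match. The pressure readings, the trip limits, the `SafetyLogic` class and the fingerprint check are all constructed assumptions for illustration; real SIS logic and real integrity mechanisms are vendor specific.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: pressure readings (bar) from a hypothetical vessel,
# rising steadily past the point at which the plant is supposed to trip.
SAMPLE_PRESSURE: List[float] = [10.0, 12.5, 14.0, 16.5, 18.0, 19.5]


@dataclass(frozen=True)
class SafetyLogic:
    """Hypothetical, simplified trip logic loaded into an SIS controller."""
    high_trip_bar: float  # pressure at or above which the SIS must trip

    def fingerprint(self) -> str:
        # Stand-in for a hash of the controller's loaded program (assumption:
        # the only parameter is the trip point, so hashing it is sufficient here).
        return hashlib.sha256(f"high_trip_bar={self.high_trip_bar}".encode()).hexdigest()

    def demands_trip(self, pressure_bar: float) -> bool:
        return pressure_bar >= self.high_trip_bar


@dataclass(frozen=True)
class Outcome:
    tripped: bool
    at_index: Optional[int]   # index of the reading that caused the trip, if any
    reason: str
    unsafe_readings: int      # readings above the APPROVED limit that went unanswered


# The limit the plant's engineers approved, and an attacker-modified copy
# with the trip point raised so the SIS never fires (both hypothetical).
APPROVED = SafetyLogic(high_trip_bar=15.0)
TAMPERED = SafetyLogic(high_trip_bar=25.0)


def run_sis(logic: SafetyLogic, readings: List[float],
            approved_fingerprint: Optional[str] = None) -> Outcome:
    """Run the loaded logic over the readings and report what the SIS did.

    If approved_fingerprint is given, the controller first checks that the
    logic it is about to execute matches the approved baseline and fails safe
    (trips immediately) on a mismatch, before any reading is evaluated.
    """
    if approved_fingerprint is not None and logic.fingerprint() != approved_fingerprint:
        return Outcome(True, None, "loaded logic does not match approved baseline: fail safe", 0)

    unsafe = 0
    for i, p in enumerate(readings):
        if logic.demands_trip(p):
            return Outcome(True, i, f"high pressure trip at {p} bar", unsafe)
        if p >= APPROVED.high_trip_bar:
            # The process is past the limit engineers set, yet this logic lets it run.
            unsafe += 1
    return Outcome(False, None, "no trip", unsafe)


def demo():
    normal = run_sis(APPROVED, SAMPLE_PRESSURE)
    silenced = run_sis(TAMPERED, SAMPLE_PRESSURE)
    checked = run_sis(TAMPERED, SAMPLE_PRESSURE, APPROVED.fingerprint())
    return normal, silenced, checked


if __name__ == "__main__":
    for label, outcome in zip(("approved", "tampered", "tampered+check"), demo()):
        print(f"{label:15s} tripped={outcome.tripped} at={outcome.at_index} "
              f"unsafe_readings={outcome.unsafe_readings} ({outcome.reason})")
```

The middle case is the attack the article describes: the SIS answers "no trip" for every reading even though three of them are past the approved limit, so operators see a system that looks healthy. The third case is the defensive lesson and also mirrors why the real intrusion was noticed: a controller that refuses to run logic it cannot validate drops the process into a safe state, which is disruptive but is exactly what exposes tampering.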
The latest incident follows others that have underlined the vulnerability to cyberattack of factories and critical infrastructure. In 2010, malware known as Stuxnet infected multiple sites in Iran, in one case destroying centrifuges at a uranium enrichment plant. Last year, an attack on Ukraine’s power grid using malware called Industroyer plunged a large chunk of the country’s capital, Kiev, into darkness (see “A Hack Used to Plunge Ukraine into Darkness Could Still Do Way More Damage”).
The growing threat of such attacks prompted the U.S. Computer Emergency Readiness Team, which is part of the Department of Homeland Security, to issue a strongly worded alert jointly with the FBI in October about the risks to numerous sectors, from nuclear power to water and aviation. Some researchers say Triton has been active since September, so it is possible that its emergence contributed to the US-CERT warning.
A study published earlier this year by MIT’s Center for International Studies noted that the pressure to make older equipment in many power plants and other facilities compatible with next-generation Internet-connected hardware has made matters worse. The rush to hook up legacy systems to the Web can leave them vulnerable to attack (see “Patching the Electric Grid”).
It could also leave companies vulnerable to huge lawsuits. “Triton underscores the need for factories and utilities to ... rethink their control and cyberdefense strategies,” said Creighton Magid, a lawyer at Dorsey & Whitney, in an e-mailed statement about the new hack. “The laggards are going to face huge financial risks.”