Cybersecurity: The key lessons of the Triton malware cyberattack you need to learn


The Triton malware attack was far from the first time that hackers have attempted to target the networks of an industrial facility, but it was the first time that malware designed to attack safety systems was ever seen in the wild.

The malware was designed to manipulate Schneider Electric's Triconex Safety Instrumented System (SIS) controllers – emergency shutdown systems – and was uncovered on the network at a critical infrastructure operator in the Middle East.

The malware campaign was extremely stealthy and was only uncovered because the attackers made a mistake and triggered the safety system, shutting down the plant. The outcome could've been much worse.

"We can speculate that their mission is of some physical consequence. They wanted to either stop production at this facility, stop things from working or potentially cause physical harm," says Dan Caban, incident response manager at FireEye's Mandiant.

Speaking during a session on Triton at the National Cyber Security Centre's CYBERUK 19 conference, Caban argued that it was fortunate the malware was uncovered, alerting the world to dangerous cyberattacks that can alter or damage physical systems.

"We were very lucky that this accident happened, it opened the door for people to start thinking about this physical consequence which may have cybersecurity origins – that's how this investigation kicked off and now so much has come to public light," he says.

Following the initial point of compromise, the attackers harvested credentials and used them to move laterally across the network until they reached the SIS controllers.

However, Triton was only able to reach its goal because of some lax attitudes to security throughout the facility: the safety controllers should have been disconnected from the network but were connected to Internet-facing operational systems, allowing attackers to gain access.

Other failures – like a key being left inside a machine – provided attackers with access they should never have gained without physically being inside the facility.

While the malware has the potential to be highly damaging to valves, switches and sensors in an industrial environment, the threat can be countered by implementing some relatively simple cybersecurity techniques that make movement between systems almost impossible.

"Network segregation can help you avoid this happening. You should be separating them logically, but also based on criticality and by following industry best practice and industry standards," Caban explains. "You should also consider directional gateways so it's not possible to move certain ways."
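The segmentation and directional-gateway advice above can be checked mechanically rather than by inspection. The following is an added example, not code from the article or from Mandiant: it models network zones and the conduits permitted between them as a default-deny graph (the zone names and both layouts are constructed assumptions, not the affected plant's architecture). A weak layout, in which the safety controllers hang off the same control network that Internet-facing operational systems can reach, is placed beside a hardened one in which the SIS is reachable only from a dedicated safety engineering workstation and exports process data through a one-way gateway that nothing can traverse in reverse.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Conduit:
    """An explicitly permitted flow between two zones.

    bidirectional=False models a unidirectional gateway (data diode): traffic
    may cross from src to dst, but nothing can initiate in the other direction.
    """
    src: str
    dst: str
    bidirectional: bool = True


class SegmentationPolicy:
    """Default-deny zone graph: a hop exists only if a conduit permits it."""

    def __init__(self, zones: Iterable[str], conduits: Iterable[Conduit]):
        self.zones: Set[str] = set(zones)
        self.edges: Dict[str, Set[str]] = {z: set() for z in self.zones}
        for c in conduits:
            if c.src not in self.zones or c.dst not in self.zones:
                raise ValueError(f"conduit references unknown zone: {c}")
            self.edges[c.src].add(c.dst)
            if c.bidirectional:
                self.edges[c.dst].add(c.src)

    def path(self, start: str, target: str) -> Optional[List[str]]:
        """Breadth-first search for the shortest permitted hop sequence, or None."""
        if start == target:
            return [start]
        parents: Dict[str, str] = {}
        queue = deque([start])
        seen = {start}
        while queue:
            zone = queue.popleft()
            for nxt in sorted(self.edges[zone]):  # sorted for deterministic paths
                if nxt in seen:
                    continue
                parents[nxt] = zone
                if nxt == target:
                    route = [target]
                    while route[-1] != start:
                        route.append(parents[route[-1]])
                    return route[::-1]
                seen.add(nxt)
                queue.append(nxt)
        return None

    def reachable_from(self, start: str) -> Set[str]:
        """Every zone an attacker who holds `start` could transit to."""
        return {z for z in self.zones if z != start and self.path(start, z) is not None}


# Zone names are constructed assumptions for this example.
ZONES = ["internet", "corporate_it", "ops_dmz", "control_network", "safety_eng_ws", "sis"]

# Weak layout (constructed): the SIS is just another node on the control
# network, which Internet-facing operational systems can reach.
WEAK_POLICY = SegmentationPolicy(ZONES, [
    Conduit("internet", "corporate_it"),
    Conduit("corporate_it", "ops_dmz"),
    Conduit("ops_dmz", "control_network"),
    Conduit("control_network", "sis"),
    Conduit("control_network", "safety_eng_ws"),
])

# Hardened layout (constructed): the SIS is reachable only from a dedicated
# safety engineering workstation; process data leaves the SIS through a
# one-way gateway, and no conduit leads back into it from the control network.
HARDENED_POLICY = SegmentationPolicy(ZONES, [
    Conduit("internet", "corporate_it"),
    Conduit("corporate_it", "ops_dmz"),
    Conduit("ops_dmz", "control_network"),
    Conduit("safety_eng_ws", "sis"),
    Conduit("sis", "control_network", bidirectional=False),  # data diode, outbound only
])


def audit(policy: SegmentationPolicy, untrusted: str = "internet", crown_jewel: str = "sis") -> dict:
    """Findings a reviewer wants: is the crown jewel reachable from the untrusted zone, via what path, and what else is exposed."""
    route = policy.path(untrusted, crown_jewel)
    return {
        "reachable": route is not None,
        "path": route,
        "exposed_zones": sorted(policy.reachable_from(untrusted)),
    }


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy))
```

Running the script prints a full hop sequence from the Internet to the SIS for the weak layout and `reachable: False` for the hardened one, where the one-way conduit still lets the SIS push data to the control network but gives nothing a route back in. The same graph can be rebuilt from real firewall and gateway rules so that any change which reopens a path to a safety zone fails the audit.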
