How to Defend Against TRITON Industrial Malware
For all the concerns over Industrial Ethernet and IIoT security in recent years, there aren’t many identified malware families poised to take down critical infrastructure.
In fact, since the 2010 Stuxnet attack in Iran, there have only been a handful of unique malware kits in the industrial sector. However, security researchers recently uncovered the latest malware targeting critical infrastructure—TRITON.
Protecting industrial networks is of the utmost importance. Now that TRITON has emerged, let’s look at what exactly this malware is and discuss how to defend against it.
Breaking Down the TRITON Malware Threat
In mid-December 2017, cybersecurity firm Mandate was called to investigate suspicious activity when an attacker deployed TRITON to manipulate Triconex safety instrumented systems (SIS).
According to the FireEye report, the attack resulted in operational shutdown of some SIS controllers. However, the shutdown was the result of a safety mechanism. Reportedly, the nation-state actor behind the attack meant to gain remote access of the SIS workstation, reprogram the controllers, and cause a safety incident that resulted in physical damage.
Although the operational shutdown was inadvertent, OT managers still must understand the threat TRITON poses. The TRITON tool contains many different features (most of which were not used for this particular incident). FireEye says that TRITON gives attackers the ability to:
- Read and write programs
- Alter individual functions within the SIS controller
- Query the state of individual SIS controllers
- And communicate remotely to deliver attacker-defined payloads
Like other critical infrastructure attacks, data exfiltration is not the end-goal of TRITON attacks. Rather, the features included in the malware kit help attackers maneuver around safety controls and secure a foothold in the Industrial Ethernet network and cause malfunctions in the infrastructure.
Luckily, the attacker modified application memory on the target SIS controllers, leading to validation failure and immediate safe shutdown.
The attacker in this incident may have tripped a safety protocol. But that doesn’t mean TRITON can’t be used against your industrial control system. Knowing about the malware is part of the battle—defending against it is the real challenge.
Defending Against Industrial Threats (Including TRITON)
Any time there’s a report of new malware, security researchers lay out a few key recommendations. In the case of TRITON, here’s what FireEye had to say:
- Segregate safety system networks from process control/information system networks
- Physically program safety controllers
- Leverage unidirectional gateways for applications using data from SIS controllers
- Practice strict access control and application whitelisting
- And monitor ICS network traffic for potential anomalies from your baseline activity
TRITON aside, these are all great ways to keep your unique industrial infrastructure safe. But there’s still a question of how to execute all of these recommendations.
The key to defending against TRITON and other industrial threats is to implement network elements that spot 100% of the anomalies FireEye mentions. Listen-only devices like passive network TAPs copy your SIS controller and other network data, send it to an analyzer or deep packet inspector, and keep your managers ahead of any possible breaches.
Using passive network TAPs in conjunction with the latest innovative monitoring tools is the best way to see every bit, byte, and packet® that travels across your industrial network. And when you have total visibility, you can defend yourself against the subtle anomalies that attackers try to sneak through with malware like TRITON.
Patrick Nixdorf is a System Engineer for Garland Technology in the Frankfurt, Germany office, providing pre and post-sales support, as well as solution design for EMEA and APAC. He has over 10 years of experience in the networking industry, primarily in the TAP business.
Originally posted here: https://www.garlandtechnology.com/blog/how-to-defend-against-triton-industrial-malware