In October, the US Treasury Department announced sanctions against the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), an institution with links to the Russian government. The move came after the institute was held responsible for the Triton malware, also known as Trisis or Hatman, which attacks industrial control systems (ICS).

Treasury Secretary Steven Mnuchin stated that “The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies. This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

SIS controllers

We have previously talked about this malware in our post on Cybersecurity to protect against emerging threats in the industry, though it is worth remembering just how dangerous it is. Such is the threat that MIT Technology Review explained that when cybersecurity consultant Julian Gutmanis uncovered it at a petrochemical plant in Saudi Arabia in 2017, what he found there made his blood run cold.

Triton is an attack framework built to interact with Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers. The adversaries gained remote access to an SIS engineering workstation and used the TRITON framework to reprogram the SIS controllers. Some of the controllers then entered a failed safe state, because they could no longer pass their own validation checks, and the processes each one protected were shut down. As a result, plant activity was halted, and this is what most concerned Gutmanis.

Unprotected operational technology (OT)

This incident underlines how malware targeting ICS can have severe consequences that reach far beyond the financial implications. As we have previously warned with Berserk Bear, if such attacks affect the operations of industrial facilities or power plants, they could also put workers’ lives at risk or leave civilians without essential utilities. It is precisely for these reasons that such installations are given special emphasis in national cybersecurity strategies, with specific directives for critical infrastructure.

Nevertheless, despite the grave risk, industrial and energy firms appear not to have adequately protected themselves. The Cyber Security Report from KPMG and the Control System Cyber Security Association International points out that less than 25 percent of companies have incorporated an active defense of their control systems and assets. It also highlights how 63 percent of those with more mature control system (CS) security programs frequently replace vulnerable CS hardware or software after an assessment, whereas in less mature environments the figure falls to 34 percent.

The report concludes that “enterprise organizations continue to struggle to address cybersecurity vulnerabilities across control systems and operational technology environments, which can have a material impact on human safety and their businesses.”

Updates and Zero Trust

The KPMG report shows that organizations with more developed cybersecurity plans are continually reviewing industrial control systems and therefore renew hardware and software systems with much greater frequency. Such updates drastically reduce the window of opportunity for exploiting potential vulnerabilities, as we explained when discussing the Windows Zerologon vulnerability. With this in mind, Cytomic Patch is undeniably a valuable aid, as it provides Cytomic customers with essential advice about security holes and also offers patch management for operating systems and third-party applications on Windows servers and workstations.

In any event, to prevent sophisticated cyberattacks such as Triton, updates on their own may not suffice. Additional comprehensive protection measures are required for endpoints, using a Zero-Trust approach that, by default, prevents the execution of any binary until it has been duly classified as trusted. Cytomic EPDR includes such EDR capabilities along with a complete stack of protection features.