The next wave? Modular component malware against industrial control safety systems

Dec 15, 2017

Cyberattacks, Energy Industry, Hacking

While there exist no imminent, specific, directly attributable credible threats against energy infrastructure in North America, attacks against Ukraine’s energy sector have occurred each December since 2015.


On December 14, 2017, industry was notified via open source reporting of an incident successfully targeting a single customer’s Triconex Tricon safety shutdown system. At least one cyber research firm stated the probable victim was in Saudi Arabia.

FireEye believes the attacker’s actions inadvertently caused the shutdown while probing the system to learn how it worked, said Dan Scali, who led FireEye’s investigation. The attackers were likely conducting reconnaissance to learn how they could modify safety systems so they would not operate in the event that the hackers intended to launch an attack that disrupted or damaged the plant, he said.

DNG-ISAC issued a warning December 8th

DNG-ISAC reported that one or more groups associated with the CRASHOVERRIDE threat may be conducting intelligence in preparation for a new end-of-year attack against Ukraine. A concern exists that campaigns against energy infrastructure in Ukraine may be used as a virtual proving ground in the development of tactics, techniques, and procedures (TTPs). These TTPs, in turn, may be used in industrial control systems prevalent in other areas of the world by the use of various payload modules. The potential exists that commonly used equipment in a specific region can then be targeted by an adversary against identified infrastructure.

While CRASHOVERRIDE did not include the DNP3 module that would have been required to adversely affect industrial control infrastructure found in the U.S. energy sector, the “plug-and-play” nature of the malware indicates that the potential exists for the creation of various modular payloads. For example, CRASHOVERRIDE contained, among others, a module to attack Siemens SIPROTEC safety systems.

The advent of anti-safety malware

At a recent presentation, representatives from a partner cyber security research organization shared an analysis of a lab-created DNP3 attack payload module for CRASHOVERRIDE and described some of their testing results. As an aside during the presentation, it was discussed that attacking safety systems could be used as an enabler to a wider attack.

In the incident successfully targeting the Triconex Tricon safety shutdown system, some of the controllers entered a failsafe mode, which caused related processes to shut down and allowed the plant to identify the attack.

The modules used with the associated malware are specifically designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the key switch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.
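The one hard precondition the article names is that the key switch must be in “PROGRAM” mode before the payload can be delivered, so the cheapest defensive control is to keep the switch in RUN and to alert whenever a controller sits in PROGRAM outside an approved maintenance window. The following is an added example written for this page, not code from the article, from Schneider Electric, or from any vendor tool. It assumes that some existing monitoring already records the key-switch position per controller (how that is collected is out of scope here); the asset tags, position labels, timestamps and maintenance window below are all constructed sample data.

```python
"""Audit safety-controller key-switch positions against maintenance windows.

Added example (not from the page or any vendor). Finds contiguous runs of
readings where a controller's key switch was in PROGRAM without an approved
maintenance window covering that time. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KeySwitchReading:
    controller: str       # hypothetical asset tag, e.g. "SIS-01"
    position: str         # assumed labels: "RUN", "PROGRAM", "STOP", "REMOTE"
    observed_at: datetime


@dataclass(frozen=True)
class MaintenanceWindow:
    controller: str
    start: datetime
    end: datetime


@dataclass
class Finding:
    controller: str
    first_seen: datetime
    last_seen: datetime

    @property
    def minutes(self) -> float:
        return (self.last_seen - self.first_seen).total_seconds() / 60


def _approved(reading: KeySwitchReading, windows) -> bool:
    """True if an approved window for this controller covers the reading."""
    return any(
        w.controller == reading.controller and w.start <= reading.observed_at <= w.end
        for w in windows
    )


def audit_keyswitch(readings, windows):
    """Return one Finding per contiguous run of unapproved PROGRAM readings."""
    by_ctrl = defaultdict(list)
    for r in readings:
        by_ctrl[r.controller].append(r)

    findings = []
    for ctrl, rs in sorted(by_ctrl.items()):
        rs.sort(key=lambda r: r.observed_at)
        current = None  # the finding being extended, if any
        for r in rs:
            if r.position == "PROGRAM" and not _approved(r, windows):
                if current is None:
                    current = Finding(ctrl, r.observed_at, r.observed_at)
                else:
                    current.last_seen = r.observed_at
            elif current is not None:
                findings.append(current)   # switch left PROGRAM (or window began)
                current = None
        if current is not None:            # still in PROGRAM at end of data
            findings.append(current)
    return findings


# Constructed sample data: three controllers polled over a few hours.
T0 = datetime(2017, 12, 8, 0, 0)


def _t(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


SAMPLE_WINDOWS = [MaintenanceWindow("SIS-01", _t(60), _t(180))]
SAMPLE_READINGS = [
    # SIS-01: PROGRAM only inside its approved window -> no finding
    KeySwitchReading("SIS-01", "RUN", _t(0)),
    KeySwitchReading("SIS-01", "PROGRAM", _t(90)),
    KeySwitchReading("SIS-01", "PROGRAM", _t(120)),
    KeySwitchReading("SIS-01", "RUN", _t(200)),
    # SIS-02: PROGRAM at 02:00-03:00 with no window -> one finding, 60 min
    KeySwitchReading("SIS-02", "RUN", _t(0)),
    KeySwitchReading("SIS-02", "PROGRAM", _t(120)),
    KeySwitchReading("SIS-02", "PROGRAM", _t(150)),
    KeySwitchReading("SIS-02", "PROGRAM", _t(180)),
    KeySwitchReading("SIS-02", "RUN", _t(210)),
    # SIS-03: never leaves RUN
    KeySwitchReading("SIS-03", "RUN", _t(0)),
    KeySwitchReading("SIS-03", "RUN", _t(300)),
]


def sample_findings():
    return audit_keyswitch(SAMPLE_READINGS, SAMPLE_WINDOWS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.controller}: key switch in PROGRAM outside a maintenance window "
              f"from {f.first_seen:%H:%M} to {f.last_seen:%H:%M} ({f.minutes:.0f} min)")
```

The run is reported as a span rather than as one alert per poll so that a switch left in PROGRAM overnight produces a single ticket with a duration, which is what an operator needs to decide whether it was a forgotten maintenance step or something to escalate.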

A DHS statement mentioned, “This marks the first report of a safety system breach at an industrial plant by hackers, who have in recent years placed increasing attention on hacking into utilities, factories and other types of critical infrastructure. Such attacks could allow hackers to shut down safety systems in advance of attacking an industrial plant, which could prevent plants from identifying and halting destructive attacks on those facilities.”


It is now verified that testing and development of anti-safety module cyber weapons by adversary groups has continued through 2017. Scans of energy infrastructure in North America continue to occur. It is prudent that the U.S. energy sector be familiar with current reporting on ICS-targeted malware and campaigns. An awareness of indicators, as well as of unusual and previously unreported conditions that may be observed within the U.S. energy sector, is vital to securing our sector.

John Bryk retired from the U.S. Air Force as a colonel after a 30-year career, last serving as a military diplomat in central and western Europe and later as a civilian with the Defense Intelligence Agency. Bryk holds, among other degrees, an MBA, an M.S. in Cybersecurity, and an M.A. in Business and Organizational Security Management, a combination that gives him a unique outlook on the physical and cyberthreat landscapes. As an intelligence analyst for the private-sector, he focuses on the protection of our nation's natural gas critical cyber and physical infrastructure.

The opinions expressed in this blog are those of John Bryk and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.