On December 14, 2017, industry was notified via open source reporting of an incident successfully targeting a single customer’s Triconex Tricon safety shutdown system. At least one cyber research firm stated the probable victim was in Saudi Arabia. FireEye believes the attacker’s actions inadvertently caused the shutdown while probing the system to learn how it worked, said Dan Scali, who led FireEye’s investigation. The attackers were likely conducting reconnaissance to learn how they could modify safety systems so they would not operate in the event that the hackers intended to launch an attack that disrupted or damaged the plant, he said.

DNG-ISAC issued a warning December 8th

DNG-ISAC reported that one or more groups associated with the CRASHOVERRIDE threat may be conducting intelligence in preparation for a new end-of-year attack against Ukraine. A concern exists that campaigns against energy infrastructure in Ukraine may be used as a virtual proving ground in the development of tactics, techniques, and procedures (TTPs). These TTPs, in turn, may be used against industrial control systems prevalent in other areas of the world through the use of various payload modules. The potential exists that equipment commonly used in a specific region can then be targeted by an adversary against identified infrastructure.

While CRASHOVERRIDE did not include the DNP3 module that would have been required to adversely affect industrial control infrastructure found in the U.S. energy sector, the “plug-and-play” nature of the malware indicates that the potential exists for the creation of various modular payloads. For example, CRASHOVERRIDE contained, among others, a module to attack Siemens SIPROTEC safety systems.

The advent of anti-safety malware

At a recent presentation, representatives from a partner cyber security research organization shared an analysis of a lab-created DNP3 attack payload module for CRASHOVERRIDE and described some of their testing results. As an aside during the presentation, it was discussed that attacking safety systems could be used as an enabler to a wider attack.

In the incident successfully targeting the Triconex Tricon safety shutdown system, some of the controllers entered a failsafe mode, which caused related processes to shut down and allowed the plant to identify the attack.

The modules used with the associated malware are specifically designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the key switch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and to issue commands directly to Tricon safety controllers.

A DHS statement mentioned, “This marks the first report of a safety system breach at an industrial plant by hackers, who have in recent years placed increasing attention on hacking into utilities, factories and other types of critical infrastructure. Such attacks could allow hackers to shut down safety systems in advance of attacking an industrial plant, which could prevent plants from identifying and halting destructive attacks on those facilities.”

Conclusion

While there exist no imminent, specific, directly attributable credible threats against energy infrastructure in North America, attacks against Ukraine’s energy sector have occurred each December since 2015. It is now verified that adversary groups continued testing and developing anti-safety module cyber weapons through 2017. Scans of energy infrastructure in North America continue to occur. It is prudent that the U.S. energy sector be familiar with current reporting on ICS-targeted malware and campaigns. An awareness of indicators, as well as of unusual, previously unreported conditions that may be observed within the U.S. energy sector, is vital to securing our sector.
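The key-switch precondition noted above (the payload can only be delivered while a Tricon is in PROGRAM mode) suggests a simple detective control: audit key-switch position telemetry against change-management records and alert on any PROGRAM-mode interval that is not fully covered by an approved maintenance window. This is an added example, not code from the bulletin or from any vendor; the telemetry record layout, the controller names and the approved-window list are all constructed for illustration.

```python
from datetime import datetime

# Constructed key-switch telemetry: (ISO timestamp, controller, key-switch position)
SAMPLE_EVENTS = [
    ("2017-12-01T08:05:00", "TRICON-01", "RUN"),
    ("2017-12-01T09:12:00", "TRICON-01", "PROGRAM"),  # inside an approved window
    ("2017-12-01T11:30:00", "TRICON-01", "RUN"),
    ("2017-12-03T02:47:00", "TRICON-02", "PROGRAM"),  # no approved window, small hours
    ("2017-12-03T06:00:00", "TRICON-02", "RUN"),
    ("2017-12-04T14:00:00", "TRICON-03", "PROGRAM"),  # still in PROGRAM at end of log
]

# Constructed change-management record: approved maintenance windows per controller
APPROVED_WINDOWS = {
    "TRICON-01": [("2017-12-01T09:00:00", "2017-12-01T12:00:00")],
}


def _parse(ts):
    return datetime.fromisoformat(ts)


def covered_by_window(controller, start, end=None, windows=APPROVED_WINDOWS):
    """True if the interval [start, end] lies entirely inside one approved window.
    With end=None (controller still in PROGRAM) only the entry time is checked."""
    s = _parse(start)
    e = _parse(end) if end else s
    return any(_parse(ws) <= s and e <= _parse(we) for ws, we in windows.get(controller, []))


def audit_key_switch(events, windows=APPROVED_WINDOWS):
    """Return one alert per unapproved PROGRAM-mode interval, with dwell time in minutes.
    Intervals still open at the end of the log are reported with exited=None."""
    alerts = []
    entered_program = {}  # controller -> timestamp at which PROGRAM mode was entered
    for ts, controller, position in sorted(events):  # ISO timestamps sort lexically
        if position == "PROGRAM":
            entered_program.setdefault(controller, ts)
            continue
        entered = entered_program.pop(controller, None)  # any other position ends the interval
        if entered is not None and not covered_by_window(controller, entered, ts, windows):
            dwell = (_parse(ts) - _parse(entered)).total_seconds() / 60
            alerts.append({"controller": controller, "entered": entered, "exited": ts, "dwell_min": dwell})
    for controller, entered in entered_program.items():  # left in PROGRAM: flag immediately
        if not covered_by_window(controller, entered, None, windows):
            alerts.append({"controller": controller, "entered": entered, "exited": None, "dwell_min": None})
    return alerts


if __name__ == "__main__":
    for alert in audit_key_switch(SAMPLE_EVENTS):
        print(alert)
```

In practice the event list would be fed from the controller's own key-switch status reporting or from the engineering workstation's logs, and the approved-window table from the plant's work-order system.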