The implications of TRITON for the future of ICS security

The implications of TRITON for the future of ICS securityDefault blog imageDefault blog image
22
Jan 2018
22
Jan 2018

The recent TRITON malware attack against a critical infrastructure organization sought to modify and manipulate industrial safety systems with the intention of causing potentially catastrophic physical damage. ICS systems create an interface between physical and digital environments, meaning that the repercussions of an unhandled failure can be fatal.

The TRITON campaign can be divided into two conceptual phases. First, the attackers managed to gain remote access to an engineering workstation attached to the SIS (Safety Instrumented System) network, after which they deployed a program that was masquerading as a legitimate application produced by a critical control and system safety supplier. The framework for mimicking this legitimate application is not readily available, so there is reason to believe TRITON is the creation of well-funded and highly capable actors with intentions that probably reach beyond minor monetary gains.

The attackers successfully subverted traditional network defenses. Once they had established this foothold, they opted to delve deeper into the network and perform detailed reconnaissance – the second phase of the attack. Thankfully, they accidentally triggered a partial system failure which the internal security team investigated and remediated.

Having failed to achieve their ultimate goal, the attackers will likely be evaluating where they went wrong, so that next time they don’t give themselves away at such a late stage. They may also be considering whether that reconnaissance step is worthwhile, as clearly, they were capable of significant sabotage from that location without any further chances to be caught. Their success in penetrating the network as far as they did undetected with their current tools and methods means that they will almost certainly use them against other organizations.

TRITON should be considered a significant precedent for ICS security. What this incident shows is that traditional demilitarized zones, heavy network segregation and multiple firewalls are definitively not sufficient to protect the essentially defenseless machines that make up ICS networks. How then should infrastructure providers adjust their security postures in the light of the TRITON attack?

With regards to the second phase, anomaly detection is a clear solution for pinpointing unusual activity within the control system, highlighting unexpected reprogramming or reconnaissance for the security team’s attention. The typically predictable communications made between ICS devices such as HMIs and PLCs are intuitively a fertile ground for this type of approach. Regulators have taken notice, and in the UK for example the incoming NIS Directive legislation mandates that critical infrastructure providers have anomaly detection for their relevant networks.

However, defenders do not want their first opportunity to catch the attacker to be when they have already reached the control system and are making use of automation protocols and exploiting inherently vulnerable devices. They want to be alerted to the earlier parts of the cyber kill chain, as the attacker makes their way towards these networks, and be able to remediate them there instead. This can only be achieved by extending the anomaly and cyber-threat detection outwards from the control system through the other networks (demilitarized zones, corporate) that can form defensive buffers around it.

This is why Darktrace’s Industrial Immune System is designed to monitor all of these networks simultaneously, embracing the full range of device types from PLCs out through the nearly standard IT systems in OT control rooms, and all the way to the edge of the organization’s possible visibility – even into the cloud if need be. It is not sufficient for those tasked with protecting control system to monitor just the automation protocols or the networks that contain them.

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Andrew Tsonchev
VP of Technology

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.

share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
The implications of TRITON for the future of ICS security
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
For more information, please see our Privacy Notice.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out this article by Darktrace: The implications of TRITON for the future of ICS security