By Robert McMillan
Hackers who attacked a petrochemical plant in Saudi Arabia last
year gained control over a safety shut-off system that is critical
in defending against catastrophic events, according to security
researchers shedding light on what they describe as a new type of
cyberattack.
Security firms first disclosed the attack last month, but now
the company that makes the emergency shut-off system, Schneider
Electric SE, has analyzed code used in the attack and determined
its purpose.
The malicious software, dubbed Triton, was able to manipulate
Schneider devices' memory and run unauthorized programs on the
system by leveraging a previously unknown bug, said Andrew Kling, a
director of process automation cybersecurity with Schneider
Electric.
"It gives the attacker the ability to control what a safety
system will do in the event of an emergency," Mr. Kling said. The
company would not say how long the plant was compromised.
The 2017 attack represents a new phase in the increasingly
worrisome attacks on control-system computers used to manage
factory floors, chemical plants and utilities. The best-known such
attack, called Stuxnet, discovered in July 2010, manipulated the
industrial-control systems that run nuclear centrifuges, and
programmed the machines to destroy themselves.
Stuxnet was a joint effort by the U.S. and Israeli governments
designed to disrupt Iran's nuclear program. The Triton code's
objective isn't clear, but it appeared to be a work in progress,
according to the security firms that analyzed it.
The Triton code targets safety-instrumented systems, a different
type of machine from the industrial controllers targeted by
Stuxnet. These systems act as one of the last lines of defense when
plant floors face dangerous situations that could lead to
explosions or spills.
"This is really the first breach of that safety protection
layer," said Marty Edwards, managing director with Automation
Federation, a trade group for industrial-systems professionals. "If
the basic control system gets hacked, the safety system is supposed
to protect you."
Once attackers have perfected a Triton-type attack, the "logical
next step" would be to combine it with a Stuxnet-type attack in
order to disrupt a plant and its safety back-up systems, said Rob
Lee, chief executive of the cybersecurity firm Dragos Inc.
The Triton attackers were able to reprogram a 16-year-old
version of a Schneider product, known as a Tricon TMR, after
gaining access to an engineering workstation, according to the
cybersecurity firm FireEye Inc., which was hired to investigate the
hack.
From the workstation, the Schneider devices can be reprogrammed
when a switch on the front of the device is set to "program," Mr.
Kling said. Schneider advises customers not to leave the switch set
to "program."
Schneider and FireEye declined to name the victim of the attack.
The attack occurred in Saudi Arabia, according to Mr. Lee.
Representatives from the Saudi Arabian consulate in the U.S.
didn't immediately respond to a request for comment.
Although the Triton code wouldn't work on newer versions of the
Tricon devices, there are thousands of older devices being used,
Mr. Kling said. Schneider is now developing a fix for its older,
vulnerable devices, Mr. Kling said.
Schneider learned of the incident Aug. 4, when a customer in the
petrochemical industry called to report one of the company's
systems had "tripped," prompting a plant shutdown, Mr. Kling
said.
The shutdown, which caused Schneider and others to investigate,
turned out to be a lucky break. It was prompted by a bug in the
Triton code, Mr. Kling said. "The attackers messed up, which caused
the system to fail," he said.
The motivation behind the attack isn't clear, but it could have
been used for a range of activities, from stealing intellectual
property to something much worse, Mr. Kling said. "You can let your
mind run as far as a Hollywood scriptwriter would run," he said.
The software is extremely difficult to detect, said Mr. Lee.
Plant owners who learn they have been hacked won't necessarily know
whether their safety-instrument system code was altered without
taking apart the system, he said.
Some details of the attack remain unclear. Mr. Kling declined to
say, for example, how the attackers were able to access the
petrochemical company's engineering station.
The attack was likely planned more than a year earlier, said
Marina Krotofil, an analyst with FireEye. The company's analysis
shows the malicious code found on the Schneider device was first
developed in June 2016, and the research required to write it would
have begun months before that, she said.
Triton's authors were a "sophisticated group," said Mr. Lee.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
January 18, 2018 14:55 ET (19:55 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.