Number: AL17-015
Date: 21 December 2017
Purpose
The purpose of this alert is to bring attention to a recent and publicly disclosed incident involving an unexpected shutdown of an industrial processing plant.
Assessment
The incident has revealed malicious code specifically crafted to compromise the operation of Schneider Electric Triconex industrial safety controllers. Publicly available sources and media reports indicate that this malicious code has been identified under the names TRITON, TRISIS and HatMan.
While there is currently no information indicating that the activity associated with this incident is widespread, an attacker with access to the industrial safety network could deploy and execute malicious code against these controllers. Applying the manufacturer's security guidance should sufficiently mitigate this risk.
Network segmentation and strict authentication and access controls should be in place wherever process controls and their safety systems are deployed. The same applies to automation and other types of controls, as their communication protocols often lack the authentication and integrity controls needed to prevent replay attacks and counterfeit messages on the network.
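The following added example (not part of the original alert, and not the TriStation protocol or any other real ICS protocol) illustrates why the lack of protocol-level authentication and integrity makes network access the critical control. A constructed, unauthenticated write frame is accepted by the controller whether it is legitimate, replayed or forged by any host on the same segment; a hypothetical hardened variant that adds an HMAC-SHA256 tag and a strictly increasing sequence number rejects the replayed, forged and tampered frames. Frame layout, opcode values and the key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed toy protocol (NOT TriStation or any real ICS protocol).
# Payload: 2-byte opcode, 2-byte register, 4-byte value, big-endian.
OP_WRITE = 0x0010
PAYLOAD_FMT = ">HHI"
TAG_LEN = 32  # SHA-256 digest length


def build_legacy_frame(opcode, register, value):
    """Frame for the unauthenticated protocol: nothing but the payload."""
    return struct.pack(PAYLOAD_FMT, opcode, register, value)


def legacy_controller_accepts(frame):
    """A controller on a protocol without authentication checks framing only,
    so it cannot tell a legitimate write from a replayed or forged one."""
    if len(frame) != struct.calcsize(PAYLOAD_FMT):
        return False
    opcode, _register, _value = struct.unpack(PAYLOAD_FMT, frame)
    return opcode == OP_WRITE


def build_authenticated_frame(key, seq, opcode, register, value):
    """Hypothetical hardened frame: 4-byte sequence number, payload,
    then HMAC-SHA256 over (seq || payload)."""
    body = struct.pack(">I", seq) + struct.pack(PAYLOAD_FMT, opcode, register, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedController:
    """Verifies the tag first (forgery/tampering), then the sequence number
    (replay). State is per controller, as a real device would keep it."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accepts(self, frame):
        if len(frame) != 4 + struct.calcsize(PAYLOAD_FMT) + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # counterfeit or modified message
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return False  # replay of an earlier message
        self.last_seq = seq
        return True


def demo():
    """Returns (legacy_results, authenticated_results) for the same attacks."""
    key = b"constructed-demo-key"  # assumed shared secret for the demo

    legit = build_legacy_frame(OP_WRITE, 0x0001, 1)
    forged = build_legacy_frame(OP_WRITE, 0x0001, 0)  # attacker writes 0
    legacy = {
        "legit": legacy_controller_accepts(legit),
        "replay": legacy_controller_accepts(legit),
        "forged": legacy_controller_accepts(forged),
    }

    ctrl = AuthenticatedController(key)
    good1 = build_authenticated_frame(key, 1, OP_WRITE, 0x0001, 1)
    good2 = build_authenticated_frame(key, 2, OP_WRITE, 0x0001, 1)
    # Flip one bit of the value field in good2 without recomputing the tag.
    tampered = good2[:11] + bytes([good2[11] ^ 0x01]) + good2[12:]
    authenticated = {
        "legit": ctrl.accepts(good1),
        "replay": ctrl.accepts(good1),
        "forged": ctrl.accepts(
            build_authenticated_frame(b"wrong-key", 2, OP_WRITE, 0x0001, 0)
        ),
        "tampered": ctrl.accepts(tampered),
        "next_legit": ctrl.accepts(good2),
    }
    return legacy, authenticated


if __name__ == "__main__":
    for name, results in zip(("legacy", "authenticated"), demo()):
        print(name, results)
```

The legacy controller accepts all three frames, which is the situation the alert describes: once an attacker is on the safety network, the protocol offers no defence, so segmentation and access control have to do that job. The hardened variant shows what the protocol itself would need to provide, but retrofitting it to deployed safety controllers is rarely an option, which is why the vendor guidance below concentrates on isolation and physical controls.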
ICS-CERT has released a Malware Analysis Report (MAR-17-352-01 HATMAN) which outlines the tactics, techniques and procedures associated with the malicious code. ICS-CERT notes that although the malicious code “does not do anything catastrophic—safety systems do not directly control the process, so a degraded safety system will not cause a correctly functioning process to misbehave—it could be very damaging when combined with malware that impacts the process in tandem.”
Suggested Action
Schneider Security Recommendations
Schneider Electric recommends customers follow the instructions contained in the “Security Considerations” section within the Planning and Installation Guide for each respective Triconex controller (Tricon, Trident, Tri-GP), which include the following:
- Safety systems must always be deployed on isolated networks using zones and conduits as defined in IEC 62443.
- Physical controls should be in place so no unauthorized person has access to the plant, equipment rooms, safety controllers, safety peripheral equipment or the safety network.
- All controllers should reside in locked cabinets and never be left in the “Program” mode.
- All TriStation terminals (Triconex programming software) should be kept in locked cabinets and should never be connected to any network other than the safety network.
- All methods of mobile data exchange with the isolated safety network, such as CDs, USB drives, etc., should be scanned before use in the TriStation terminals or any node connected to this network.
- Laptops that have been connected to any network other than the safety network should never be allowed to connect to the safety network without proper sanitization.
- Operator stations should be configured to display an alarm whenever the Tricon keyswitch is in the "Program" position; the key should be removed and secured when not in use.
- Enhanced security features in TriStation, as well as the Triconex communication modules, should be enabled.
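The recommendations above translate into a small number of monitoring checks. The following added example (not part of the original alert and not a Schneider Electric or ICS-CERT tool) runs two such checks over constructed log records: it flags any engineering-protocol session to a safety controller from a host that is either outside the safety zone or not an approved TriStation terminal, and it raises an alarm for every keyswitch transition into Program mode and for any controller still in Program mode at the end of the log. The address ranges, host lists, log field names and the port number are all assumptions for the demonstration and must be replaced with values verified against your own network and protocol documentation.

```python
import ipaddress
import re

# Assumed site layout for the demonstration (replace with your own).
SAFETY_NET = ipaddress.ip_network("10.20.30.0/24")        # isolated safety zone
ENGINEERING_WORKSTATIONS = {"10.20.30.10"}                # approved TriStation terminal(s)
SAFETY_CONTROLLERS = {"10.20.30.100", "10.20.30.101"}      # safety controllers
ENGINEERING_PORT = 1502  # assumed programming-protocol port; verify for your site

# Constructed sample records in a hypothetical key=value log format.
# The field names are assumptions, not a real product's log schema.
SAMPLE_LOGS = """\
ts=2017-12-20T08:01:02Z type=conn src=10.20.30.10 dst=10.20.30.100 dport=1502 proto=udp
ts=2017-12-20T08:01:05Z type=conn src=10.20.30.55 dst=10.20.30.100 dport=1502 proto=udp
ts=2017-12-20T08:01:07Z type=conn src=192.168.5.23 dst=10.20.30.101 dport=1502 proto=udp
ts=2017-12-20T08:01:09Z type=conn src=10.20.30.55 dst=10.20.30.100 dport=502 proto=tcp
ts=2017-12-20T08:02:00Z type=keyswitch controller=10.20.30.100 position=PROGRAM
ts=2017-12-20T08:02:30Z type=keyswitch controller=10.20.30.100 position=RUN
ts=2017-12-20T08:03:00Z type=keyswitch controller=10.20.30.101 position=PROGRAM
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def analyze(log_text):
    """Return a list of (timestamp, rule, detail) alerts for the log text."""
    alerts = []
    in_program = {}  # controller -> timestamp of the PROGRAM event not yet cleared

    for line in log_text.splitlines():
        rec = parse(line)
        kind = rec.get("type")

        if kind == "conn":
            src = ipaddress.ip_address(rec["src"])
            dst = rec["dst"]
            # Only engineering-protocol sessions to safety controllers are in scope.
            if dst not in SAFETY_CONTROLLERS or int(rec["dport"]) != ENGINEERING_PORT:
                continue
            if src not in SAFETY_NET:
                # Traffic crossed the zone boundary: segmentation has failed.
                alerts.append((rec["ts"], "zone_boundary_violation", f"{src} -> {dst}"))
            elif str(src) not in ENGINEERING_WORKSTATIONS:
                # Inside the zone but not an approved TriStation terminal.
                alerts.append((rec["ts"], "unauthorized_programming_source", f"{src} -> {dst}"))

        elif kind == "keyswitch":
            ctrl = rec["controller"]
            if rec["position"] == "PROGRAM":
                in_program[ctrl] = rec["ts"]
                alerts.append((rec["ts"], "keyswitch_program_mode", ctrl))
            else:
                in_program.pop(ctrl, None)

    # Anything still in PROGRAM when the log ends deserves a separate alarm.
    for ctrl, ts in in_program.items():
        alerts.append((ts, "keyswitch_left_in_program", ctrl))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOGS):
        print(ts, rule, detail)
```

The zone-boundary rule should never fire on a correctly segmented safety network; if it does, the finding is about the segmentation, not only about the single session. The keyswitch rules assume the controller's keyswitch position is visible to the operator station or historian; where it is not, the alarm has to be sourced from the controller's own diagnostics.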
References:
- https://www.schneider-electric.com/en/download/document/SEVD-2017-347-01/
- https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware
- https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
- https://dragos.com/blog/trisis/TRISIS-01.pdf
- https://dragos.com/blog/trisis/index.html?optin=no