Re-emergence of TRITON malware elevates threat levels at critical energy infrastructure installations

With the resurgence of the TRITON malware and as these threats reach the industrial control systems (ICS) and supply chain frameworks, there is once again an enhanced need for critical infrastructure asset owners and operators to improve asset visibility, strengthen network access, and bolster overall organizational cybersecurity position. The amelioration of the threat landscape once again calls upon the ICS community, especially at critical energy infrastructure installations, to pull up their socks and be mindful of the risks posed to safety instrumented systems (SIS) and other control systems. 

TRITON is a custom-built, sophisticated, multi-stage malware that affects Schneider Electric’s Triconex Tricon, a safety programmable logic controller (PLC), also referred to as an SIS, which monitors industrial processes to prevent hazardous conditions. TRITON is capable of directly interacting with, remotely controlling, and compromising these safety systems. As these systems are used in a large number of environments, the capacity to disable, inhibit, or modify the ability of a process to fail safely could result in physical consequences.

The U.S. Department of Justice (DOJ) has publicly attributed TRITON malware to TsNIIKhM, a Russian government-controlled research institution that supports the Russian armed forces with advanced research, weapons, and cyber capabilities. In 2017, the Russians targeted a Saudi oil refinery using destructive malware. Subsequently, between February and July 2018, the conspirators researched similar refineries in the U.S., which were owned by a U.S. company, and unsuccessfully attempted to hack the U.S. company’s computer systems, the DOJ indictment added.

Analyst firm McKinsey expects on-demand access to ubiquitous data and information platforms to grow as hackers adopt artificial intelligence (AI), machine learning, and other technologies to launch increasingly sophisticated attacks over the next three to five years. In addition, the growing regulatory landscape and persistent gaps in resources, knowledge, and talent will outpace cybersecurity. Such projections require the critical infrastructure sector to carry out the appropriate actions.

Industrial Cyber contacted experts in the field about the implications of the recent reveal of U.S. security agencies and the Department of Energy about the TRITON malware and the fact that the intrusion ‘will likely continue’ threatening the energy sector. 

The Federal Bureau of Investigation (FBI) advisory of Mar. 24 states that the group responsible for the deployment of TRITON malware ‘continues to conduct activity targeting the global energy sector.’ The agency, along with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy made public historical data based on the multiple intrusion campaigns carried out by the state-sponsored Russian group from 2011 to 2018 against the energy sector. 

Assessing why the agencies have not released the TTPs (Tactics, Techniques, and Procedures) currently used by the state-sponsored Russian hackers targeting the critical energy infrastructure sector, Klaus Mochalski, founder and CEO of Rhebo, told Industrial Cyber that “this is for the FBI to answer.” 

“It is very likely to protect current intelligence, threat monitoring, and counter-measurements,” according to Mochalski. “In general, the documented TTPs are aligned with the up-to-date MITRE ATT&CK framework. And it’s very likely that adversaries use the same TTPs in terms of how to get what they want. It’s only the malware and specific tools that might differ. And those tools might still be unclear or not named by the FBI for strategic reasons,” he added.

“This is a good news/bad news situation,” Matt Hayden, senior vice president of government technology solutions at Exiger, told Industrial Cyber. “Good news is that there aren’t any new TTPs that aren’t in the hands of the defenders. What is known has been briefed and shared far and wide. The bad news is that historical tactics are still dangerous as bad actors look to implement them in additional and previously unseen environments,” he added.

“I don’t have any factual data as to why the TTP specifics remain sealed, but if I were to speculate on the reasons, it would be due to the sensitive nature of Bulk Electric System (BES) Critical Energy Infrastructure Information (CEII), per NERC CIP standards which specify the protection measures enforce for CEII,” Dick Brooks, co-founder and lead software engineer at Reliable Energy Analytics, told Industrial Cyber. “In other words, could a party describe the TTPs in enough detail without revealing CEII? I’m speculating the NERC CIP CEII protections may be playing a role in keeping the information sealed,” he added. 

The FBI warns the industry that ‘based on the attack framework and malware used in the original TRITON incident, a similar attack could be designed against other SIS.’ Analyzing the other possibilities, including the level of preparedness of ICS networks of the critical energy infrastructure sector to deal with such attacks and how quickly can sure effort be ramped in the operational environment, Mochalski pointed to the MITRE ATT&CK frameworks that outline a set of different possibilities and all of them are valid options for adversaries. 

“Though, the incidents of the past years (Crashoverride, NotPetya, SolarWinds, Log4Shell) have shown that it’s very likely that adversaries will focus on three strategies. Firstly, getting access via spearphishing (like with Crashoverride),” according to Mochalski. “This is particularly difficult for detection and mitigation efforts since adversaries will act through authorized channels.” 

Secondly, “identifying and exploiting zero-day vulnerabilities (like with Log4Shell). Zero-day vulnerabilities are very likely in industrial components and systems since they basically are ‘insecure by design,’” Mochalski said. “There is a very good chance for adversaries to find and exploit vulnerabilities in the operational technology long before any of the vendors knows of it, patches it and even longer before the affected company installs the patch,” he added. 

Thirdly, “compromising the supply chain (as seen with NotPetya and the SolarWinds incident),” Mochalski said. “The dependencies and high complexity of industrial systems have made the supply chain a prime target for attacks. Cybersecurity of a company is only as strong as the weakest link within its entire supply chain for digital assets,” he added.

Mochalski also added that for all three attack vectors, common ICS networks are not well prepared. “There might be some network segmentation as well as some firewalls or even data diodes in place. But since all three options outlined above bypass those measures, the ICS is an open playground for adversaries,” he said.

SIS systems have a very important role to protect from environmental variables getting dangerously out of range, Hayden said. “If those trusted platforms could be altered, then the system will become a tool of the adversary and reverse its safety role. Most ICS and SIS protection strategies start with network segmentation and restricting access to the ICS SIS system that may have challenges with being hardened,” he added. 

Network operators of ICS have the tools to protect their systems, but if they are not using network segmentation, they are operating without a net and should have extra attention, Hayden pointed out. 

Addressing the issue of how quickly efforts can be ramped in the operational environments, Hayden said that “protection efforts will increase in scale with modernization efforts. Have to get the modern trust systems and devices that had additional security and monitoring by design, vs older devices and systems which had a pure operational focus. Investment such as the recent Infrastructure Bill provided a great incentive to put modern security-based devices in the wild and at a quicker pace,” he added.

“The impacts from a cyber event range from minimal impact, where defensive measures contain an attacker from expanding their attack to much more severe impacts,” Brooks said. “In the case of a safety protection system (SPS), which is designed to protect life and prevent damage to equipment and the environment, the impact could be catastrophic. This is where Consequence-driven Cyber-informed Engineering (CCE) can help a party identify high impact scenarios that demand the most protective measures to limit damages and prevent fatalities,” he added. 

ICS technologies used in the electric system frequently have ‘fail-safe’ modes that activate autonomous controls designed to prevent a catastrophic event from occurring, according to Brooks. “A simple circuit breaker is an example of an autonomous safety protection device that many people can relate to,” he added. 

Exploring the unique challenges faced by organizations in the critical energy infrastructure sector, and how these enterprises work towards adapting to address the threats and close the gaps in the SIS, as the FBI observes that these ‘safety systems will likely continue to be targeted by sophisticated cyber actors,’ Mochalski mentioned that “what makes it even more challenging for the critical energy infrastructure sector is that a) component and infrastructure lifecycles are very long so security upgrades or just updates take ages, and b) most companies lack the resources in terms of know-how and personnel.”

“As the FBI pointed out in its advisory, Russia (and probably other state-sponsored adversaries) have been penetrating energy sector IT/OT in large-scale, long-term campaigns since 2011,” according to Mochalski. “It’s actually very likely that most networks have long been compromised, that the digital explosives have been put in place, and that the adversaries are just waiting for the command to push the button,” he added.

“Nonetheless, critical energy infrastructure companies still have a chance to get the upper hand. And – as we know and see from our customers in Europe – they do,” Mochalski said. “They recognize the fact that they might already be compromised – or at least that the perimeter defense alone (i.e. firewalls) is not sufficient. That there is no 100% security. They recognize the fact that the fight against cyberattacks doesn’t stop at the perimeter but continues within the OT (and IT) network. So they start to implement defense-in-depth by adding continuous OT security monitoring with integrated intrusion and threat detection (i.e. anomaly detection) to their arsenal,” he added. 

By that they establish visibility within their OT as well as the capability to detect any abnormal behavior of ICS and OT components that could affect the critical operation, Mochalski said. “And since personnel resources are scarce in most critical energy infrastructure companies, we generally support them with the integration and operation of the OT monitoring and anomaly detection as well the analysis of anomalies and mitigation tactics. That way they can learn on the job and build their own knowledge base,” he added.

“Work with cloud operating environments has taught us all that the bad actors will target trusted systems,” Hayden said. “Unlike authentication or other cloud trusted systems that can allow lateral movement within an environment if compromised, SIS compromise can use safety controls against an environment to cause physical failure or other negative outcomes,” he added. 

Critical Infrastructure operations must confirm the tools to monitor and maintain the SIS systems just as they would an authentication platform, and playbook their response to compromise and how to reduce downtime when/if their SIS system is involved in an incident, according to Hayden. “CISA and federal resources are available to help, but it starts with using tools to harden what you can and segmentation to add an air gap for everything that operates in that network,” he added.

“A significant percentage of US critical infrastructure is operated by small and medium-sized organizations, frequently employing less than 100 people, especially in smaller communities with municipal utility operations,” Brooks identified. “These smaller operators have the same type of safety protection systems within their ICS environments as larger operators and may be more vulnerable than a larger organization. Frequently, these smaller entities lack the cybersecurity skills and staff needed to keep up with the pace of threats and vulnerabilities coming from the hacker community,” he added. 

The hacker community knows these smaller entities are more vulnerable and easier targets to attack, Brooks said. “Smaller operators need help and this is where CISA becomes a valuable partner. CISA has resources and some free services available that can help critical infrastructure operators implement proper cybersecurity controls,” he added.

Brooks also touched on the availability of resources. He recommends that “critical infrastructure operators visit the CISA Critical Infrastructure website to view the resources available and reach out to their local CISA regional office for assistance. CISA’s infrastructure dependency primer is a good place to start learning about CISA’s resources for critical infrastructure operations. I attended a CISA Region 2 (New York) presentation on 3/23/2022 to electric grid operators in the Northeast US and Canada that provided some useful insights on the CISA services available, which also included insights into the new cyber-reporting requirements of the recently signed Strengthening American Cybersecurity Act of 2022,” he added. 

“Help is available; reach out,” Brooks concluded.