Preventing cyber attacks against process, oil and gas safety systems

An attack that shut down a gas facility in Saudi Arabia last August could have been prevented if proper security hygiene was in play.

In that attack, the Saudi critical infrastructure user suffered a shutdown of its facility and the controllers of a targeted Triconex safety system failed safe. During an initial investigation security professionals noticed there were some suspicious things going on and that is when they found malware. The safety instrumented system (SIS) engineering workstation was compromised and had the Triton malware deployed on it. The distributed control system (DCS) was also compromised. It is possible to envision an attack where the attacker had the ability to manipulate the DCS while reprogramming the SIS controllers.

"Could the attack have been stopped? The answer is yes," said Gary Williams, senior director of technology, cybersecurity and communications at Schneider Electric during his talk last week at PAS 2018 Optics conference in Houston, TX. "Segmentation could help. Every time you bypass one, you increase risk."

"The attacker wasn’t at the company, not even in the country, Williams said. "The attack was highly sophisticated, focused on that one company and was not self-replicated. The Triton attack we believe was to create a catastrophic event. The attacker was able to get into the DMZ, then the process area and then into the safety system."

Attack details

The attack occurred August 4, 2017, where there was an unexplained emergency shutdown at the end user site.

A detailed investigation revealed multiple security lapses that enabled a sophisticated random access Trojan (RAT) malware attack across the DCS, the SIS and workstations. At that time, the safety system, after the attacker made some mistakes, detected an anomaly and safely shut the system down. No one is really sure right now if the shut down was the result of a direct attack or the attacker still conducting surveillance and getting sloppy and making a mistake. Either way, the system safely shut down the facility.

No matter the intent, this was a highly-targeted attack, Williams said.

He added the malware could only be successfully loaded if several conditions were present, including:

• The site must be using specific model of controller running specific version of firmware
• The safety network must be accessible either locally or remotely
• Attackers must have access to the SIS terminal or other machines connected to safety network

Ramifications of Triton extend far beyond the specific attack. Plus, some questions still remain.

While Williams did not discuss this during his talk, questions remain open about the attack like what was the true intended target? What were the motivations? The attackers did get into the safety system, but they also got into the DCS and what were they going after there?

Basic security rules, principles

To help avoid attacks, Williams said users should follow some basic security principles to ensure a solid security profile:

• There needs to be a risk-based defense-in-depth
• Need to follow standards and practices
• Follow vendor guidelines and practices
• Make cybersecurity part of the whole lifecycle
• Identify, minimize and secure all network connections to automation systems
• Improve product security across supply chain and development process
• Collaborate to improve standards, applications, and ease of implementation
• Educate all personnel involved in the operation, maintenance, engineering and support of automation systems
• Engage industry resources to step up and develop a pervasive cyber culture and constantly innovate
• Implement those cybersecurity practices, policies and procedures
• Remember this is all about collaboration.

When talking about security, it is all about people, process, and technology.

"Investing in people is the best return you will ever get," Williams said. "Our industry is under assault. We have a duty to respond to Triton which requires everyone to work together. We are trying to protect the people at the plant, the plant, and the area around the plant."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.

ONLINE extra

See related stories from ISSSource linked below.

Original content can be found at www.isssource.com.

Do you have experience and expertise with the topics mentioned in this content? You should consider contributing to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.