Cyber Attack Highlights Risks to Industrial Control Systems and Potential for Real-World Consequences
A recent cyber attack at an unnamed critical infrastructure location consisted of malware capable of causing real-world physical damage, according to a report released by the security firm FireEye. While forensic investigators have not publicly attributed the incident to a specific threat actor, FireEye believes “the activity is consistent with a nation state preparing for an attack.” Operators of Industrial Control Systems (ICS) should review their cyber posture in light of this and similar attacks. While senior officials promise “swift and costly consequences on foreign governments” and others who perpetrate “significant malicious cyber activities,” attribution is difficult and policymakers expect those controlling critical infrastructure and other companies to secure their operations.
The malware identified in the investigation, which is being called “Triton,” targeted a safety instrumented system (SIS), which is a type of ICS or Operational Technology (OT). SIS is commonly used by critical infrastructure operators to prevent unsafe conditions and provide emergency shutdown capabilities. Operators use these systems to interact with physical equipment or processes and automatically shut down in order to prevent life-threatening accidents, for example, by monitoring and responding to high temperature or pressure readings.
After obtaining remote access to a system workstation, such as a computer connected to the SIS equipment or device, the attackers deployed the Triton malware which reprogramed the industrial controls in order to modify the behavior of the SIS equipment.
FireEye “assess[es] with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations.” The inadvertent outage likely occurred while the attackers were performing reconnaissance on the system.
Attribution of such efforts is notoriously difficult and sensitive. The United States publicly attributed the WannaCry attack to North Korea on December 18, 2017, many months after it was launched. In concluding that a nation-state or nation-state affiliated actor is likely responsible for this attack on the SIS, FireEye weighed:
- The affected system’s sensitivity;
- The sophisticated technical resources necessary to test and launch such an attack;
- A lack of clear monetary motive or benefit to the hackers; and
- The potential for a “high-impact attack with physical consequences.”
With those factors in mind, FireEye believes the attack did not stem from a criminal organization or independent actor.
Hacks on critical infrastructure operators and ICS have been of increasing concern and this latest claimed attack on SIS equipment represents an apparent escalation. This present threat should also be viewed with historical context. In 2015 and 2016, attacks on the Ukrainian power grid resulted in prolonged power outages, and the Stuxnet worm, which was uncovered in 2010, targeted Supervisory Control and Data Acquisition (SCADA) systems.
Additionally, there have been reports of nation-state affiliated groups engaging in longer term intrusions of critical infrastructure ICS. And although those intrusions may not have resulted in disrupted or disabled operations, the Triton malware shows that capability is being explored and could be exploited.
Fortunately, the Triton malware featured in the attack was not used to its full potential. However, the implications of Triton remain troublesome. The likely intent was to cause an eventual failure in the system’s ability to detect and prevent unsafe conditions, which could have life-threatening consequences.
Critical infrastructure owners and operators continue to face the daunting task of securing their industrial controls, including—as evidenced by the Triton malware—systems that interact with physical environments, against sophisticated and unpredictable attackers. Regulators and policymakers are concerned about the security of ICS and will continue to look at ways to assure security.
 White House, 2017 National Security Strategy of the United States of America at 13 (Dec. 18, 2017).
 Thomas Bossert, It’s Official: North Korea Is Behind WannaCry, The Wall Street Journal (Dec. 18, 2017).