Trisis ICS malware was publicly available after attack

The malware used in an industrial control system attack in December has been found circulating publicly on the internet after being copied from an online database.

The Trisis industrial control system (ICS) malware was first disclosed by FireEye’s Mandiant threat research team on Dec. 14, 2017 after an attack on an unknown organization. The malware specifically targeted the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric and has been called either Triton or Trisis because of this. One week after the initial reveal by Mandiant, Schneider Electric reportedly posted a file containing sensitive pieces of the Trisis malware framework to VirusTotal — an antivirus scan database owned by Google — on Dec. 22nd.

Cyberscoop, which first reported the story, said Schneider Electric quickly received a notice to remove the file from VirusTotal, but before the file could be removed it had already been copied and reposted to other code repositories like GitHub and has been freely available ever since.

Although the Trisis framework accidentally posted by Schneider Electric by itself would not be enough to recreate the ICS malware, the main Trisis executable — Trilog.exe — had also been published.

Paul Brager Jr., technical product security leader at Baker Hughes, based in Houston, Texas, and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said “it is highly conceivable that variants of Trisis could surface that are tailored toward control systems by Siemens, Rockwell Automation, Honeywell or other digital industrial manufacturers.”

“Because most control environments are not homogenous, patching one series of vulnerabilities for a particular manufacturer does not necessarily lessen the exposure to the infrastructure from something like Trisis, or a variant therein,” Brager told SearchSecurity. “What we are seeing is an effort to engage control systems not only at the constituent components, but the underlying systems that seek to manage those control environments. Just as Trisis was written to target a specific Schneider SIS, there is nothing preventing nation-state actors with the means and resources to refashion Trisis to target any SIS or other ICS subsystem with vulnerabilities that can be exploited.”

Eddie Habibi, founder and CEO of PAS Global, an ICS cybersecurity company headquartered in Houston, Texas, said the problem is that “there are two speeds in ICS cybersecurity — industry speed and hacker speed.”

“Hackers can move much more quickly than industry. Industry may not patch a system for months or ever, depending on assessed risk,” Habibi told SearchSecurity. “Although this may sound ominous, industry does have safeguards in place that protect reliability and safety. The problem is that hackers are learning more about these systems and how to manipulate them as we saw in the Trisis attack.”

Bryan Singer, director of industrial cybersecurity services at IOActive, the cybersecurity company headquartered in Seattle, Wash., said the threat of Trisis being repurposed may not have sunk in with organizations.

“Wake-up calls haven’t woken anybody up. In watershed moments such as Equifax, Target and Triconex, everyone freaks out but doesn’t do anything,” Singer told SearchSecurity. “We’ll see a lot of the same here — people like to dismiss the threat and think it won’t happen because they’re not being targeted. IT proves this completely untrue. There are far too many attack mechanisms to say it won’t happen to us.”

ICS patching issues

Experts noted that if organizations don’t fully recognize the threat, it may be even more difficult to harden security because of the inherent differences in patching ICS.

Brager noted that patching in ICS environments can be especially tricky since “many of the components, applications, and services are proprietary and highly interdependent.”

“Because of the critical process potential of ICS systems and their components, significant testing is usually required to ensure that an applied patch yields an expected outcome and does not interfere with, or degrade in any fashion, the operations of the control system,” Brager said. “This requirement and diligence typically extends out the patching cycle within [operational technology (OT)] environments, often months, and ultimately depends on the ability to patch and the resource availability to do so.”

Emily Miller, director of national security and critical infrastructure programs at Mocana, and formerly the chief of process management for the DHS ICS Cyber Emergency Response Team, said the flaws that allowed the Trisis attack were not an inherent vulnerability in the device, but “due to poor cyber hygiene.”

“In operational environments patching is tricky business — remember, in OT we’re talking about devices that control physical processes that can impact lives, not just bits and bytes of data,” Miller told SearchSecurity. “Quickly patching devices, as you would expect to see in an IT environment, can have real, catastrophic consequences in an operational environment.”

ICS defense

Brager said that traditionally ICS systems are kept isolated from external networks but growing interconnectivity is making security more difficult.

“For many years, ICS environments were largely thought to be physically and logically isolated from other networks and/or environments. Connectivity was largely a function of interconnected buses and short-run links that allowed communication through a closed loop architecture,” Brager said. “Network enablement of components within ICS expanded the threat landscape exponentially, as systems that were not originally designed to be internet/network facing, suddenly were — and the facilities needed to patch these devices were largely immature and arduous.”

Habibi agreed that isolating ICS is no longer a sufficient security strategy.

“After years of reconnaissance, the bad guys have shown they can penetrate those defensive layers, bridge the illusory air gap, and take deliberate control over process. CRASHOVERRIDE did not need a vulnerability to bring down power in the Ukraine — only ICS and process knowledge that had been built over time,” Habibi said. “A successful Trisis-like attack, under certain circumstances, can lead to a catastrophic accident. Consider a scenario where a skilled malicious attacker breaches a Triconex system, which is designed to safely shut down a reactor in a fluid catalytic cracking unit in a refinery, by bypassing the trip function. This simple change could act as a time bomb and remove the failsafe that ultimately protects the plant from a catastrophic event.”

Miller said the Trisis attack is “more evidence that we need to start approaching this problem differently.”

“Rather than continuing to chase vulnerabilities and trying to implement an IT approach to OT security, we should instead think about how we can make critical devices inherently secure and more difficult for hackers to gain access,” Miller said. “Without access to an ICS device, hackers cannot begin to take advantage of a vulnerability. Certainly, defense in depth methodologies and good cyber hygiene are a part of the solution, but what happens when those techniques fail, and the actors can remotely access a device and potentially manipulate it?”

Author: administrator