https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/
By Martin Giles
MIT Technology Review
March 5, 2019
As an experienced cyber first responder, Julian Gutmanis had been called plenty
of times before to help companies deal with the fallout from cyberattacks. But
when the Australian security consultant was summoned to a petrochemical plant
in Saudi Arabia in the summer of 2017, what he found made his blood run cold.
The hackers had deployed malicious software, or malware, that let them take
over the plant’s safety instrumented systems. These physical controllers and
their associated software are the last line of defense against life-threatening
disasters. They are supposed to kick in if they detect dangerous conditions,
returning processes to safe levels or shutting them down altogether by
triggering things like shutoff valves and pressure-release mechanisms.
The malware made it possible to take over these systems remotely. Had the
intruders disabled or tampered with them, and then used other software to make
equipment at the plant malfunction, the consequences could have been
catastrophic. Fortunately, a flaw in the code gave the hackers away before they
could do any harm. It triggered a response from a safety system in June 2017,
which brought the plant to a halt. Then in August, several more systems were
tripped, causing another shutdown.
The first outage was mistakenly attributed to a mechanical glitch; after the
second, the plant's owners called in investigators. The sleuths found the
malware, which has since been dubbed "Triton" (or sometimes "Trisis") for the
Triconex safety controller model that it targeted, which is made by Schneider
Electric, a French company.
[...]