TRITON Malware Targeting Schneider Electric Triconex Safety Instrumented System Controllers

The NJCCIC has been alerted to a new malware variant designed to specifically target Schneider Electric Triconex Safety Instrumented System (SIS) controllers that are used to ensure industrial equipment, often employed by critical infrastructure sector members, is operating safely.

Threat
Cybersecurity firm Mandiant, a FireEye company, discovered a new malware variant designed to specifically target Triconex Safety Instrumented System (SIS) controllers. The malware, dubbed TRITON, was deployed at an undisclosed critical infrastructure organization after a threat actor gained remote access to an SIS engineering workstation in an effort to reprogram the SIS controllers. This incident caused some SIS controllers to enter a failed safe state, resulting in the automatic shutdown of the associated industrial process.

TRITON malware mimics the legitimate Triconex SIS controller management software for Windows workstations and has the capability to read and write programs, read and write individual functions, and query the state of an SIS controller. TRITON is also capable of communicating with Triconex SIS controllers, sending commands such as halt or read memory content, and reprogramming them with an attacker-defined payload. If the targeted controller fails, TRITON attempts to return it to a running state. If the controller is unable to recover within a specific timeframe, the malware overwrites itself with invalid data to evade detection and analysis. As SIS controllers are designed to read data from industrial equipment to ensure machinery is functioning properly, any compromise of these systems has the potential to cause physical damage and disrupt operations.

This activity has not yet been attributed to any particular threat actor or Advanced Persistent Threat (APT) group; however, FireEye assesses with moderate confidence that the actor or group behind the TRITON campaign is sponsored by a nation state.

For more information on this threat, including Indicators of Compromise (IoCs), please review the following open-source FireEye report:

Reporting
The NJCCIC has not received any reports of threat actors attempting to conduct this attack against New Jersey organizations or sectors; however, all Critical Infrastructure Sector members, especially those who use Schneider Electric Triconex Safety Instrumented System Controllers, should review the FireEye report as soon as possible and educate management, security teams, network administrators, and industrial control system operators about this threat. If your organization experiences or suspects attacks associated with this threat, please contact your local FBI field office immediately and report the incident to the NJCCIC via the Cyber Incident Report form on our website.

FireEye Recommendations

  • Where technically feasible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network.
  • Leverage hardware features that provide for physical control of the ability to program safety controllers. These usually take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in the PROGRAM mode other than during scheduled programming events.
  • Implement change management procedures for changes to key position. Audit current key state regularly.
  • Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.
  • Implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP.
  • Monitor ICS network traffic for unexpected communication flows and other anomalous activity.
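As an added illustration of the last three recommendations (restricted SIS access, change-managed programming events, and traffic monitoring), the following script is not code from the NJCCIC advisory or the FireEye report; the addresses, the flow-record format, the programming window and the sample flows are constructed assumptions, and the TriStation port comes from public protocol documentation rather than this page.

```python
# Added illustration of the "monitor ICS network traffic" recommendation above; not
# code from the NJCCIC advisory or FireEye. Addresses, the flow-record format and
# the programming window are constructed assumptions.
import ipaddress
from datetime import datetime, time

SIS_NETWORK = ipaddress.ip_network("10.20.30.0/24")     # assumed SIS segment
ENGINEERING_WORKSTATIONS = {"10.10.5.15"}               # assumed authorized host
PROGRAMMING_WINDOW = (time(9, 0), time(11, 0))          # change-managed weekday window
# TriStation, the Triconex engineering protocol, runs over UDP/1502 (public protocol
# knowledge, not stated in the advisory); any other service toward the SIS is odd.
TRISTATION_PORT = 1502

def parse_flow(line):
    """Parse a constructed 'ISO-timestamp src dst proto dport' record."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport)}

def classify_flow(flow):
    """Return an alert string for a flow into the SIS segment, or None if expected."""
    if ipaddress.ip_address(flow["dst"]) not in SIS_NETWORK:
        return None                      # traffic elsewhere is out of scope here
    if flow["src"] not in ENGINEERING_WORKSTATIONS:
        return f"unauthorized host {flow['src']} reached SIS {flow['dst']}"
    if (flow["proto"], flow["dport"]) != ("udp", TRISTATION_PORT):
        return f"unexpected {flow['proto']}/{flow['dport']} from workstation to SIS {flow['dst']}"
    t, (start, end) = flow["ts"], PROGRAMMING_WINDOW
    if t.weekday() >= 5 or not start <= t.time() <= end:
        return f"engineering traffic to SIS {flow['dst']} outside programming window at {t}"
    return None                          # authorized host, right protocol, scheduled time

def find_alerts(lines):
    """Run each flow record through classify_flow and keep the alerts, in order."""
    return [a for a in map(classify_flow, map(parse_flow, lines)) if a]

# Constructed sample flows: 2017-12-13 is a Wednesday.
SAMPLE_FLOWS = [
    "2017-12-13T09:30:00 10.10.5.15 10.20.30.7 udp 1502",  # scheduled programming
    "2017-12-13T22:15:00 10.10.5.15 10.20.30.7 udp 1502",  # same host, off hours
    "2017-12-13T10:05:00 10.10.7.99 10.20.30.7 udp 1502",  # host not on the allowlist
    "2017-12-13T10:05:00 10.10.5.15 10.20.30.7 tcp 445",   # SMB toward a controller
    "2017-12-13T10:05:00 10.10.5.15 10.10.8.20 tcp 443",   # not the SIS segment
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

In practice the allowlist and window would come from the change-management records the recommendations call for, and the flow records from a span port or flow collector on the SIS boundary.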

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions.