Australian Cyber Security Magazine, ISSUE 6, 2018

Cyber Security

What Industrial Control System Malware Means

By Daniel Marsh

TRISIS, otherwise known as TRITON and HATMAN, is a piece of malware that targets industrial control systems (ICS) and was discovered in late 2017. It was written specifically to target the Schneider Electric Triconex safety instrumented system (SIS), in particular the Triconex 3008 processor module (Dragos, 2017). As sensational as some articles might be, TRISIS did nothing: an error in the code prevented successful execution, which would have disabled the SIS and led to operations halting or a complete disaster. The real impact of TRISIS is not the physical damage and destruction that could have occurred, but the resulting code being modified and targeted at different SIS, and a whole new world of attacks against industrial control systems worldwide. TRISIS may be considered a proof of concept: it proved quite spectacularly not only that ICS are vulnerable to attack but also that the attackers were persistent in the environment for more than 12 months without being detected.

TRISIS was most definitely not the first malware to target industrial control systems. Not only have there been predecessors specifically targeted at destroying the uranium enrichment process, but common ransomware has infected human-machine interfaces (HMI), causing loss of monitoring and control and, ultimately, blackouts across entire countries. TRISIS is said to be a game changer (Dragos, 2017), not only because of the successful persistent threat but also because of the specific targeting of SIS and the capability to potentially bring these life-saving devices down.

Although the world has experienced that connecting devices and convergence without performing due diligence is a generally bad idea, and targets are primarily opportunistic (exceptions do exist, of course), not connecting devices does not make you safe. Air gaps can be breached: sometimes very easily by carrying a USB key, sometimes because of poor documentation, and sometimes through highly sophisticated attacks using voltage changes to transfer data between devices (Guri, 2018).

Figure 1 - open enterprise security architecture


Australian Cyber Security Magazine, ISSUE 6, 2018 by MySecurity Marketplace - Issuu