A new kind of malware goes after industrial safety systems that provide emergency shutdown capabilities. It can cause damage or shut down operations.
The malware — which FireEye calls Triton and Dragos calls TRISIS — is similar to the Stuxnet malware used in Iran in 2010 and Industroyer deployed in Ukraine in 2016. A recent Triton attack targeted Schneider Electric’s Triconex safety system, and the malware has already had at least one victim, the security research firms reported.
Like Stuxnet and Industroyer, Triton is most likely to be used by nation-state attackers against critical infrastructure – but it can also be used against other types of facilities. Data centers, for example, are filled with industrial control systems that manage life safety, power, cooling, and other critical environment factors, said Andrew Howard, CTO at Kudelski Security. “These systems provide a different attack vector into data centers,” he said.
Damage caused by these kinds of attacks is different than damage from the more common cyber threats. “They typically have a greater impact on the availability of systems and data than on the confidentiality or integrity aspects,” Howard said.
In addition, an attack on a data center’s safety system can have a larger “blast radius” than the traditional, more targeted attacks. For example, attackers might be going after just one of the companies using a particular data center. Taking out the entire facility would affect every other company that uses it.
As global tensions rise, hostile nation states might step up these kinds of attacks, said Art Gilliland, CEO at Skyport Systems, a Mountain View, California-based cybersecurity firm.
“We are going to see increases in these types of covert attacks designed to do damage or create disruption,” he said. “Much more investment from operators to modernize these public services will be required to protect them from attack.”
And it’s not just data centers’ safety systems that are at risk, said Ben Miller, director of threat operations at Dragos. “Data center HVAC and building automation systems are leveraging similar types of communications and controllers and are often overlooked,” he said. “Attacking these systems, similar to how TRISIS attacked safety systems, could impact backup power or cooling that are essential to equipment operation.”
Data center managers should work with facilities and the engineers that own these systems to understand how they communicate and how susceptible they may be to attack, he added.
“This incident should serve as a wakeup call to anyone managing critical infrastructure,” said Manoj Asnani, VP of product and design at Balbix, a San Jose, California-based cybersecurity firm.
“Access to critical systems should not be universal and should be restricted via network segmentation, a locked-down host, and multi-step authentication,” he said. “It is apparent that these kinds of preventative measures were not in place ahead of this TRISIS attack scenario. It’s imperative for critical infrastructure operators — including those in data centers — to get ahead of these security threats.”