Hackers Target Triconex: Safety System Attack Halts Plant Operations

State-sponsored hackers compromised the safety system of a critical infrastructure plant (the kind of system found in electricity, water and sewage facilities, among others) and halted its operations. The attackers targeted Triconex industrial safety technology made by Schneider Electric.

Schneider declined to identify the victim, its industry or its location, but confirmed that the incident had occurred and said it had issued a security bulletin stating: “While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors”. The alert went to all other Triconex users, most of them in the energy industry, including oil, gas and nuclear plants. Schneider also said it is working with the US Department of Homeland Security to investigate the attack.

The US government has again issued public warnings to industry about attempts by hackers from nation states, including Iran, North Korea and Russia, to attack companies that run critical infrastructure and other sensitive organisations. It identified these organisations as prime targets and said it continues to assess the potential impact.

Several other sources suggest that the affected facility was in the Middle East, and some have gone as far as naming Iran as the perpetrator and Saudi Arabia as the victim, claiming that it is the same Iranian group that was responsible for a series of attacks on Saudi Arabian networks in 2012 and 2017 using destructive malware known as Shamoon.

It marks the first reported hack and shutdown of a safety system at a utility or other type of critical infrastructure facility.

Compromising a safety system could let attackers disable it before attacking other parts of an industrial plant, potentially preventing operators from identifying and halting a destructive attack.

A compromised safety system can be manipulated to report that everything is normal while the automatic protections it is supposed to provide have been disabled, leaving the process free to run into an unsafe state. In an energy-intensive plant the physical outcome could be devastating, which makes this a watershed event in the history of hacking.

There is no doubt that other hackers will attempt to copy this kind of attack.

The attackers used purpose-built malware to take control of an engineering workstation used to program the Schneider Electric Triconex safety shutdown system, and from there attempted to reprogram the safety controllers that detect hazardous conditions and trigger a shutdown.

Some of the targeted controllers entered a failsafe mode, which triggered related shutdowns in the plant and alerted the operators to the attack. Because this was the first attack of its kind, the attackers appear to have caused the shutdown inadvertently while still learning the system; a safe shutdown was not the intended outcome.
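The mechanism described above, an engineering workstation pushing new logic to the safety controllers, is also what a defender can watch for. The following Python is an added example for this page, not code from Schneider Electric or from any incident report. It scans constructed flow-log lines for TriStation engineering traffic (the Triconex programming protocol, which runs over UDP port 1502) reaching a safety controller from a host that is not an approved engineering workstation, and separately flags any controller whose physical key switch is in the PROGRAM position, which Triconex requires before new logic can be downloaded, without an approved change ticket. The IP addresses, log format, key-switch events and ticket list are all assumed for illustration.

```python
"""Detect unauthorised programming activity against Triconex safety controllers.

Added example: constructed inventory and logs, not data from any real plant.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# The TriStation engineering protocol, used to download logic to a Triconex
# controller, runs over UDP port 1502.
TRISTATION_UDP_PORT = 1502

# Constructed inventory (assumed addresses for illustration only).
SAFETY_CONTROLLERS: Set[str] = {"10.20.1.11", "10.20.1.12"}
ENGINEERING_WORKSTATIONS: Set[str] = {"10.20.0.10"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one flow-log line of the assumed form 'ts src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.upper(), int(dport))


def unexpected_programming_flows(
    lines: Iterable[str],
    controllers: Set[str] = SAFETY_CONTROLLERS,
    workstations: Set[str] = ENGINEERING_WORKSTATIONS,
) -> List[Flow]:
    """Return TriStation flows to a safety controller from a non-approved host.

    Any host other than the approved engineering workstations talking the
    programming protocol to a safety controller is treated as an alert,
    regardless of whether the download itself succeeded.
    """
    hits: List[Flow] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header/comment line
        flow = parse_flow(line)
        if (
            flow.dst in controllers
            and flow.proto == "UDP"
            and flow.dport == TRISTATION_UDP_PORT
            and flow.src not in workstations
        ):
            hits.append(flow)
    return hits


def programming_without_ticket(
    keyswitch_events: Iterable[Tuple[str, str]], approved: Set[str]
) -> List[str]:
    """Return controllers whose key switch is in PROGRAM with no approved change.

    keyswitch_events: (controller, position) pairs as reported by the controllers.
    approved: controllers that currently have an approved change ticket.
    """
    return [
        controller
        for controller, position in keyswitch_events
        if position == "PROGRAM" and controller not in approved
    ]


# Constructed sample data. The third and fourth flows model an unexpected host
# speaking TriStation to both safety controllers late at night.
SAMPLE_FLOWS = """
# ts src dst proto dport
2017-11-01T09:00:00Z 10.20.0.10 10.20.1.11 udp 1502
2017-11-01T09:05:00Z 10.20.0.10 10.20.1.11 tcp 502
2017-11-01T23:41:12Z 10.20.0.57 10.20.1.11 udp 1502
2017-11-01T23:41:13Z 10.20.0.57 10.20.1.12 udp 1502
""".strip().splitlines()

SAMPLE_KEYSWITCH = [("10.20.1.11", "PROGRAM"), ("10.20.1.12", "RUN")]
APPROVED_TICKETS: Set[str] = set()  # no change window is open in this sample


if __name__ == "__main__":
    for flow in unexpected_programming_flows(SAMPLE_FLOWS):
        print(f"ALERT TriStation traffic to {flow.dst} from unapproved host {flow.src} at {flow.ts}")
    for controller in programming_without_ticket(SAMPLE_KEYSWITCH, APPROVED_TICKETS):
        print(f"ALERT {controller} key switch in PROGRAM with no approved change ticket")
```

The Modbus flow on TCP port 502 in the sample is deliberately ignored: reading process values from the controller is normal, and the point of the check is to isolate the one channel that can change the safety logic. The key-switch check is the stronger of the two, because it does not depend on seeing the network traffic at all; leaving the switch in PROGRAM during normal operation is exactly the condition that lets a compromised workstation rewrite the controller.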

The first malware capable of disrupting industrial processes, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

The second, known as CrashOverride or Industroyer, was discovered last year by researchers who said it was likely used in the December 2016 attack that cut power in Ukraine and is probably the work of state-sponsored Russian hackers.

This malware, which has been dubbed Triton (and also Trisis), is only the third piece of malware built to disrupt industrial processes discovered to date, and the first believed to have been used by one developing country against another.