Hackers breach industrial safety systems

30 January 2018

In December, details emerged of a sophisticated cyber attack that halted operations at a power plant in the Middle East. Described as a ‘watershed moment’ that marks the first reported breach of a safety system at an industrial plant.

According to cyber security firm FireEye, the hackers – believed to be state-sponsored –targeted Triconex industrial safety technology made by Schneider Electric, which is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.

The attack used sophisticated malware known as Triton to remotely control a safety instrumented system (SIS), used to autonomously monitor potentially dangerous conditions, triggering alerts or shutdowns to prevent accidents.

In the case revealed by FireEye, the malware triggered a fail-safe state, which automatically shutdown the industrial process and prompted the asset owner to initiate an investigation. The cyber security firm believes that that the attacker inadvertently caused the shutdown while developing the ability to cause physical damage.

According to Symantec, Triton works by infecting a Windows computer that connects to a SIS device. Theoretically the malware could enable hackers to disable safety controls and cause physical damage, such as a fire, explosion or leak, as well as business interruption, it says.

Much of the debate around the cyber security risks of ICS has centred on the potential for physical damage. Yet this latest attack highlights the potential for business interruption losses from an attack on an industrial control system (ICS), even when it has not resulted in physical damage.

Increased concern

The attack revealed by FireEye adds to growing concern over cyber security for critical infrastructure. In 2016, an Iranian hacker accessed the control system at a flood control dam in New York while in December of the same year an attack shutdown part of the power grid in Ukraine.

The first known example of malware targeting industrial control systems was Stuxnet, which was designed to attack programmable logic controllers used in the Iranian uranium enrichment programme.

Separately, malware used in the attacks against the Ukrainian energy sector in 2016 contained a component designed to target industrial control systems, according to Symantec.

Cyber attacks against industrial control systems and critical infrastructure are becoming more frequent, according to Kaspersky Lab. Over half of the industrial companies interviewed by the cyber security firm in a 2017 survey said that they had experienced at least one incident in the last 12 months with 21% experiencing two incidents. For companies with over 500 employees, 71% experienced between two and five cyber security incidents.

The survey also found that 83% of industrial groups feel prepared to manage cyber risk, but Kaspersky believes that they may be misguided in their preparedness as the current overall approach to ICS cyber security is “chaotic”. It also noted that just one in five industrial businesses are required to report breaches – suggesting that many incidents could be going unreported.

Download Cyber Newsletter

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com