Malcode affecting Triconex Industrial Safety Controllers

Number: AL17-015
Date: 21 December 2017


The purpose of this alert is to bring attention to a recent and publicly disclosed incident involving an unexpected shutdown of an industrial processing plant.


The incident has revealed an instance of malcode specifically crafted to compromise the operation of Schneider-Electric branded Triconex industrial safety controller devices. Publicly available sources and media reports indicate that this malicious code has been identified under the names TRITON, TRISIS and HatMan.

While there is currently no information that would indicate that the activity associated with this incident is widespread, access to the industrial safety network could allow the deployment of malicious code and its execution. The application of security guidance from the manufacturer should sufficiently mitigate this risk.

Network segmentation and strict authentication and access controls should be in place wherever process controls and their safety systems are deployed. The same applies to automation and other types of controls as their communication protocols often lack the necessary authentication and integrity controls needed to prevent network replay attacks and counterfeit messages from occurring.
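The following added example (not part of the original alert and not any vendor's protocol) shows the two controls this paragraph says are often missing: a receiver that checks a keyed integrity tag and a strictly increasing sequence number, so replayed and counterfeit frames are rejected. The frame layout, key, payload strings and all names are hypothetical.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 64-bit sequence number + payload, followed by an HMAC over both."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts a frame only if its tag verifies and its sequence number is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None, "too short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None, "bad tag"  # counterfeit or modified in transit
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return None, "replay"  # authentic bytes, but already seen
        self.last_seq = seq
        return body[8:], "ok"


def demo():
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    rx = Receiver(key)
    frame = seal(key, 1, b"setpoint=42")  # constructed sample message
    results = [rx.accept(frame)[1]]       # first delivery
    results.append(rx.accept(frame)[1])   # same bytes delivered again
    results.append(rx.accept(seal(b"wrong key", 2, b"setpoint=99"))[1])
    tampered = bytearray(seal(key, 2, b"setpoint=42"))
    tampered[10] ^= 0x01                  # flip one payload bit in transit
    results.append(rx.accept(bytes(tampered))[1])
    results.append(rx.accept(seal(key, 2, b"status?"))[1])
    return results


if __name__ == "__main__":
    print(demo())
```

A protocol without the tag accepts the third and fourth frames, and one without the sequence check accepts the second; network segmentation limits who can send such frames in the first place.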

ICS-CERT has released a Malware Analysis Report (MAR-17-352-01 HATMAN) which outlines the tactics, techniques and procedures associated with the malicious code. ICS-CERT notes that although the malicious code “does not do anything catastrophic—safety systems do not directly control the process, so a degraded safety system will not cause a correctly functioning process to misbehave—it could be very damaging when combined with malware that impacts the process in tandem.”

Suggested Action

Schneider Security Recommendations

Schneider Electric recommends customers follow the instructions contained in the “Security Considerations” section within the Planning and Installation Guide for each respective Triconex controller (Tricon, Trident, Tri-GP), which include the following:


Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
