
One of Schneider Electric SE's Triconex safety systems recently fell victim to a breach at a critical infrastructure facility in the Middle East, crippling operations there. It's the first reported attack on a safety instrumented system (SIS) – and it won't be the last.

Attackers, believed to work for a nation state, used sophisticated malware – called Triton – to infiltrate one of Schneider's Triconex safety systems. It's these safety systems that shut down operations in nuclear facilities, oil and gas plants, water treatment facilities and more when hazardous conditions are detected. The attackers leveraged diverse technologies to develop the malware, from Windows-based attack vectors to reverse engineering of microprocessor-based firmware and communications. It was clearly created to target that specific production plant and those specific systems. This blog post examines the attack and explains how it evolved and what mitigations can be offered to fence off such attacks in the future.

Industrial control systems (ICS) are autonomous, computer-based devices, used extensively in oil refining, chemical processing, electrical generation and other industries where the creation of a product is based on a continuous series of processes being applied to raw materials. By deploying and programming ICS devices, engineers have the ability to remotely monitor and control the different variables of the industrial process.

A subcategory of ICS, an SIS is used to protect humans, industrial plants and the environment in case of a monitored process going beyond the allowed control margins. These devices are not intended for controlling the process itself, but rather provide an overriding signal, so that immediate actions are taken if the process control systems fail.

An SIS consists of three elements: a sensor, a logic solver and a final control element. The sensor is used to collect the information necessary to determine whether an emergency situation exists. Sensors measure process parameters such as temperature, flow and pressure. A logic solver is typically a controller that reads signals from sensors and executes pre-programmed actions, intended to prevent hazardous situations by providing output to final control elements. Final control elements are typically actuated on-off switches or valves, designed to execute the logical decisions of the logic solver.

Consider the case where an SIS has detected an unacceptable risk of explosion as a result of a pressure build-up inside a vessel. This may be the result of a failure in one of the process control systems. The SIS sensors would detect the build-up, and the logic solver would activate pressure relief valves that act as a "last line of defense" and vent the gases out, essentially halting the process.

Now that the clouds are beginning to clear over the incident, we can try to better describe the malware internals and hypothesize the intent of the attackers.

According to the Schneider Electric Analysis and Disclosure, released on Jan 23, it seems that the attackers were trying to implant a remote access Trojan (RAT) inside the Triconex SIS. RATs are computer programs designed to provide attackers with complete control over the victim's system. They can be used to steal sensitive information, spy on the victim's system, and ultimately remotely control infected devices.

How the Triton RAT Made its Way to the Tricon Engineering Station

Figure 1 shows a typical ICS Ethernet network. In the center of the network are the industrial process controller and the SIS devices. Although these are stand-alone devices, they must be connected to engineering station PCs – in this case, running Windows – for software updates and maintenance.

The traditional approach to ICS networking is to segregate the communication infrastructure from the control assets. However, there has been a trend in the past decade toward integrating network infrastructure, placing the process control systems and the SIS controllers on the same general purpose network. Obtaining access to the process control network, by gaining access to one of the PCs on that network, can be detrimental to the SIS, because any machine on that network can access the SIS controllers. The danger is compounded by the fact that engineering station users are usually local administrators, so an attacker who compromises a station gets full control of a machine that is trusted to reprogram the SIS. This architecture becomes even more dangerous when combined with engineering remote access. A common practice at many sites is to allow engineers to access the operational network via Remote Desktop Protocol (RDP).
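The segmentation and remote-access problem described above can be turned into a concrete check. What follows is an added example, not code from the original post or from Schneider Electric: a small Python policy auditor that reads connection records (the shape you would get from Zeek's conn.log or a firewall log) and reports every flow that breaks a whitelist in which only the designated engineering station may talk to the SIS controllers, and only on the maintenance port; RDP into an engineering station is accepted only from a jump host; and an SIS controller never originates connections to anything but its engineering station. Every address, host role and the maintenance port number (1502) is a constructed placeholder, not a value taken from the page or from any vendor document; the sample records are constructed as well.

```python
"""Audit ICS flow records against a segmentation whitelist.

Added example, not code from the original post or from Schneider Electric.
All hosts, addresses and the SIS maintenance port below are constructed
placeholders for illustration; take real values from the site inventory
and vendor documentation.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IP = ipaddress.ip_address

# --- Constructed policy (assumptions, not from the page) ---------------------
SIS_CONTROLLERS = {IP("10.10.30.11"), IP("10.10.30.12")}
ENGINEERING_STATIONS = {IP("10.10.20.5")}   # the only hosts allowed to programme the SIS
JUMP_HOSTS = {IP("10.10.1.2")}              # the only hosts allowed to RDP into engineering stations
SIS_MAINT_PORT = 1502                       # placeholder maintenance/programming port
RDP_PORT = 3389


@dataclass(frozen=True)
class Flow:
    """One connection record: originator, responder, responder port, protocol."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a whitespace-separated 'src dst dport proto' record."""
    src, dst, dport, proto = line.split()
    return Flow(IP(src), IP(dst), int(dport), proto.lower())


def violations(flow: Flow) -> list[str]:
    """Return the whitelist rules a flow breaks; an empty list means allowed."""
    found = []
    if flow.dst in SIS_CONTROLLERS:
        # Rule 1: only designated engineering stations may reach an SIS
        # controller, and only on the maintenance port.
        if flow.src not in ENGINEERING_STATIONS:
            found.append("unauthorised host reached SIS controller")
        if flow.dport != SIS_MAINT_PORT:
            found.append("SIS controller contacted on unexpected port")
    if flow.dst in ENGINEERING_STATIONS and flow.dport == RDP_PORT:
        # Rule 2: RDP into an engineering station only from a jump host,
        # never straight from the corporate network or the Internet.
        if flow.src not in JUMP_HOSTS:
            found.append("RDP to engineering station from non-jump-host source")
    if flow.src in SIS_CONTROLLERS and flow.dst not in ENGINEERING_STATIONS:
        # Rule 3: an SIS controller never originates connections to anything
        # but its engineering station; anything else looks like a command channel.
        found.append("SIS controller initiated connection to unexpected host")
    return found


def audit(lines) -> dict[str, list[str]]:
    """Map each offending record (whitespace-normalised) to the rules it breaks."""
    report = {}
    for raw in lines:
        line = " ".join(raw.split())
        if not line or line.startswith("#"):
            continue
        found = violations(parse_flow(line))
        if found:
            report[line] = found
    return report


# Constructed sample records: src dst dport proto
SAMPLE_FLOWS = """\
# engineering station programming the SIS: allowed
10.10.20.5 10.10.30.11 1502 udp
# jump host RDP into the engineering station: allowed
10.10.1.2 10.10.20.5 3389 tcp
# some other PC on the flat control network reaching the SIS
10.10.20.9 10.10.30.11 1502 udp
# RDP to the engineering station straight from an outside address
192.0.2.44 10.10.20.5 3389 tcp
# engineering station talking to the SIS on a port it should not use
10.10.20.5 10.10.30.12 502 tcp
# SIS controller calling out to the Internet
10.10.30.11 192.0.2.77 443 tcp
"""

if __name__ == "__main__":
    for record, problems in audit(SAMPLE_FLOWS.splitlines()).items():
        print(f"{record}: {'; '.join(problems)}")
```

The same three-rule matrix is what the firewall between the engineering, process-control and SIS zones should enforce; running it as an audit over captured flows tells you whether the flat network the post describes is actually in place. Rule 3 matters for the RAT scenario specifically: a controller-resident implant that needs a command channel has to produce exactly the controller-originated traffic that rule flags, so it is worth alerting on even when rules 1 and 2 are clean.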
