Triton malware, which can shut down industrial safety systems, causing damage to facilities and threatening human life, targets the industrial internet of things.

As IIoT grows in prominence, so too does its status as a target for malicious hackers – particularly given its increased impact on the physical world; the latest and potentially most dangerous is called Triton.

Triton first reared its ugly head near the end of 2017, according to security company FireEye. It targets an industrial safety system made by Schneider Electric that monitors and secures valves, turbines and the like and shuts them down if it determines they are about to fail and cause explosions or other consequences that could damage the facility or cause harm to people. (It’s named Triton because it targets the widely used Schneider Electric Triconex industrial safety system.)

Patrick Daly, an IoT security analyst at 451 Research, said direct attacks against the Triconex system are frightening. “It’s the only real instance we’ve seen where it’s designed to disrupt operations but that if attacks are carried out using it, people could get hurt,” said Daly.

Superficially, operational technology networks are a relatively hard target to infect with malware because directly attacking the network often requires physical access. Yet the same IT network that bad actors have been practicing against for decades offers them a way in. The same social engineering techniques that have proven effective time after time can provide an attacker with access to the IT network, and, from there, interference with OT can commence.

“The actual path is very similar to what happens in general cybersecurity, but what is very interesting is, again, the impact and the need for creating [industrial control system] security with more of a light glove than what we use to control IT systems,” said IoTium CTO Sri Rajagopal.
The problem, according to Dave Weinstein, vice president of threat research at industrial cybersecurity firm Claroty, is that it’s far from a trivial task to separate the OT and IT networks in a secure way. Flat networks, with no segmentation, are easy targets for malicious hackers, but segmenting the networks logically, while maintaining the required interconnectivity, requires a lot of work, mostly configuring firewalls, switches and other gear to enforce the logical separation of the different network segments. “Network segmentation projects can last years, especially at the enterprise level and especially with multinational corporations,” he said.

What’s to be done? The first thing, experts agree, is to recognize that the “security-by-obscurity” approach won’t work anymore, and to inventory what’s on your network. Visibility, all three experts agreed, is everything, and it’s something that many companies aren’t working on hard enough. Weinstein said that when his firm conducts site visits for clients and asks for an asset inventory, they’re often handed documentation that doesn’t reflect the full list of devices on the network.

Separating different parts of the OT network into logical zones, or, in the case of big companies with widely distributed facilities, geographically based zones, also helps to stop the spread of malware. But the task of segmentation ties into the need for an accurate inventory: it is vastly more difficult to segment a network if a company is not aware of all the devices on it.

It’s important to recognize that operational tech has a different vocabulary and different considerations from IT, and that’s a gap that has to be bridged, Weinstein said. “A big part of solving the problem is about translating that OT syntax into nouns, adjectives and verbs that IT practitioners are more accustomed to dealing with,” he said.
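As an added example (not from the article or from any of the firms quoted), the following Python reconciles a documented OT asset inventory against the devices actually seen in traffic and flags IT-to-OT flows that bypass the conduits a segmentation design permits; all addresses, zones and flow records are constructed sample data.

```python
# Added example (not from the article): reconcile a documented OT asset
# inventory against devices actually seen on the wire, and flag flows that
# cross the IT/OT boundary without an explicit allow entry.
# All addresses, zones and flow records below are constructed sample data.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Inventory documentation handed over by the site (constructed).
DOCUMENTED_INVENTORY = {
    "10.10.1.10": "Safety controller (vendor-managed)",
    "10.10.1.20": "Engineering workstation",
    "10.20.5.5": "Historian server",
}

# Zone model: OT ranges are listed explicitly; anything else is treated as IT.
OT_ZONES = [ipaddress.ip_network("10.10.1.0/24"),
            ipaddress.ip_network("10.10.2.0/24")]

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return "OT" if any(ip in net for net in OT_ZONES) else "IT"

def parse_flows(lines):
    """Parse constructed 'src dst dport' flow summary lines into Flow records."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        flows.append(Flow(parts[0], parts[1], int(parts[2])))
    return flows

def undocumented_devices(flows, inventory):
    """OT-zone addresses seen in traffic but absent from the documented inventory."""
    seen = {f.src for f in flows} | {f.dst for f in flows}
    return sorted(a for a in seen if zone_of(a) == "OT" and a not in inventory)

def boundary_violations(flows, allowed):
    """IT->OT flows not covered by an explicit (src, dst, dport) allow entry."""
    return [f for f in flows
            if zone_of(f.src) == "IT" and zone_of(f.dst) == "OT" and f not in allowed]

# Conduits the segmentation design explicitly permits (constructed).
ALLOWED = {Flow("10.20.5.5", "10.10.1.20", 502)}

SAMPLE_FLOWS = parse_flows([
    "10.20.5.5 10.10.1.20 502",    # historian polling, permitted conduit
    "10.10.1.99 10.10.1.10 502",   # OT device nobody documented
    "10.30.7.42 10.10.1.20 3389",  # IT host reaching into OT: violation
])
```

Running undocumented_devices and boundary_violations over SAMPLE_FLOWS reports the undocumented 10.10.1.99 and the single IT-to-OT flow from 10.30.7.42, which is the kind of inventory gap and flat-network exposure the article describes.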
“If you can’t enable a human analyst to quickly triage an alert without spending hours or days analyzing a given event … then, ultimately, we’re not helping anyone.”

Once the network is configured correctly, IoT practitioners could start taking more active measures to look for security holes, Daly said. Having formalized processes around managing security, being able to follow up on and investigate alerts, and being compliant with industry standards are all important next steps. After that, active threat hunting is a possibility. “You want to have the basics tackled, before you start going out and hunting for this thing,” he said.