Triton and the new wave of IIoT security threats

As IIoT grows in prominence, so too does its status as a target for malicious hackers – particularly given its increased impact on the physical world; the latest and potentially most dangerous is called Triton.

Triton first reared its ugly head near the end of 2017, according to security company Fireeye. It targets an industrial safety system made by Schneider Electric that monitors and secures valves, turbines and the like and shuts them down if it determines they are about to fail and cause explosions or other consequences that could damage the facility or cause harm to people. (It’s named Triton because it targets the widely used Schneider Electric Triconex industrial safety system.)

Patrick Daly, an IoT security analyst at 451 Research, said direct attacks against the Triconex system are frightening.  “It’s the only real instance we’ve seen where it’s designed to disrupt operations but that if attacks are carried out using it, people could get hurt,” said Daly.

Superficially, operational technology networks are a relatively hard target to infect with malware because directly attacking the network often requires physical access. Yet the same IT network that bad actors have been practicing against for decades offers them a way in. The same social engineering techniques that have proven effective time after time can provide an attacker with access to the IT network, and, from there, interference with OT can commence.

“The actual path is very similar to what happens in general cybersecurity, but what is very interesting is, again, the impact and the need for creating [industrial control system] security with more of a light glove than what we use to control IT systems,” said IoTium CTO Sri Rajagopal.

The problem, according to Dave Weinstein, vice president of threat research at industrial cybersecurity firm Claroty, is that it’s far from a trivial task to separate the OT and IT networks in a secure way. Flat networks, with no segmentation, are easy targets for malicious hackers, but the process of segmenting the networks logically, while maintaining the required interconnectivity, requires a lot of work, mostly configuring firewalls, switches and other gear to enforce the logical separation of the different network segments.

“Network segmentation projects can last years, especially at the enterprise level and especially with multinational corporations,” he said.

What’s to be done?

The first thing, experts agree, is to recognize that the “security-by-obscurity” approach won’t work anymore, and to inventory what’s on your network. Visibility, all three experts agreed, is everything, and it’s something that many companies aren’t working on hard enough.

Weinstein said that when his firm conducts site visits for clients and asks for asset inventory they’re often handed documentation that doesn’t reflect the full list of devices on the network.

Separating different parts of the OT network into logical, or in the case of big companies with widely distributed facilities, geographically-based zones also helps to stop the spread of malware. But the task of segmentation ties into the need for an accurate inventory. It is vastly more difficult to segment a network if a company’s not aware of all the devices on it.

It’s important to recognize that operational tech has a different vocabulary and different considerations from IT, and that’s a gap that has to be bridged Weinstein said.

“A big part of solving the problem is about translating that OT syntax into nouns, adjectives and verbs that IT practitioners are more accustomed to dealing with,” he said. “If you can’t enable a human analyst to quickly triage an alert without spending hours or days analyzing a given event … then, ultimately, we’re not helping anyone.”

Once the network is configured correctly IoT practitioners could start taking more active measures to look for security holes, Daly said. Having formalized processes around managing security, being able to follow up on and investigate alerts and being compliant with industry standards are all important next steps.

After that, active threat hunting is a possibility.

“You want to have the basics tackled, before you start going out and hunting for this thing,” he said.