Hack at Saudi Petrochemical Plant Compromised a Safety Shut-Off System--Update
Hackers who attacked a petrochemical plant in Saudi Arabia last year gained control over a safety shut-off system that is critical in defending against catastrophic events, according to security researchers shedding light on what they describe as a new type of cyberattack.
Security firms first disclosed the attack last month, but now the company that makes the emergency shut-off system, Schneider Electric SE, has analyzed code used in the attack and determined its purpose.
The malicious software, dubbed Triton, was able to manipulate Schneider devices' memory and run unauthorized programs on the system by leveraging a previously unknown bug, said Andrew Kling, a director of process automation cybersecurity with Schneider Electric.
"It gives the attacker the ability to control what a safety system will do in the event of an emergency," Mr. Kling said. The company would not say how long the plant was compromised.
The 2017 attack represents a new phase in the increasingly worrisome attacks on control-system computers used to manage factory floors, chemical plants and utilities. The best-known such attack, called Stuxnet, discovered in July 2010, manipulated the industrial-control systems that run nuclear centrifuges, and programmed the machines to destroy themselves.
Stuxnet was a joint effort by the U.S. and Israeli governments designed to disrupt Iran's nuclear program. The Triton code's objective isn't clear, but it appeared to be a work in progress, according to the security firms that analyzed it.
The Triton code targets safety-instrumented systems, a different type of machine from the industrial controllers targeted by Stuxnet. These systems act as one of the last lines of defense when plant floors face dangerous situations that could lead to explosions or spills.
"This is really the first breach of that safety protection layer," said Marty Edwards, managing director with Automation Federation, a trade group for industrial-systems professionals. "If the basic control system gets hacked, the safety system is supposed to protect you."
Once attackers have perfected a Triton-type attack, the "logical next step" would be to combine it with a Stuxnet-type attack in order to disrupt a plant and its safety back-up systems, said Rob Lee, chief executive of the cybersecurity firm Dragos Inc.
The Triton attackers were able to reprogram a 16-year-old version of a Schneider product, known as a Tricon TMR, after gaining access to an engineering workstation, according to the cybersecurity firm FireEye Inc., which was hired to investigate the hack.
From the workstation, the Schneider devices can be reprogrammed when a switch on the front of the device is set to "program," Mr. Kling said. Schneider advises customers not to leave the switch set to "program."
Schneider and FireEye declined to name the victim of the attack. The attack occurred in Saudi Arabia, according to Mr. Lee.
Representatives from the Saudi Arabian consulate in the U.S. didn't immediately respond to a request for comment.
Although the Triton code wouldn't work on newer versions of the Tricon devices, there are thousands of older devices being used, Mr. Kling said. Schneider is now developing a fix for its older, vulnerable devices, Mr. Kling said.
Schneider learned of the incident Aug. 4, when a customer in the petrochemical industry called to report one of the company's systems had "tripped," prompting a plant shutdown, Mr. Kling said.
The shutdown, which caused Schneider and others to investigate, turned out to be a lucky break. It was prompted by a bug in the Triton code, Mr. Kling said. "The attackers messed up, which caused the system to fail," he said.
The motivation behind the attack isn't clear, but it could have been used for a range of activities, from stealing intellectual property to something much worse, Mr. Kling said. "You can let your mind run as far as a Hollywood scriptwriter would run," he said.
The software is extremely difficult to detect, said Mr. Lee. Plant owners who learn they have been hacked won't necessarily know whether their safety-instrument system code was altered without taking apart the system, he said.
Some details of the attack remain unclear. Mr. Kling declined to say, for example, how the attackers were able to access the petrochemical company's engineering station.
The attack was likely planned more than a year earlier, said Marina Krotofil, an analyst with FireEye. The company's analysis shows the malicious code found on the Schneider device was first developed in June 2016, and the research required to write it would have begun months before that, she said.
Triton's authors were a "sophisticated group," said Mr. Lee.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
January 18, 2018 14:55 ET (19:55 GMT)