Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Nation state attackers used the Triton malware to attack an industrial plant safety system, triggering a failsafe response and shutdown.
  • Researchers believe attackers were trying to develop a method of causing physical damage, similar to the Stuxnet attack.

Nation state cyberattackers recently caused the emergency shutdown of an industrial organization when they attempted to reprogram the safety system, FireEye researchers explained in a Thursday blog post.

The malware, dubbed Triton by the researchers, was created specifically to interface with the Triconex Safety Instrumented System (SIS) controllers in use at the organization. The attacks follows a trend of malware created to target industrial control systems (ICS), which grew after the 2010 Stuxnet attack in Iran, the post said.

According to the post, an attacker got access to an actual SIS engineering workstation (which was running Windows) before deploying the Triton malware. The original goal was to use the malicious software to reprogram the safety controllers.

SEE: Information security incident reporting policy (Tech Pro Research)

Triton’s presence was detected by some of the SIS controllers, which then proceeded to enter a failsafe state. This, in turn, prompted the shutdown of industrial processes and triggered an investigation by the owner.

“The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message,” the post said.

While the attacker(s) didn’t achieve their main goal of causing physical damage, they did inadvertently cause the plant to shut down. This is a much better scenario, but still likely resulted in financial losses due to downtime and a complex startup process to get everything going again, the post noted.

While many attackers have money on their mind, the rise of cyberattacks targeted industrial organizations and utilities for physical damage should be cause for concern to those in that space. In October 2017, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint report detailing the high level of risk for such attacks facing those in the energy, nuclear, water, and manufacturing sectors.

Similar attacks have also been perpetrated against a nuclear plant in South Korea in 2014, and in 2016 to cause a massive power outage in the Ukrainian city of Kiev.