Triton Unwrapped; Indegy Labs Analysis

In December 2017 a sophisticated ICS attack known as “Triton” was publicly disclosed. The attack manipulated Triconex Safety Instrumented System (SIS) controllers, which provide the safety function of an emergency shutdown when a dangerous condition threatens human lives.


The Triton attack enabled the attackers to gain access to the SIS controllers and change their programming. One of the contributing factors that allowed this remote access and reprogramming was that the physical key switch on the controllers had been left in the “Program” position, which permits the controller to be programmed remotely.

One of the recommendations made following Triton was to implement strict change management procedures for the key state/position and to routinely audit the key state. Implementing and enforcing such procedures, however, can be very difficult and resource-intensive, since some sites run hundreds if not thousands of controllers from multiple vendors and of multiple models.

Indegy, with its unique Device Integrity technology, provides an easy way to implement such a procedure: simply turn on the option to detect a key change on industrial controllers as a routine policy. Any change in the physical key state of a controller is detected by Indegy’s Device Integrity and triggers an alert, optionally forwarded to the organization’s SIEM system at the SOC.
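To show what the routine key-state policy described above looks like in practice, here is an added example that is not Indegy's code and not part of the original post: a small monitor that holds the approved key position for each controller, alerts on any transition between polls, flags controllers that already sit off their approved position when first polled, supports the routine audit recommended after Triton, and formats alerts as CEF lines for forwarding to a SIEM. The controller names, poll results and severity scheme are constructed; the key position names follow the Triconex key switch (RUN, PROGRAM, STOP, REMOTE), and other vendors' positions are assumed to be normalised onto that set before they reach the monitor.

```python
"""Key-switch state monitor: approved baseline, change detection, SIEM-ready alerts.
Added illustration; controller names, poll results and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Key positions that allow the controller's logic to be modified. Names follow the
# Triconex key switch (RUN, PROGRAM, STOP, REMOTE); other vendors' positions are
# assumed to be normalised onto the same set before reaching the monitor.
PRIVILEGED = {"PROGRAM", "REMOTE"}


@dataclass(frozen=True)
class KeyAlert:
    controller: str
    previous: Optional[str]   # None when the controller is seen for the first time
    current: str
    approved: str             # position authorised by change management
    severity: str             # "high" or "medium"
    kind: str                 # "CHANGE" (transition) or "DRIFT" (off-baseline at first poll)
    observed_at: str

    def to_cef(self) -> str:
        """Render as an ArcSight CEF line so the alert can be forwarded to a SIEM."""
        cef_severity = "8" if self.severity == "high" else "5"
        return (
            f"CEF:0|Example|KeySwitchMonitor|1.0|{self.kind}|"
            f"Controller key-switch {self.kind.lower()}|{cef_severity}|"
            f"dvc={self.controller} cs1Label=previous cs1={self.previous} "
            f"cs2Label=current cs2={self.current} cs3Label=approved cs3={self.approved} "
            f"cs4Label=observedAt cs4={self.observed_at}"
        )


class KeyStateMonitor:
    """Compares each polled key position with the approved baseline and with the
    position seen at the previous poll, raising an alert on any transition."""

    def __init__(self, approved: Dict[str, str]):
        self.approved = {c: p.upper() for c, p in approved.items()}
        self.last_seen: Dict[str, str] = {}

    def observe(self, controller: str, position: str,
                observed_at: Optional[str] = None) -> Optional[KeyAlert]:
        if controller not in self.approved:
            raise KeyError(f"unknown controller {controller!r}: not in the approved baseline")
        position = position.upper()
        ts = observed_at or datetime.now(timezone.utc).isoformat()
        previous = self.last_seen.get(controller)
        self.last_seen[controller] = position
        approved = self.approved[controller]

        if previous is None:
            # First poll: report only if the key already sits off its approved position.
            if position == approved:
                return None
            kind = "DRIFT"
        elif position == previous:
            return None               # no transition since the last poll; stay quiet
        else:
            kind = "CHANGE"
        severity = "high" if position in PRIVILEGED and position != approved else "medium"
        return KeyAlert(controller, previous, position, approved, severity, kind, ts)

    def audit(self) -> List[str]:
        """Routine audit: controllers whose last-seen key position is not the approved one."""
        return sorted(c for c, p in self.last_seen.items() if p != self.approved[c])


# Constructed sample: three controllers, all approved to run in RUN, polled twice.
APPROVED = {"SIS-01": "RUN", "SIS-02": "RUN", "PLC-07": "RUN"}
POLLS = [
    [("SIS-01", "RUN"), ("SIS-02", "PROGRAM"), ("PLC-07", "RUN")],       # SIS-02 left in PROGRAM
    [("SIS-01", "PROGRAM"), ("SIS-02", "PROGRAM"), ("PLC-07", "STOP")],  # SIS-01 turned, PLC-07 stopped
]


def run_polls(approved: Dict[str, str] = APPROVED,
              polls: List[List[Tuple[str, str]]] = POLLS) -> Tuple[List[KeyAlert], List[str]]:
    """Feed the polls through the monitor; return the alerts raised and the audit result."""
    monitor = KeyStateMonitor(approved)
    alerts: List[KeyAlert] = []
    for round_no, poll in enumerate(polls, start=1):
        for controller, position in poll:
            # Constructed timestamps so the run is reproducible.
            alert = monitor.observe(controller, position, f"2018-01-01T00:0{round_no}:00+00:00")
            if alert is not None:
                alerts.append(alert)
    return alerts, monitor.audit()


if __name__ == "__main__":
    raised, off_baseline = run_polls()
    for alert in raised:
        print(alert.to_cef())
    print("controllers off approved position:", off_baseline)
```

With the constructed polls the monitor raises three alerts (SIS-02 drifted at first sight, SIS-01 and PLC-07 changed between polls) and the audit lists all three controllers as off their approved position. Alerting only on transitions, rather than on every poll that finds a key off baseline, keeps the SIEM from being flooded while the audit still reports the standing deviation.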

Figure: Alerts on the Indegy platform indicating that PLC key state was changed.

By implementing basic security practices such as device integrity monitoring, we can protect our critical infrastructure against even very sophisticated attacks.