Triton Unwrapped; Indegy Labs Analysis

In December 2017, a sophisticated ICS attack known as “Triton” was published. The attack manipulated Triconex Safety Instrumented System (SIS) controllers, which support the safety function of providing an emergency shutdown option when a dangerous condition poses a threat to human lives.


The Triton attack enabled the hacker to gain access to the SIS controllers and change their programming. One of the contributing factors that allowed the remote access and reprogramming was that the physical key on the controllers was left in the “Program” state, which allowed the controller to be programmed remotely.

One of the recommendations made following Triton was to implement strict change management procedures for the key state/position and to routinely audit the key state. Implementing and enforcing such procedures, however, can be very difficult and requires substantial resources, since some sites use hundreds if not thousands of controllers that may be multi-vendor and multi-model.

Indegy, with its unique Device Integrity technology, provides an easy way to implement such a procedure by simply turning on the option to detect a key change on industrial controllers as a routine policy. Any change of the physical state of the controller will be detected by Indegy’s Device Integrity and will trigger an alert, with an optional additional alert sent to the organization’s SIEM system at the SOC.
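The key-state audit described above, written out as an added example (this is not Indegy's product code and does not come from the original page). It assumes key positions are already being collected per controller by some polling mechanism; the controller names, the "RUN" position label, the change windows and the alert fields are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample polls: (ISO timestamp, controller, key position).
# Controller names and the "RUN" position label are illustrative assumptions.
SAMPLE_POLLS = [
    ("2018-01-10T08:00:00", "sis-01", "RUN"),
    ("2018-01-10T08:00:00", "sis-02", "RUN"),
    ("2018-01-10T09:00:00", "sis-01", "PROGRAM"),  # inside approved window
    ("2018-01-10T10:00:00", "sis-01", "RUN"),
    ("2018-01-10T10:00:00", "sis-02", "PROGRAM"),  # no change record
    ("2018-01-10T11:00:00", "sis-02", "PROGRAM"),  # key left in PROGRAM
]
# Constructed change-management records: controller -> approved (start, end).
APPROVED_WINDOWS = {"sis-01": [("2018-01-10T08:30:00", "2018-01-10T10:30:00")]}

def is_approved(ctrl, ts, windows):
    """True if ts falls inside an approved change window for ctrl."""
    return any(datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)
               for start, end in windows.get(ctrl, []))

def audit_key_states(polls, windows, max_program_polls=1):
    """Alert on key-position changes and on keys lingering in PROGRAM."""
    last, streak, alerts = {}, {}, []
    for raw_ts, ctrl, pos in sorted(polls):
        ok = is_approved(ctrl, datetime.fromisoformat(raw_ts), windows)
        base = {"time": raw_ts, "controller": ctrl, "approved": ok,
                "severity": "info" if ok else "high"}
        prev = last.get(ctrl)
        if prev is not None and pos != prev:
            alerts.append({**base, "rule": "key_state_changed",
                           "from": prev, "to": pos})
        # Count consecutive polls in PROGRAM; reset on any other position.
        streak[ctrl] = streak.get(ctrl, 0) + 1 if pos == "PROGRAM" else 0
        if streak[ctrl] > max_program_polls and not ok:
            alerts.append({**base, "rule": "key_left_in_program"})
        last[ctrl] = pos
    return alerts

def to_siem_lines(alerts):
    """Serialize alerts as one JSON object per line for a SIEM forwarder."""
    return [json.dumps(a, sort_keys=True) for a in alerts]

if __name__ == "__main__":
    for line in to_siem_lines(audit_key_states(SAMPLE_POLLS, APPROVED_WINDOWS)):
        print(line)
```

Changes that fall inside an approved window are still recorded at `info` severity so the audit trail stays complete, while an unapproved move to PROGRAM and a key left there across polls are both raised as `high`.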

Alerts on the Indegy platform indicating that the PLC key state was changed.

By implementing basic security practices such as device integrity, we can protect our critical infrastructure against very sophisticated attacks.
