TRISIS, also known as TRITON or HatMan, is a malware variant that targets Schneider Electric Triconex Safety Instrumented System (SIS) controllers. The actors behind the recent attacks using this piece of malware might be different groups sharing the same tool. It has seen a recent increase in usage.
- TRISIS has been deployed against several victims.
- There are around 18 000 Triconex safety systems deployed worldwide.
- Even if using the same systems in numerous industries, each SIS implementation is different. Before the malware can be leveraged to compromise the industrial network in a relevant way, the threat actor needs to understand the environment and the processes involved.
- Given the adjustments needed for each specific attack, this is a really not-scalable targeted attack type.
- This malware only works if the physical keyswitch on the Triconex SIS Controller is on program mode. In Run mode, program changes are not permitted.
- Compromising the security of a SIS does not mean that the safety of the system is compromised. Safety engineering is a highly specific skill and requires the following of rigorous standards to ensure that a process is safe enough.
TRISIS can be considered as a Stage 2 ICS attack capability (see ICS killchain below).
The target of this malware are specific ICS systems, it is clearly focused on industrial networks and does not concern. Traditional IT environments.
In order to compromise an industrial network, you first need to compromise the business IT network that surrounds it and find a way to get in the industrial environment in the first place. If TRISIS is seen it means that an adversary has already achieved success in the compromise of the business network.
The malware in itself consist of a Python script compiled with py2exe, a publicly available compiler. It is done that way to allow TRISIS to execute in an environment without requiring the prior installation of Python (which often would not make sense in industrial environment). The script objective is to change the logic on a target SIS.
- Infection of the Business network (completion of classic Kill-chain).
- Develop – Identify target SIS and then develop replacement logic and loader accordingly.
- Test – Testing that the malware works as intended, probably by testing it on similar devices in similar conditions (not on target network).
- Deliver - Transfer TRISIS to the SIS which contains the ‘loader’ module for the new logic and support binaries that provide the new logic.
- Installation – Basically, the malware disguise himself as a Triconex software for analyzing SIS logs. It then identifies the correct memory location to replace and uploads his own initializing code.
- Execute ICS Attack - TRISIS checks if the previous step succeeded. If it is the case the it uploads the new ladder logic to the SIS.
The TRISIS malware is a type of highly targeted tool that allows a malicious attacker to totally replace the ladder logic on affected devices. This could then allow further compromising of the industrial environment by the malicious attacker.
However, the knowledge required to operate those kinds of highly targeted attacks is not trivial. Each compromising need planning, development and handcrafting code. None of those are trivial and make scaling and spreading this attack to other environments difficult (including ones running Triconex devices).
- In the case of TRISIS, Schneider Electric has provided the following recommendations for Triconex Controllers:
- Safety systems should always be deployed on isolated networks.
- Physical controls should be in place so that no unauthorized person would have access to the safety controllers, peripheral safety equipment, or the safety network. o All controllers should reside in locked cabinets and never be left in the “Program” mode.
- All Tristation terminals (Triconex programming software) should be kept in locked cabinets and should never be connected to any network other than the safety network.
- All methods of mobile data exchange with the isolated safety network such as CDs, USB drives… should be scanned before use in the Tristation terminals or any node connected to this network.
- Laptops that have connected to any other network besides the safety network should never be allowed to connect to the safety network without proper sanitation. Proper sanitation includes checking for changes to the system not simply running anti-virus software against it (in the case of TRISIS no major anti-virus vendor detected it at the time of its use).
- Operator stations should be configured to display an alarm whenever the Tricon key switch is in the “Program Mode.”