Mysterious safety-tampering malware infects a second critical infrastructure site
Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents.
There had been compromises of critical infrastructure sites before. What was unprecedented in this attack—and of considerable concern to some researchers and critical infrastructure operators—was the use of an advanced piece of malware that targeted the unidentified site’s safety processes. Such safety instrumented systems (SIS) are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, a SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents.
By focusing on the site’s SIS, the malware carried the threat of physical destruction that depending on the site and the type of accident had the potential to be serious if not catastrophic. The malware was alternately named Triton and Trisis, because it targeted the Triconex product line made by Schneider Electric. It’s development was ultimately linked to a Russian government-backed research institute.