As hackers learn the protocols of Industrial Control Systems (ICS), attacks on ICS have become specialized: malware now spreads and coordinates across a network to take over endpoints, halt production, or destroy expensive equipment. BlackEnergy 3, Industroyer, and TRISIS are the benchmark examples, and they show what we can expect from the next wave of threats.
BlackEnergy first appeared in 2007. Since then it has resurfaced in increasingly sophisticated forms, most recently with a suite of convenient and versatile plugins. The latest version, BlackEnergy 3, redefined the world's view of what a cyber attack could accomplish in December 2015. Spear-phishing e-mails delivered BlackEnergy 3 into three Ukrainian power distribution companies; the attackers used that foothold to harvest credentials and then opened breakers remotely, leaving roughly 230,000 customers in the dark for up to six hours. This was the attack that first clearly demonstrated that critical infrastructure can be shut down from a keyboard. It is easy to imagine what BlackEnergy 3 and similar attacks could do to hospitals and other infrastructure that directly supports human lives.
Critical infrastructure such as smart grids and healthcare is significantly endangered by modern malware engineered specifically to talk to operational technology (OT). Like BlackEnergy 3 in 2015, Industroyer (a.k.a. CrashOverride) struck power systems in Ukraine's capital, Kiev, in December 2016, cutting about a fifth of the city's power for roughly an hour; it also carried components meant to hinder recovery, including a wiper. When researchers analyzed the malware, they found payload modules that speak grid protocols directly, among them IEC 60870-5-104 (IEC 104), through which it could issue commands to power-grid-specific devices. Industroyer was the first malware built with this kind of protocol understanding and specialization, uniquely able to target the power industry and affect smart grids.
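The protocol Industroyer spoke is simple enough to decode by hand, which is what a monitoring sensor on a substation network has to do. The following Python is an added example, not code from the original article or from any product mentioned on this page: it splits an IEC 60870-5-104 byte stream into APDUs, classifies them as I/S/U frames, and raises an alert for every control-direction ASDU (single and double commands, set points, and their time-tagged variants) issued with cause of transmission "activation". The sample stream is constructed for illustration rather than captured traffic, and its sequence numbers are assumed.

```python
"""Decode IEC 60870-5-104 APDUs and flag control-direction commands.

Added example for this page; it is not the original article's code nor any
vendor product's. Frame layout per IEC 60870-5-104: start byte 0x68, one
length byte, four APCI control bytes, then (I-format only) an ASDU.
The sample stream at the bottom is constructed by hand for illustration.
"""
import struct

START_BYTE = 0x68
COT_ACTIVATION = 6  # cause of transmission "activation": a command being issued

# Control-direction type identifiers an attacker would use to operate breakers
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set point (normalized)",
    49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring", 58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)", 60: "C_RC_TA_1 step (time-tagged)",
    61: "C_SE_TA_1 set point (time-tagged)", 62: "C_SE_TB_1 set point (time-tagged)",
    63: "C_SE_TC_1 set point (time-tagged)", 64: "C_BO_TA_1 bitstring (time-tagged)",
}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def parse_asdu(asdu):
    """Decode the ASDU header and the first information object."""
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    type_id, vsq, cot, originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    ioa = asdu[6] | asdu[7] << 8 | asdu[8] << 16   # 3-byte information object address
    return {"type_id": type_id, "num_objects": vsq & 0x7F,
            "cot": cot & 0x3F,                 # low 6 bits = cause; bit 6 = P/N, bit 7 = test
            "negative": bool(cot & 0x40), "originator": originator,
            "common_addr": common_addr, "ioa": ioa, "element": asdu[9:]}


def parse_apdus(data):
    """Split a byte stream into APDUs and classify each as I, S or U format."""
    apdus, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos] != START_BYTE:
            raise ValueError("no start byte 0x68 at offset %d" % pos)
        length = data[pos + 1]
        end = pos + 2 + length
        if length < 4 or end > len(data):
            raise ValueError("truncated APDU at offset %d" % pos)
        c = data[pos + 2:pos + 6]
        apdu = {"offset": pos}
        if c[0] & 0x01 == 0:                      # I-format: carries an ASDU
            apdu["format"] = "I"
            apdu["send_seq"] = (c[0] | c[1] << 8) >> 1
            apdu["recv_seq"] = (c[2] | c[3] << 8) >> 1
            apdu.update(parse_asdu(data[pos + 6:end]))
        elif c[0] & 0x03 == 0x01:                 # S-format: supervisory ack only
            apdu["format"] = "S"
            apdu["recv_seq"] = (c[2] | c[3] << 8) >> 1
        else:                                     # U-format: link control
            apdu["format"] = "U"
            apdu["function"] = U_FUNCTIONS.get(c[0], "unknown 0x%02X" % c[0])
        apdus.append(apdu)
        pos = end
    return apdus


def decode_command_state(apdu):
    """Readable state for single/double commands; bit 7 of the qualifier = select."""
    if not apdu["element"]:
        return "?"
    q = apdu["element"][0]
    phase = "select" if q & 0x80 else "execute"
    if apdu["type_id"] in (45, 58):                  # SCO: bit 0 = single command state
        return "%s %s" % (phase, "ON" if q & 0x01 else "OFF")
    if apdu["type_id"] in (46, 59):                  # DCO: bits 0-1, 1 = OFF, 2 = ON
        return "%s %s" % (phase, {1: "OFF", 2: "ON"}.get(q & 0x03, "invalid"))
    return phase


def flag_control_commands(apdus):
    """Return one alert per control-direction ASDU issued with COT = activation."""
    alerts = []
    for a in apdus:
        if a["format"] != "I" or a["type_id"] not in CONTROL_TYPES:
            continue
        if a["cot"] != COT_ACTIVATION:
            continue
        alerts.append({"offset": a["offset"], "type": CONTROL_TYPES[a["type_id"]],
                       "common_addr": a["common_addr"], "ioa": a["ioa"],
                       "state": decode_command_state(a)})
    return alerts


# Constructed sample: link start-up, one spontaneous point from the RTU, then a
# select/execute pair switching IOA 1001 ON and a double command opening IOA 1002.
SAMPLE_STREAM = bytes.fromhex(
    "680407000000"                          # U: STARTDT act
    "68040B000000"                          # U: STARTDT con
    "680E00000000010103000100E9030001"      # I: M_SP_NA_1, COT 3, IOA 1001 = ON
    "680E000002002D0106000100E9030081"      # I: C_SC_NA_1, COT 6, IOA 1001, select ON
    "680E020002002D0106000100E9030001"      # I: C_SC_NA_1, COT 6, IOA 1001, execute ON
    "680E040002002E0106000100EA030001"      # I: C_DC_NA_1, COT 6, IOA 1002, execute OFF
    "680401000600"                          # S: acknowledge up to N(R)=3
)

if __name__ == "__main__":
    for alert in flag_control_commands(parse_apdus(SAMPLE_STREAM)):
        print(alert)
```

In a deployment the alerts would be correlated against which hosts are allowed to issue commands to which common addresses: a legitimate HMI switches a few points now and then, whereas the Industroyer-style behaviour is a flood of activations across many information object addresses from a host that never sent them before.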
The TRISIS malware (also known as TRITON) targeted Schneider Electric's Triconex safety instrumented system (SIS) in 2017 ('Tri' from Triconex + SIS = TRISIS). In their report on TRISIS, Dragos Inc. described it as the first malware built to target a safety instrumented system, and therefore the first with the potential to remotely compromise the safety of a site. Weaknesses in security procedures gave the attackers access to engineering workstations and to the safety control network. The attack halted a key Middle Eastern oil and gas facility: when the malware tripped a fault on the SIS controllers, they failed safe and shut the process down. The attack was so specialized and targeted that the incident is not in itself a direct threat to other SIS deployments, but it shows the level of development attackers are capable of when they have a specific target in mind.
BlackEnergy 3 (2015), Industroyer (2016), and Triton/TRISIS (2017) show where attacks that speak the language of ICS are heading. To keep attacks like these off your mission-critical endpoints, the key defenses are limiting what a device is allowed to run through application whitelisting and scanning it regularly for malware.
Common to each of these attacks is that the malware was planted well in advance, sometimes years before it was used, and lay dormant until commanded to activate and plunge the facility into chaos. For ICS endpoints that can accept installed protective software, lockdown software such as Safe Lock, which allows only whitelisted processes to run, is crucial. For ICS endpoints that cannot accept installations of any kind without voiding their warranty or causing other problems, scanning software such as Portable Security 3 can find such threats in their hiding places and remove them.