The most infamous cyber-attacks on industrial systems
Attacks on industrial control systems (ICS) seek to undermine the integrity of a process in ways that may lead to a malicious functional impact, according to a recent paper, “Stuxnet to CRASHOVERRIDE to TRISIS,” written by Joe Slowik of Hanover, MD-based Dragos.
In these attacks, purpose-built software was leveraged as part of multi-stage attacks that not only sought to undermine system integrity so as to disrupt the process, but that were also meant to cause destruction or bring coercion to bear.
The first of these, in 2010, was Stuxnet, a deliberate attack on Iran’s nuclear enrichment activities carried out with complex malware. Rather than simply make the centrifuges destroy themselves, Stuxnet used infected Siemens PLCs to degrade operations while hiding the cause of the degradation. The malware increased the production defect rate while shortening centrifuge operational life.
Two distinct variants were observed. One made it difficult to detect over-pressure conditions in the affected centrifuges. The other alternated centrifuge rotation speeds between extremes. The resulting loss of view through the ICS degraded confidence in the centrifuges, whose erratic behaviour remained unexplained, according to the Dragos paper.
Crash without burn
CRASHOVERRIDE was a purpose-built, semi-modular malware framework used during a 2016 Ukraine power event. The event targeted electric transmission operations and produced its ICS effects by encoding process manipulation in purpose-built software.
Although the tools involved were not used to their full potential, they could have enabled a multi-stage event meant to cause physical destruction through a loss of protection on the impacted systems.
SCADA disablement produced a loss of view and control and also inhibited recovery. Moreover, the attackers deployed a denial of service against Siemens SIPROTEC protective relays, introducing several layers of uncertainty. One motive for this might have been to damage rotating equipment. However, CRASHOVERRIDE failed to work as intended.
TRISIS, also known as Triton, first emerged in 2017 as a safety-focused event at an oil and gas refinery in Saudi Arabia. Execution of the exploit was the final step in a long-term, multi-stage intrusion that first had to gain access and gather information before the ICS attack could be carried out.
TRISIS represents a direct effort to build an in-memory backdoor or rootkit-level functionality to allow an attacker to gain unfettered, undetected control over a Schneider Electric Triconex safety-instrumented system (SIS).
That TRISIS tripped the Triconex devices within the refinery environment appears, to Dragos, to have been unintended. TRISIS’ true goal was to “enable surreptitious access to the SIS devices while enabling arbitrary modification of SIS functionality after installation,” says Slowik.
This is more complex and, for the attacker at least, more interesting functionality than simply disrupting a safety system. It could allow an attacker to modify SIS parameters so as to reduce the system’s response to unsafe conditions. Dragos believes it likely that the intruders also had access to the distributed control system environment.
As with CRASHOVERRIDE, TRISIS represents a worrying escalation in attacker capabilities and ambitions, even though in practice those ambitions were never truly realized, says Dragos.
The limited success of these attacks may lead some to question their efficacy and seriousness, but had one or more elements not failed to work as intended, the consequences could have been serious. These failures were mainly due to the attackers’ immature understanding of ICS environments.
Bad actors have subsequently demonstrated sustained commitment to alleviating these shortfalls.