TRITON/TRISIS Response: Defend Important Networks with Unidirectional Gateways

TRITON/TRISIS is the fifth industrial malware found in the wild and the third malware specifically designed to cause damage to physical equipment and jeopardize safety. The malware warrants a stern warning to owners and operators: segment networks properly or face the consequences.

The target of the malware was the Schneider Electric’s Triconex safety instrumented system (SIS). TRITON is essentially a payload, stage 2 of an attack. At this point we don’t know how the malware was installed in the industrial network (stage 1), but this comes as no surprise, since some segments of certain industrial networks are routinely hacked. What is shocking is that both control systems and safety equipment were in the same LAN. Worse, as the Dragos report points out:

“This architecture can be especially dangerous when combined with engineering remote access. A common practice at many sites is to allow access to the process control network to engineers via the Remote Desktop Protocol”

This essentially means that attackers sipping coffee on another continent can target a safety system, the last layer of defense against dangerous physical consequences.

Yes, an improper device configuration of the SIS, set into PROGRAM node, allowed the attack to happen. However, these and other misconfigurations are common. The conversation should really center on the network path indirectly connecting the safety system to the Internet. Yes, safety systems connected to DCS networks, and indirectly to the Internet, are easier to manage, but they are also unacceptably exposed to attack.

How to properly segment critical networks? For important control networks whether they be safety networks, DCS networks or other networks, unidirectional gateways are the best security solution. The recommendation in the FireEye Report is clear:

Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.”

Why unidirectional gateways?

  • Complete isolation of safety equipment makes it impossible to integrate safety system status and sensor data into DCS systems.
  • Using firewalls to connect SIS to DCS networks introduces attack paths: firewalls are software and all software can be hacked, legitimate communications paths through firewalls can be mis-used, and firewalls are easily misconfigured.
  • Unidirectional gateways enable the connectivity benefits of monitoring SIS systems from DCS and other networks, but are physically unable to communicate any attack back into the protected network.

The lesson here is that the creation of dangerous payloads for critical infrastructure is under way. To prevent these payloads from reaching their targets, control networks need to be segmented correctly. Unidirectional gateways enable monitoring of industrial networks, without risk of network attacks.

For more information about Unidirectional Security Gateways click here.


Dr. Jesus Molina
Newsletter Signup