In the latest report of a cyber attack, it is being suspected that state actors could be involved in causing disruptions to critical infrastructure.
The very nature of this cyber attack is causing worries to many stakeholders, including the U.S. Department of Homeland Security.
Experts in the field of cybersecurity are calling the cyber attack a watershed incident—it was carried out by planting malware in a process control mechanism to trigger a shutdown of the process and even cause damage to the equipment.
Summary of What Transpired
From the detailed account of the episode given by security experts at FireEye and confirmed in a security advisory by Schneider (the maker of the process control instrumentation that was hacked), this cyber attack was perpetrated within a critical infrastructure organization: the Triconex Safety Instrumented System (SIS) controllers were accessed illegally and the malicious software was planted on them.
Now, officially, the exact location where it occurred and the organization’s name are being withheld.
However, it is being mentioned that it was a critical infrastructure facility in Saudi Arabia.
The controller in its normal functioning would have identified any anomaly, sounded an alert and, if necessary, shut down the process.
But, by implanting this malware, which has been given the name “TRITON” by FireEye, the hacker who mounted this cyber attack has artificially created a trigger that led to the disruption in the operations.
The malicious software was only detected when the owner of the system investigated the reason for the disruption systematically.
Not Naming the Culprit
In most such cases of cyber attacks, investigators like FireEye would trace the hacker.
But here in this attack on a critical infrastructure, they are not doing so. In fact, they have gone a step beyond and expressed their strong opinion that it could only be a state actor or, in their words, a “nation state” that is behind the cyber attack.
They have attempted to give a detailed technical explanation for this.
Briefly, the very modus operandi employed in the cyber attack—the fact that no ransom demand was made, combined with the focus on disrupting critical infrastructure—is seen as an odd combination, not generally seen with cyber crime groups.
FireEye has gone on to name countries like the United States, Russia, North Korea, Iran and Israel as being capable of indulging in such activity based on similar episodes in the past.
Finally, in their assessment, instead of an all-out cyber attack, it appears to be a kind of kite-flying exercise to know if and how the malware does the intended damage, possibly with the intention to strike later.
Warning to Major Units for the Future
As has been stated previously, in these types of large-scale cyber attacks, the most vulnerable critical infrastructure facilities are nuclear power stations, large industrial units and other utilities.
They will have to get the best qualified technical experts to carry out an audit of their process control systems and explore, where possible, whether the distributed control systems and the safety systems can be segregated and protected from possible invasion by malware.
Instrumentation specialists like Schneider will also make their own efforts at improving the protocols built into their products and the software overall to prevent any malicious software, like TRITON, from gaining access or entry to their systems.