How Triton Malware Targets Industrial Control Systems
Dragos' Sergio Caltagirone on 'Safety vs. Security'
Industrial control systems run the technology used in advanced manufacturing, pharmaceuticals, electricity generation, oil and gas, power plants used by hospitals and much more.
Thankfully, these systems have been relatively immune to online attacks because every ICS environment is unique, meaning that attackers bent on crashing a local power grid or some other environment would need time, money and patience to study the network and determine how to disrupt it, says Caltagirone, director of threat intelligence and analytics at Dragos.
In addition, would-be attackers would have to contend not only with infiltrating operations systems, but also with the robust safety systems designed to ensure that operational equipment doesn't fail or do what it isn't supposed to do.
"Unfortunately this fall, we found out that an oil and gas facility was attacked, and there was a live adversary with a piece of malware that is designed to disrupt and disable the safety systems," he says, referring to malware known as both Triton and Trisis (see How Malware Known as Triton Threatens Public Safety).
"We think they were using this piece of malware to manage the safety system, because what we think that they were going to do was then go back to the operations side and maybe over-pressurize things - they can overheat things, things like that - and then the safety system wouldn't be able to stop it, and then you could have a catastrophic failure causing loss of life, damage to the environment. ... It would be a truly catastrophic event."
In a video interview at RSA Conference 2018, Caltagirone discusses:
- Industrial and power grid security;
- The "safety versus security" ethos that pervades the industry;
- How industrial control systems often pop up in environments that might not think they have any.
Caltagirone is Dragos' director of threat intelligence and analytics. He's also technical director of the Global Emancipation Network, a not-for-profit organization employing data analytics to disrupt human trafficking operations. Previously, he served as director of threat intelligence for Microsoft and was one of the National Security Agency's first dedicated threat intelligence analysts and a founding member of the NSA/CSS Threat Operations Center (NTOC), responsible for finding, tracking and countering sophisticated cyber threats.