A new form of malware has been designed to disrupt industrial safety systems such as those found in oil and gas facilities, manufacturing plants, and even nuclear plants.
The malware, known as Triton, was discovered by security firm FireEye, which was able to “assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations.” The attack framework is built to interact with, and interfere with, a specific family of safety instrumented system (SIS) controllers (Schneider Electric’s Triconex line), the dedicated devices whose only job is to bring a process to a safe state when it leaves its operating limits. The firm believes “the activity is consistent with a nation state preparing for an attack.”
Triton has also been monitored for the past month by another security firm, Dragos Inc. (which tracks it under the name TRISIS), Wired reports. The malware was spotted operating at a facility in the Middle East, though it’s unclear who is behind it.
Wired notes that Triton is “just the third-ever known malware specimen focused on damaging or disrupting physical equipment,” after Stuxnet and Industroyer. The first known use of the malware appears to have been only a test, and the plant shutdown it caused looks unintended, but a deliberate attack using the same capability could have grave consequences.
FireEye described three ways a malicious actor could use Triton. The first is to make the safety controller shut down a process that is already in a safe state, essentially a false positive: a spurious trip that causes considerable downtime and likely forces a costly, complex restart procedure.
The other two are more serious. The second reprograms the safety controller so that it allows the process to remain in an unsafe state, raising the risk of any number of hazardous situations at a manufacturing or power plant. The third combines that with manipulation of the process itself: the attacker drives the system into an unsafe state while the safety controller has been altered so that it will not trip, removing the last automated barrier between a process upset and physical harm.
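The three outcomes above all come down to what the safety controller’s trip logic does when the process crosses a limit. The following toy simulation is an added illustration, not code from the article, FireEye, Dragos or any real safety controller: it models a single high-pressure trip, shows how each of the three scenarios maps onto a change to that logic, and ends with the check a practitioner would want, comparing the logic running on the controller against a known-good engineering baseline. The pressure values, the 100 bar limit and the function names are all constructed for the example.

```python
"""Toy model of SIS trip logic and the three Triton-style outcomes (constructed example)."""
from dataclasses import dataclass, replace
import hashlib
import json

HIGH_PRESSURE_LIMIT = 100.0  # constructed: pressure (bar) above which the process is unsafe


@dataclass(frozen=True)
class SafetyLogic:
    """Stand-in for the trip program loaded on a safety controller (hypothetical)."""
    high_trip: float        # trip when the process pressure reaches this value
    enabled: bool = True    # False models logic rewritten so it never trips

    def fingerprint(self) -> str:
        """Stable hash an engineering workstation can keep as the known-good baseline."""
        blob = json.dumps({"high_trip": self.high_trip, "enabled": self.enabled}, sort_keys=True)
        return hashlib.sha256(blob.encode()).hexdigest()


def simulate(logic: SafetyLogic, pressures: list[float]) -> dict:
    """Run the trip logic over a sequence of process readings.

    Returns the sample index at which the controller tripped (None if never) and
    how many samples the process spent above HIGH_PRESSURE_LIMIT without a trip,
    i.e. unsafe operation that the safety layer failed to stop.
    """
    tripped_at = None
    unsafe_samples = 0
    for i, p in enumerate(pressures):
        if logic.enabled and p >= logic.high_trip:
            tripped_at = i
            break  # a tripped plant is shut down; no further readings matter
        if p > HIGH_PRESSURE_LIMIT:
            unsafe_samples += 1
    return {"tripped_at": tripped_at, "unsafe_samples": unsafe_samples}


BASELINE = SafetyLogic(high_trip=HIGH_PRESSURE_LIMIT)   # legitimate engineering configuration

NORMAL_RUN = [60.0, 70.0, 80.0, 75.0, 65.0]     # constructed: safe, steady operation
EXCURSION = [60.0, 90.0, 110.0, 120.0, 125.0]   # constructed: a genuine overpressure event


def spurious_trip() -> dict:
    """Scenario 1: trip point lowered so a safe process trips (false positive, downtime)."""
    tampered = replace(BASELINE, high_trip=50.0)
    return simulate(tampered, NORMAL_RUN)


def suppressed_trip() -> dict:
    """Scenario 2: trip logic disabled so a real excursion is never stopped."""
    tampered = replace(BASELINE, enabled=False)
    return simulate(tampered, EXCURSION)


def induced_hazard() -> dict:
    """Scenario 3: trip suppressed and the process itself driven past the safe limit."""
    tampered = replace(BASELINE, enabled=False)
    driven = [p + 45.0 for p in NORMAL_RUN]   # attacker pushes a safe process over the limit
    return simulate(tampered, driven)


def logic_tampered(deployed: SafetyLogic, baseline_fingerprint: str) -> bool:
    """Integrity check: does the logic on the controller still match the trusted baseline?

    Only meaningful if the baseline fingerprint is stored somewhere the attacker
    cannot rewrite along with the controller (e.g. offline change records).
    """
    return deployed.fingerprint() != baseline_fingerprint


if __name__ == "__main__":
    print("baseline, normal run :", simulate(BASELINE, NORMAL_RUN))
    print("baseline, excursion  :", simulate(BASELINE, EXCURSION))
    print("1 spurious trip      :", spurious_trip())
    print("2 suppressed trip    :", suppressed_trip())
    print("3 induced hazard     :", induced_hazard())
    print("tamper detected      :", logic_tampered(SafetyLogic(high_trip=50.0), BASELINE.fingerprint()))
```

Note that the two dangerous scenarios leave the process running with no trip at all, so nothing on the operator’s safety panel looks wrong; that is why the integrity comparison against an independently stored baseline, rather than the controller’s own status, is the check worth having.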
Dragos Inc. founder Rob Lee told Wired that he doesn’t expect this particular method of attack to show up in North America or Europe, “but the adversary has created a blueprint to go after safety systems.” And that’s a major concern.