New report from FireEye (via Reuters) says that a plan of an unmentioned nature and location was forced to shut down when a hack targeted its industrial safety system. This is the first time a breach of this nature took place. The digital assault to the plant’s safety system is clearly serious, but things could have been much worse had the plant not shut down.
Hackers used a malware called Triton. The malware hijacked a workstation using Schneider Electronic’s Triconex safety technology, which is typically used in power plants. The hackers had hoped to modify controllers that could pinpoint safety issues, but some of the controllers entered a fail safe station in response to this attack and shut down the entire plan. This lead operations to conduct an investigation that caught the malware on their system. Triton itself is fairly sophisticated. The malware would try to recover failed controllers to avoid raising alerts, and it would even go as far as to overwrite its own programs with junk data if it couldn’t salvage a controller inside the timed window it had for takeover.
FireEye noted that the hack wasn’t made possible by a flaw in Triconex itself, but rather it appears to be an “isolated incident.” FireEye said that the hack was “consistent” with a “nation state” readying an attack. This is especially concerning if the hackers learned from their mistake and launch another attack in the future.
Having power plants shut down is bad, but it would have been far worse if the malware could fully circumvent and manipulate the safety system. This would be further damaging to the facility and lead to an even longer shutdown or worse consequences. This leads us to believe that companies and government should prioritize defending critical infrastructure if they want to avoid such attacks taking place.