NSA Urgently Warns on Industrial Cyberattacks, Triconex Critical Bug

Power plants, factories, oil and gas refineries and more are all in the sights of foreign adversaries, the U.S. warns.

The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert warning that adversaries could be targeting critical infrastructure across the U.S.

Separately, ICS-CERT issued an advisory on a critical security bug in the Schneider Electric Triconex TriStation and Tricon Communication Module. These safety instrumented system (SIS) controllers are responsible for shutting down plant operations in the event of a problem and act as an automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. They’ve been targeted in the past, in the TRITON attack of 2017.

“Over recent months, cyber-actors have demonstrated their continued willingness to conduct malicious cyber-activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets,” said the NSA/CISA joint advisory, released on Thursday. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”

Vulnerable OT Systems

The advisory goes on to point out that OT systems often consist of legacy equipment that was never designed to be connected to the internet or to defend against malicious cyber-activity. At the same time, more and more utilities, petrochemical installations, factories and so on are looking to increase remote operations. This means conducting various activities over the web, using an IT network to connect to the OT side, enabling monitoring, instrumentation and control, OT asset management/maintenance and, in some cases, process operations and maintenance.

Generally, adversaries are using spearphishing efforts to obtain initial access to the organization’s IT network, before pivoting to the OT network, the advisory added.

“Combined with readily available information that identifies OT assets connected via the internet (e.g., Shodan, Kamerka), are creating a ‘perfect storm’ of easy access to unsecured assets, use of common, open-source information about devices, and an extensive list of exploits deployable via common exploit frameworks,” the agencies warned.

The NSA/CISA advisory also detailed that several cyberattack attempts have been observed in the wild. These include attempts to: deploy commodity ransomware on both IT and OT networks; communicate with controllers and download modified control logic; use vendor engineering software and program downloads; and modify control logic and parameters on programmable logic controllers (PLCs). PLCs are responsible for directly reading and manipulating physical processes in industrial environments.

If successful, these efforts could result in an OT network going down, a partial loss of view for human operators, lost productivity and revenue, or, in the worst-case scenario, adversary control and disruption to physical processes.

“Cyber campaigns are an ideal way for nation-states to apply pressure on the global stage, because they offer the advantage of plausible deniability plus the rules of engagement are undefined,” Phil Neray, vice president of industrial cybersecurity at CyberX, said via email. “This NSA/CISA advisory is particularly interesting because it appears to be tied to ongoing campaigns targeting industrial control systems, and it explicitly mentions the need for organizations to protect against sophisticated living-off-the-land tactics such as modifying the control logic in process controllers, which is exactly what we saw in the TRITON attack.”

Two partial-loss-of-view incidents have been recorded in the U.S. before: One was a ransomware attack on a pipeline in February that knocked it offline for two days; and the other was an attack on a wind-and-solar power plant last November. Loss of view means that the organization loses the ability to monitor the current status of its physical systems.

Neray said in an interview with Threatpost at the time that “if an attacker wanted to shut down parts of the grid, one of their first steps might be precisely this loss-of-view step, because it would leave utility operators ‘blind’ to subsequent disruptive actions the attackers would take, such as switching relays off to halt the flow of electricity.”

Triconex Redux…and a Critical Bug

Corresponding with the NSA/CISA alert is an ICS-CERT advisory about a handful of bugs, one critical and ranking 10 out of 10 on the CVSS vulnerability-severity scale, in Triconex SIS equipment from Schneider.

“Successful exploitation of these vulnerabilities may allow an attacker to view clear text data on the network, cause a denial-of-service condition or allow improper access,” according to the document.

The disclosure is concerning, given the targeting of this Triconex SIS in the past. In 2017, a Middle Eastern oil and gas petrochemical facility was hit with a malware called TRITON (also TRISIS or HatMan), which went beyond other industrial cyberattacks because it directly interacted with and controlled the Triconex SIS. Because the SIS is the last line of automated safety defense for industrial facilities (i.e., protection functions meant to safeguard human lives), shutting it down paves the way for a destructive, physical attack that’s unhampered by failsafe mechanisms. In the case of the TRITON attack, that next stage thankfully never came – the attack was manually thwarted before it could get that far.

The new crop of bugs impacts TriStation 1131, v1.0.0 to v4.9.0, v4.10.0, and 4.12.0, operating on Windows NT, Windows XP or Windows 7; and Tricon Communications Module (TCM) Models 4351, 4352, 4351A/B, and 4352A/B installed in Tricon v10.0 to v10.5.3 systems. Current and more recent versions are not exposed to these specific vulnerabilities – but many ICS installations are still running legacy versions.

The critical bug (CVE-2020-7491) is an improper access control flaw: “A legacy debug port account in TCMs installed in Tricon system Versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access.”

There are also four less-severe issues. The bug tracked as CVE-2020-7484 (severity rating of 7.5) allows uncontrolled resource consumption, according to ICS-CERT: “A vulnerability related to the password feature in TriStation 1131 Versions 1.0 through 4.12.0 could allow a denial-of-service attack if the user is not following documented guidelines pertaining to dedicated TriStation 1131 connection and key-switch protection.”

Meanwhile, an uncontrolled resource consumption bug (CVE-2020-7486), also with a CVSS score of 7.5, could cause TCMs installed in Tricon system Versions 10.0.0 through 10.4.x to reset when under high network load. This reset could result in a denial-of-service condition on the SIS.

Another bug (CVE-2020-7485) is a hidden-functionality issue, severity rating of 5.5: “A vulnerability related to a legacy support account in TriStation 1131 versions 1.0 through 4.9.0 and 4.10.0 could allow inappropriate access to the TriStation 1131 project file.”

And finally, CVE-2020-7483 (severity rating of 5.3) allows cleartext transmission of sensitive information. “A vulnerability related to the ‘password’ feature in TriStation 1131 Versions 1.0 through 4.12.0 could cause certain data to be visible on the network when the feature was enabled,” according to the advisory.
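For an asset owner, the practical first step after an advisory like this is to map the quoted version ranges onto an inventory of TriStation workstations and TCMs. The following script is an added example written for this article; it is not code from Threatpost, ICS-CERT or Schneider Electric. The version ranges and CVSS scores are the ones quoted above; the product tags (`tcm`, `tristation`), the function names and the sample inventory entries are assumptions constructed for illustration, and the TriStation Windows platform is not modeled. It is a triage aid, not a substitute for the vendor's advisory.

```python
"""Inventory triage against the Triconex advisory ranges quoted in the article.

Added example; the ADVISORY table transcribes the ranges stated in the text,
everything else (product tags, sample assets, function names) is constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
WILDCARD = 10**9  # stands in for the 'x' in an upper bound such as "10.4.x"


def parse_version(text: str) -> Version:
    """Turn 'v10.4.2', '4.10' or '10.4.x' into a comparable (major, minor, patch) tuple.

    Missing components are padded with 0 so that '4.10' compares as 4.10.0;
    an 'x' component becomes WILDCARD so that '10.4.x' sits above every 10.4.N.
    """
    parts = text.strip().lower().lstrip("v").split(".")
    nums = [WILDCARD if p == "x" else int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


# (CVE id, product tag, CVSS score, inclusive (low, high) version ranges),
# transcribed from the ICS-CERT text quoted in the article. Product tags are
# an assumption of this example: "tcm" = Tricon Communication Module as installed
# in a Tricon system version, "tristation" = TriStation 1131 software version.
ADVISORY: List[Tuple[str, str, float, List[Tuple[str, str]]]] = [
    ("CVE-2020-7491", "tcm", 10.0, [("10.2.0", "10.5.3")]),
    ("CVE-2020-7484", "tristation", 7.5, [("1.0", "4.12.0")]),
    ("CVE-2020-7486", "tcm", 7.5, [("10.0.0", "10.4.x")]),
    ("CVE-2020-7485", "tristation", 5.5, [("1.0", "4.9.0"), ("4.10.0", "4.10.0")]),
    ("CVE-2020-7483", "tristation", 5.3, [("1.0", "4.12.0")]),
]


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test on parsed version tuples."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def matching_cves(product: str, version: str) -> List[Tuple[str, float]]:
    """Advisory entries whose ranges cover this product/version, highest CVSS first."""
    hits = [
        (cve, score)
        for cve, prod, score, ranges in ADVISORY
        if prod == product and any(in_range(version, lo, hi) for lo, hi in ranges)
    ]
    return sorted(hits, key=lambda hit: -hit[1])


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, float]]]:
    """Map each asset name to the advisory entries that apply to it."""
    return {item["asset"]: matching_cves(item["product"], item["version"]) for item in inventory}


# Constructed sample inventory: hypothetical site names and versions, not real assets.
SAMPLE_INVENTORY = [
    {"asset": "site-a-sis-tcm-01", "product": "tcm", "version": "v10.3.1"},
    {"asset": "site-a-eng-ws-01", "product": "tristation", "version": "4.10.0"},
    {"asset": "site-b-eng-ws-01", "product": "tristation", "version": "4.11.0"},
    {"asset": "site-b-sis-tcm-01", "product": "tcm", "version": "v10.6.0"},
]

if __name__ == "__main__":
    for asset, hits in triage(SAMPLE_INVENTORY).items():
        if hits:
            print(f"{asset}: " + ", ".join(f"{cve} (CVSS {score})" for cve, score in hits))
        else:
            print(f"{asset}: outside every range quoted in the advisory")
```

Note the edge cases the ranges themselves force: CVE-2020-7485 needs two ranges because 4.10.0 is listed separately from 1.0 through 4.9.0, and the "10.4.x" upper bound of CVE-2020-7486 has to include every 10.4 patch level while excluding 10.5.0, which is why the `x` component is parsed as a very large number rather than zero.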

The NSA/CISA alert urges patching and mitigations across the civilian and military OT landscape, and offers steps to take within the advisory.

“OT assets are critical to the Department of Defense (DoD) mission and underpin essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical infrastructure,” it reads. “At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take…immediate steps to ensure resilience and safety of U.S. systems should a time of crisis emerge in the near term.”
