Creighton Magid is a partner at the international law firm Dorsey & Whitney. Magid is an expert in product liability and cybersecurity who has worked extensively with the Consumer Product Safety Commission. He says this discovery should put industries and IT professionals on high alert.
TRITON appears to be the latest generation of malware targeting industrial control systems for the purpose of disrupting or destroying an industrial process, rather than for stealing data. (The first two were Stuxnet – used to destroy nuclear enrichment centrifuges in Iran – and Industroyer – which attacked Ukrainian power facilities.)
TRITON appears to work by reprogramming the controllers of a Safety Instrumented System (SIS) – a control system that monitors, through sensors and actuators, a physical process. By taking control of the SIS, a bad actor can either shut down an industrial process by tricking the SIS into erroneously thinking something is wrong with the industrial process or can damage or destroy an industrial process by causing the industrial process to operate in an unsafe way without triggering a shutdown or warning.
In the first case, the damage is economic: the facility is shut down unnecessarily, causing less output. In the second case, the results could be catastrophic: the destruction of a plant and, possibly, human casualties.
One of the vulnerabilities exploited by TRITON is the increasingly common practice of integrating SIS and industrial control systems. If the two are segregated, malware such as TRITON is much less threatening.
The emergence of TRITON underscores the need for factories and utilities to evaluate their cyber vulnerabilities and to rethink their control and cyber defense strategies. The laggards are going to face huge financial risks, not only from the event itself but also from liability to shareholders, customers, and others.