Triton and the new wave of IIoT security threats

As IIoT grows in prominence, so too does its status as a target for malicious hackers – particularly given its increased impact on the physical world; the latest and potentially most dangerous is called Triton.

Triton first reared its ugly head near the end of 2017, according to security company Fireeye. It targets an industrial safety system made by Schneider Electric that monitors and secures valves, turbines and the like and shuts them down if it determines they are about to fail and cause explosions or other consequences that could damage the facility or cause harm to people. (It’s named Triton because it targets the widely used Schneider Electric Triconex industrial safety system.)

Patrick Daly, an IoT security analyst at 451 Research, said direct attacks against the Triconex system are frightening.  “It’s the only real instance we’ve seen where it’s designed to disrupt operations but that if attacks are carried out using it, people could get hurt,” said Daly.

Superficially, operational-technolog networks are a relatively hard target to infect with malware because directly attacking the network often requires physical access. Yet the same IT network that bad actors have been practicing against for decades offers them a way in. The same social engineering techniques that have proven effective time after time can provide an attacker with access to the IT network, and, from there, interference with OT can commence.

“The actual path is very similar to what happens in general cybersecurity, but what is very interesting is, again, the impact and the need for creating [industrial control system] security with more of a light glove than what we use to control IT systems,” said IoTium CTO Sri Rajagopal.

The problem, according to Dave Weinstein, vice president of threat research at industrial cybersecurity firm Claroty, is that it’s far from a trivial task to separate the OT and IT networks in a secure way. Flat networks, with no segmentation, are easy targets for malicious hackers, but the process of segmenting the networks logically, while maintaining the required interconnectivity, requires a lot of work, mostly configuring firewalls, switches and other gear to enforce the logical separation of the different network segments.

“Network segmentation projects can last years, especially at the enterprise level and especially with multinational corporations,” he said.

What’s to be done?

The first thing, experts agree, is to recognize that the “security-by-obscurity” approach won’t work anymore, and to inventory what’s on your network. Visibility, all three experts agreed, is everything, and it’s something that many companies aren’t working on hard enough.

READ MORE HERE