Several cyberattack attempts against critical infrastructure across the U.S. have been observed that exploit internet-accessible IT and Operational Technology (OT) networks. Recently, ICS-CERT issued an advisory about critical bugs in the Schneider Electric Triconex TriStation and Tricon Communication Module (TCM).
Vulnerable OT Systems
The advisory explains that attackers have become more focused on targeting Industrial Control Systems (ICS) by using the IT network as a path onto the OT side.
- The vulnerabilities in Triconex's Tricon and TriStation systems could be exploited by an attacker to view clear-text data on the network, cause a denial-of-service condition, or gain improper access.
- The bugs affect legacy versions of Tricon Communication Module (TCM) Models 4351, 4352, 4351A/B, and 4352A/B installed in Tricon v10.0 to v10.5.3 systems.
- They also affect TriStation 1131 v1.0.0 to v4.9.0, v4.10.0, and v4.12.0 running on Windows NT, Windows XP, or Windows 7.
These ICS attacks are capable of shutting down complete operations of power plants, factories, oil and gas refineries, and more.
The advisory also notes that organizations need to protect against sophisticated living-off-the-land tactics, such as modifying safety instrumented system (SIS) controllers, that were used during the TRITON attack.
- The TRITON malware, possibly created by the XENOTIME APT group, was first observed in the wild in March 2017, when it targeted Schneider Electric’s Triconex SIS in the Middle East.
- By May 2018, the group had expanded its industrial cyberattacks to other organizations worldwide.
- In 2019, XENOTIME went on to attack electric utility companies in the United States and the Asia-Pacific region, and even managed to compromise several ICS vendors, potentially enabling a supply chain attack.
The Bottom Line
Patching and mitigating threats across the civilian and military OT landscape is critically important because of the sensitivity of these environments. Organizations and institutions are advised to perform a proper impact analysis and risk assessment before applying the recommended precautionary measures.