  • Importance of Reliable Safety Instrumented Systems in Preventing Accidents in OT Systems. Companies should prioritize the safety of their OT systems by adopting reliable and resilient safety instrumented systems such as Schneider Electric's Triconex, which guard against accidents whether the trigger is a cyber threat, a changing workforce, or complacency.

    Data breaches can have a major impact on our lives, and attacks on physical systems are a different kind of hack that reaches into daily routines. Companies must ensure the safety of their OT systems to avoid disasters or accidents. Safety instrumented systems are an essential layer of control over physical equipment such as valves and pumps. A massive petrochemical plant in Saudi Arabia suffered an unplanned shutdown when its Triconex safety controllers tripped and took the process down. The plant produced 140 million barrels of products yearly, and its output goes into everyday items. Safety systems like these must be reliable and resilient to avoid accidents. Cyber criminals, a changing workforce, and complacency are among the factors that erode operational integrity. Schneider Electric's Triconex is one such process safety platform.

  • Importance of Regular Maintenance and Monitoring of Safety Systems in Industrial Plants. Regular inspection, limiting network access, and following proper procedure prevent malfunctions and unauthorized changes to safety controllers, keeping safety measures functional and averting potential disasters.

    Proper maintenance and monitoring of safety systems are crucial in preventing disaster in industrial plants. Unauthorized access to safety controllers, or leaving them in program mode, can cause malfunctions and shut down the plant, resulting in financial losses and safety risks. A controller whose key switch is left in program mode accepts new logic from anyone who can reach it over the network, so both the physical switch position and the network path to the controller need watching. Regular inspection and acting on system alerts are necessary to prevent such incidents. It is also important to limit network access to safety controllers and to use secure methods of remote access. Finally, following proper procedure and not neglecting system alerts prevents unauthorized changes and keeps safety measures functional.
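The two checks above, "who is talking to the safety controllers" and "which controllers are sitting in program mode", can be automated from flow logs and key-switch state events. The following is an added example, not code from the episode or from Schneider Electric: the flow records, key-switch events, addresses, subnets and allowlist are all constructed for illustration. UDP port 1502 is the TriStation engineering-protocol port on Triconex controllers; the 60-minute program-mode threshold is an assumption.

```python
"""
Added example (not from the episode): flag TriStation engineering traffic to
safety controllers from hosts that are not approved, and safety controllers
whose key switch has been left in PROGRAM mode too long.  All data below is
constructed; addresses, subnets, the allowlist and the threshold are assumptions.
"""
from datetime import datetime, timedelta
import ipaddress

TRISTATION_PORT = 1502  # UDP; Triconex engineering (TriStation) protocol

# Assumed network layout (illustrative only).
SAFETY_CONTROLLERS = {"10.20.0.10", "10.20.0.11"}
APPROVED_ENGINEERING_HOSTS = {"10.20.0.50"}     # the one sanctioned workstation
DMZ_NET = ipaddress.ip_network("10.1.0.0/24")    # should never reach the safety net

# Constructed flow records: (timestamp, src, dst, proto, dst_port)
FLOWS = [
    ("2017-06-01T10:00:00", "10.20.0.50", "10.20.0.10", "udp", 1502),  # approved workstation
    ("2017-06-01T10:05:00", "10.20.0.77", "10.20.0.10", "udp", 1502),  # unknown host on safety net
    ("2017-06-01T10:06:00", "10.1.0.23",  "10.20.0.11", "udp", 1502),  # host in the DMZ
    ("2017-06-01T10:07:00", "10.20.0.77", "10.20.0.10", "tcp", 502),   # Modbus; out of scope here
]

# Constructed key-switch state events: (timestamp, controller, state)
KEYSWITCH_EVENTS = [
    ("2017-06-01T08:00:00", "10.20.0.10", "PROGRAM"),
    ("2017-06-01T08:30:00", "10.20.0.10", "RUN"),
    ("2017-06-01T09:00:00", "10.20.0.11", "PROGRAM"),   # never returned to RUN
]


def find_unapproved_engineering_flows(flows, controllers=SAFETY_CONTROLLERS,
                                      approved=APPROVED_ENGINEERING_HOSTS, dmz=DMZ_NET):
    """Return TriStation flows to a safety controller whose source is not on the
    engineering allowlist.  Each finding carries a reason so DMZ-origin traffic,
    which should be impossible by design, stands out from an unknown local host."""
    findings = []
    for ts, src, dst, proto, dport in flows:
        if dst not in controllers or proto != "udp" or dport != TRISTATION_PORT:
            continue
        if src in approved:
            continue
        reason = "dmz_host" if ipaddress.ip_address(src) in dmz else "unapproved_host"
        findings.append({"time": ts, "src": src, "controller": dst, "reason": reason})
    return findings


def controllers_left_in_program_mode(events, now, max_minutes=60):
    """Return controllers whose most recent key-switch event at or before `now`
    (ISO-8601 string) is PROGRAM and is older than max_minutes."""
    now_dt = datetime.fromisoformat(now)
    latest = {}
    for ts, ctrl, state in sorted(events):
        ts_dt = datetime.fromisoformat(ts)
        if ts_dt <= now_dt:                 # ignore events from the future
            latest[ctrl] = (ts_dt, state)
    stale = []
    for ctrl, (ts_dt, state) in sorted(latest.items()):
        if state == "PROGRAM" and now_dt - ts_dt > timedelta(minutes=max_minutes):
            stale.append({"controller": ctrl, "in_program_since": ts_dt.isoformat()})
    return stale


if __name__ == "__main__":
    for f in find_unapproved_engineering_flows(FLOWS):
        print("ALERT engineering traffic:", f)
    for s in controllers_left_in_program_mode(KEYSWITCH_EVENTS, "2017-06-01T11:00:00"):
        print("ALERT key switch:", s)
```

The point of the two reasons is triage order: an unapproved host on the safety network may be a technician's laptop, but a DMZ host reaching an engineering port means a segmentation boundary has been crossed and is the first thing to pull logs for.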

  • The Importance of Incident Responders in Emergency Shutdown Systems. Proper incident response by skilled responders is crucial to preventing catastrophic results. Immediate on-site response is necessary to identify and mitigate security threats, and interviewing everyone involved gathers valuable information.

    Proper functioning of emergency shutdown systems is crucial for preventing catastrophic results. Incident responders play an important role in investigating and identifying potential security threats and taking appropriate action. Immediate on-site response is necessary to conduct incident response and forensics and to limit the impact of a security incident. Responders keep go-bags packed so they can travel on short notice to conduct investigations. A skilled team is needed to handle incidents like these and to gather information by interviewing everyone involved.

  • Investigating a Plant Shutdown and Identifying the Culprit. Analyzing the controllers themselves, considering both insiders and outside parties, and paying special attention to unusual files is crucial when investigating a plant shutdown, even in a hazardous environment.

    Investigating the cause of a plant shutdown requires analyzing the actual controllers and identifying any changes made to them. Safety controllers are embedded systems with limited functionality, which makes it difficult to extract programs from them or run diagnostics on them. Integrity verification commands can be used to compare what is on the controller with what is in the engineering system's project. A discrepancy in IO points was identified as the cause of the shutdown. The investigation also looked at whether the shutdown was caused by an insider or an outside party, and analyzed the engineering workstations for clues. The presence of unusual files on the system, such as a Python DLL in an HP folder, indicated that something was amiss. The investigation was challenging and carried inherent risks because the work was done in a noisy, hot, chemically hazardous environment.
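Both findings above, the IO-point discrepancy between controller and project and the unexpected DLL on the workstation, are baseline comparisons. The following is an added example, not code from the episode, Dragos or Schneider Electric: it compares a controller's IO-point table against the engineering project copy, attribute by attribute, and checks a workstation file inventory against a known-good manifest. The tag names, slots, file paths, file contents and hashes are all constructed for illustration and are not real Triconex or plant data.

```python
"""
Added example (not from the episode): offline integrity verification.
1. diff_io_points()        - controller IO table vs. engineering project copy
2. audit_workstation_files() - workstation inventory vs. known-good manifest
All data below is constructed; tags, paths and hashes are illustrative only.
"""
import hashlib

# Constructed: IO points as stored in the engineering project (tag -> attributes)
PROJECT_IO = {
    "PT-101": {"type": "AI", "slot": 1, "channel": 3, "trip_high": 850.0},
    "XV-202": {"type": "DO", "slot": 4, "channel": 1, "fail_state": "closed"},
    "AT-303": {"type": "AI", "slot": 1, "channel": 7, "trip_high": 10.0},   # H2S analyser (assumed)
}

# Constructed: the same table as read back from the controller
CONTROLLER_IO = {
    "PT-101": {"type": "AI", "slot": 1, "channel": 3, "trip_high": 850.0},
    "XV-202": {"type": "DO", "slot": 4, "channel": 2, "fail_state": "closed"},  # channel differs
    "AT-303": {"type": "AI", "slot": 1, "channel": 7, "trip_high": 10.0},
    "TMP-99": {"type": "DI", "slot": 6, "channel": 1},                          # not in project
}


def diff_io_points(project, controller):
    """Return tags only on the controller, tags only in the project, and for
    shared tags every attribute whose value differs, as (project, controller)."""
    added = sorted(set(controller) - set(project))
    removed = sorted(set(project) - set(controller))
    changed = {}
    for tag in sorted(set(project) & set(controller)):
        p, c = project[tag], controller[tag]
        delta = {k: (p.get(k), c.get(k))
                 for k in sorted(set(p) | set(c)) if p.get(k) != c.get(k)}
        if delta:
            changed[tag] = delta
    return {"added": added, "removed": removed, "changed": changed}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good manifest for the workstation (path -> sha256 of content)
BASELINE_MANIFEST = {
    r"C:\Program Files\Triconex\TriStation\tristation.exe": sha256_hex(b"constructed-tristation-binary"),
}

# Constructed current inventory of the workstation (path -> file bytes)
CURRENT_FILES = {
    r"C:\Program Files\Triconex\TriStation\tristation.exe": b"constructed-tristation-binary",
    r"C:\Program Files\HP\python27.dll": b"constructed-unexpected-dll",
}

EXECUTABLE_EXT = (".exe", ".dll", ".pyd")


def audit_workstation_files(baseline, current):
    """Compare an inventory against the manifest: files missing, files whose hash
    changed, files the manifest does not know, and the subset of those that are
    executable code (the ones to pull first for analysis)."""
    current_hashes = {path: sha256_hex(data) for path, data in current.items()}
    missing = sorted(p for p in baseline if p not in current_hashes)
    modified = sorted(p for p in baseline
                      if p in current_hashes and current_hashes[p] != baseline[p])
    unexpected = sorted(p for p in current_hashes if p not in baseline)
    unexpected_exec = [p for p in unexpected if p.lower().endswith(EXECUTABLE_EXT)]
    return {"missing": missing, "modified": modified,
            "unexpected": unexpected, "unexpected_executables": unexpected_exec}


if __name__ == "__main__":
    print(diff_io_points(PROJECT_IO, CONTROLLER_IO))
    print(audit_workstation_files(BASELINE_MANIFEST, CURRENT_FILES))
```

The diff reports the attribute that changed rather than just "XV-202 differs", because on a safety controller a moved output channel and a changed trip limit call for very different follow-up. The file audit needs a manifest taken when the workstation was known good; without one, "unexpected" degrades to "unfamiliar".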

  • Importance of a Strong Incident Response Plan in Plant Cybersecurity. A strong incident response plan, and the willingness to act on it to safeguard the plant and its employees, is essential to plant cybersecurity. Network equipment with good logging helps responders collect valuable evidence during the response.

    The safety controller in the sulfur recovery unit, responsible for shutting down plant operations in case of unsafe levels of H2S, had gone down as a result of the malware attack. Despite the risks, management was hesitant to shut down the plant and start a thorough investigation. The incident response team eventually traced the attack to an external party that had exploited a computer inside the DMZ. Network equipment with good logging helped the response team collect valuable evidence. The incident highlights how essential it is to have a strong incident response plan in place and to take the necessary actions to safeguard the plant and its employees from potential dangers.

  • Incident Response Team and the Importance of Securing Industrial Control Systems. The discovery of advanced malware on an engineering workstation in a petrochemical facility highlights the need to secure such workstations against remote attack and the importance of proactive threat detection and prevention in industrial control systems.

    Once the incident response team had identified the attack on the system and its source, their goals shifted from initial triage to cleanup and prevention. The discovery of advanced malware on the engineering workstation, and the deletion of those files by an unknown party, highlights the importance of securing engineering workstations from remote attacks. The wider targeting campaign meant that other petrochemical and oil and gas facilities within the kingdom were also at risk. The investigation led FireEye to analyze the malware, which could have caused serious harm if the targeted emergency shutdown systems had been compromised. Overall, the incident illustrates the importance of securing industrial control systems and the need for a proactive approach to threat detection and prevention.

  • The Triton Malware: A Threat to Industrial Plants. The Triton malware could cause severe damage to an industrial plant by instructing valves to operate unsafely, disabling safety systems, and making emergency shutdown systems ignore unsafe conditions, posing a significant risk to both safety and finances.

    The Triton malware was a sophisticated program capable of unleashing catastrophic damage on an industrial plant. The attackers understood the culture and sensitive operations of such plants and brought a new level of expertise in both IT and OT systems. The malware could instruct valves to operate in an unsafe state, instruct the safety system not to shut down or even raise an alert, and make the emergency shutdown system ignore unsafe operating levels. Triton was a passive implant: it installed itself into the controller's memory and waited for a specific packet to activate it. The damage payload associated with Triton could have led to major safety incidents and financial losses for the plant.

  • The Dangers of Cyber-Attacks on Safety Systems in Industrial Plants. Cyber-attacks on safety systems in industrial plants can have severe physical consequences, including human casualties. International regulation is needed to deter such attacks, which are complex, time-consuming, and demand high-level expertise.

    A cyber-attack on the safety systems of an industrial plant can have severe physical consequences, including human casualties. Targeting systems that protect civilians ought to be off-limits, yet it is not specifically regulated. Such attacks may also result in prolonged shutdowns that ripple into the economy. These incidents highlight the need for international regulation of such attacks. The attackers behind such malware need unrestricted access to the systems and a high skill set to compromise both IT and OT environments. An attack like this takes years to execute and requires detailed knowledge of the particular safety controllers and their software. The episode characterizes such attacks as cyber-terrorism carried out by actors with effectively unlimited resources and time.

  • TRISIS Malware Targets Industrial Safety Systems, Posing a Threat to Human Life. The discovery of TRISIS highlights the importance of industrial security as a discipline separate from IT security, with tailored best practices to protect against targeted threats to industrial control systems.

    The TRISIS malware, also known as Triton, was discovered by the threat intelligence group within Dragos, which investigates security threats to industrial control systems. The malware specifically targets safety systems and therefore has the potential to endanger human life. The discovery prompted Dragos CEO Robert Lee to inform the Department of Homeland Security, since it showed that hackers somewhere in the world had broken into a chemical plant in Saudi Arabia with the capability to cause a major, terrorism-scale incident. The incident underscores the importance of industrial security as a separate and distinct discipline from IT security, and the need to develop best practices tailored to the unique mission and threats of industrial control systems.

  • Moscow's Central Scientific Research Institute of Chemistry and Mechanics Suspected in Cyberattack. Research institutions with departments covering advanced informatics and critical infrastructure security can build cyber capabilities; cybersecurity is a community effort in which sharing threat information is key.

    Cybersecurity is a community effort, and companies often work together for the benefit of the community against a common adversary. FireEye suspected that Moscow's Central Scientific Research Institute of Chemistry and Mechanics was behind the attack. Although it may sound implausible that a laboratory could build a cyber capability, it is not unusual: such research institutions have departments devoted to advanced informatics and critical infrastructure security. There is evidence that some of the Triton team's intrusion activity against known organizations was conducted from an IP address in Moscow. Cybersecurity companies tend to publish threat information only once it is about to become public anyway, so that their customers and the wider community stay informed.

  • State-Backed Attack on Industrial Networks: The Triton Attack. The Triton attack, most likely carried out by a state actor, shows that even adversaries with advanced attack infrastructure leave traces, and that defenders of key industrial networks and safety systems need to be positioned to see them.

    The Triton attack was likely carried out by a state actor: its complexity and sophistication point to a group with advanced attack infrastructure and motivation beyond financial gain. The attackers may have worked in collaboration with a research institute, possibly alongside Russian intelligence agencies. They continued to refine and customize their tooling over the years and targeted key industrial networks and safety systems. Although the attackers did not hide their tracks well, attribution remains challenging. The attack is a reminder that adversaries with this level of infrastructure will keep coming, and that the traces they leave, including poorly covered tracks, are exactly what defenders must be equipped to detect and act on.

  • Attribution in Cyber-Attacks Is More Complex Than You Think. Attribution in cyber-attacks requires many factors to line up and a high level of confidence, which is hard to reach in the private sector. Geopolitical considerations, such as intelligence agencies, allies, and vendors of capabilities, must be taken into account.

    Attribution in cyber-attacks is significantly more difficult than people make it out to be. A high-confidence attribution requires many components working together. What the private sector calls a high-confidence assessment would often be a low or moderate-confidence assessment in government. Further, national critical infrastructure and cyber-attacks create a tense situation between state players, so caution is needed before pinpointing a country. Most intelligence requirements in the private sector relate to how to do better security and what to prioritize, and none of those requires true attribution of the attacker. Lastly, the discussion around attribution is more nuanced at a geopolitical level than what is generally seen from a cybersecurity audience: it requires considering different intelligence agencies, military agencies, allies, and vendors of capabilities.

  • Clustering Intrusions for Effective Defense Recommendations. Analyzing clustered intrusions is a powerful technique for tracking threat actors and producing better defense recommendations. The threat activity group Xenotime poses a serious risk by targeting human life and disrupting oil and gas infrastructure, which makes effective defense strategies imperative.

    Clustering intrusions into a group and analyzing them together is an effective way to track an adversary and make defense recommendations. Xenotime is the only publicly known threat that has shown both the intent and the capability to target human life, which makes it the most dangerous threat activity group. Cyber-attacks on oil and gas infrastructure can destabilize a strategic regional or non-regional adversary. Such an attack could help a state adversary achieve political or economic goals, delay IPOs, and create public perception problems. Attackers could also use it as training to gain combat experience. All reasonable analysis points to a state actor targeting Saudi Arabia to disrupt a portion of its oil and gas infrastructure.
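"Clustering intrusions into a group" means linking separate cases that share enough observables (tooling, infrastructure, victims) to treat them as one activity group and write defenses for the group rather than for a single case. The following is an added example of that mechanic, not code or methodology from Dragos or the episode: the intrusion records and their indicators are constructed, and the linking rule (at least two shared indicators spanning at least two categories, so a single coincidental overlap does not merge unrelated cases) is an assumption chosen for illustration.

```python
"""
Added example (not from the episode or Dragos): group intrusions into activity
clusters by shared indicators using union-find.  Intrusion records are
constructed; the MIN_SHARED / two-category linking rule is an assumption.
"""
from collections import defaultdict

MIN_SHARED = 2   # minimum shared indicators across all categories to link two cases

# Constructed intrusion records: id -> {category: set of indicators}
INTRUSIONS = {
    "INT-1": {"tooling": {"sis-implant", "py2exe-loader"}, "infra": {"ip-A"},        "victim": {"petrochemical"}},
    "INT-2": {"tooling": {"sis-implant"},                  "infra": {"ip-A", "ip-B"}, "victim": {"oil-gas"}},
    "INT-3": {"tooling": {"commodity-rat"},                "infra": {"ip-B"},        "victim": {"petrochemical"}},
    "INT-4": {"tooling": {"commodity-rat"},                "infra": {"ip-C"},        "victim": {"finance"}},
    "INT-5": {"tooling": {"commodity-rat"},                "infra": {"ip-C"},        "victim": {"finance"}},
}


def shared_indicators(a, b):
    """Return {category: indicators present in both records}, omitting empty categories."""
    return {cat: a[cat] & b[cat] for cat in a.keys() & b.keys() if a[cat] & b[cat]}


def linked(a, b, min_shared=MIN_SHARED):
    """Two intrusions link when they share >= min_shared indicators drawn from
    at least two different categories (e.g. a tool AND an IP, not just a tool)."""
    shared = shared_indicators(a, b)
    total = sum(len(v) for v in shared.values())
    return total >= min_shared and len(shared) >= 2


def cluster_intrusions(intrusions, min_shared=MIN_SHARED):
    """Union-find over every pair; returns a sorted list of sorted clusters."""
    parent = {k: k for k in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    ids = sorted(intrusions)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if linked(intrusions[a], intrusions[b], min_shared):
                parent[find(a)] = find(b)

    groups = defaultdict(list)
    for k in ids:
        groups[find(k)].append(k)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for cluster in cluster_intrusions(INTRUSIONS):
        print(cluster)
```

With the constructed data, INT-1 and INT-2 merge (same implant and the same IP), INT-4 and INT-5 merge, and INT-3 stays alone even though it shares a victim sector with INT-1 and an IP with INT-2, because neither single overlap meets the rule. Each cluster is the unit a defense recommendation should be written for.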

  • The Implications of the Cyber-Attack on Industrial Control Systems. The Triconex attack serves as a blueprint for future attacks on industrial control systems, so companies must have precautionary measures in place to prevent and detect this kind of attack. Publicizing good work and creating better regulation are key.

    The cyber-attack on the Triconex safety controllers in Saudi Arabia is a serious concern for industrial companies worldwide. The attack reveals a blueprint for carrying out future attacks, making it easier for other adversaries to attempt something similar. The concern with attacks on industrial control systems is not the specific vulnerabilities or malware involved but what attackers could do next. Companies must prepare for this style of attack and have detection, prevention, and response capabilities in place. Negligence in this area can be detrimental to the safety of the surrounding community. The key is to find a balance between publicizing the good work being done and keeping sensitive information private. The focus should be on creating better laws and regulations to govern such operations.

  • Importance of Holding States Accountable for Cyber Attacks. Governments should conduct high-confidence assessments of cyber attacks like Triton, hold states accountable, and take these attacks off the table to prevent disruption of human life and infrastructure.

    Governments should conduct high-confidence assessments of cyber attacks like Triton, and attacks such as those on Ukraine and NotPetya should be treated as inexcusable. It is important to hold states accountable and take this style of attack off the table, through economic sanctions or other means. State leaders may not consider the origin of an attack important to know, but technology customers need to know the genesis of attacks to make informed decisions. It is embarrassing for a nation's leadership not to understand technology in depth. Cyber attacks on operational technology are becoming more common, and they are purposeful and blatant attacks against civilians and infrastructure. The people who build such attacks may not comprehend the consequences of their actions and may overlook the danger of disrupting human life. It is paramount to take action against such cybercrimes.
