First Malware to Attack Industrial Control Safety Systems

Published: 2018-03-16 00:00
Author: Ameya360
Source: Ann R. Thryft
Reads: 1154

  Less than two months after October's U.S. Department of Homeland Security/FBI joint technical alert confirmed cyberattacks against industrial control systems, a new type of malware targeting industrial processes struck an unnamed critical infrastructure facility. The TRITON/TRISIS/HatMan malware is the first designed to attack an industrial plant's safety systems. Since the attack, security firms and the safety system supplier have provided detailed analyses of the attack and the malware.

  A team from FireEye's Mandiant cybersecurity service wrote in a December blog that it responded to the attack when the new malware took remote control of a workstation running a Schneider Electric Triconex Safety Instrumented System (SIS). The SIS, used in oil and gas plants and nuclear facilities, monitors critical industrial processes and automatically shuts them down if they exceed safety limits. The new malware, which FireEye dubbed TRITON, then tried to reprogram the SIS controllers. Some controllers entered a failsafe mode, shutting down the industrial process and prompting the facility's owner to investigate and identify the attack.

  The FireEye blog said TRITON's ability to prevent safety systems from operating as intended, which could then result in physical consequences, is consistent with attacks made by two previous types of malware — Stuxnet and Industroyer/Crash Override — that can disrupt the ICS of manufacturers and infrastructure systems like energy and water utilities. Although FireEye did not identify the attacker, the victim, or their locations, it did say the attack was characteristic of a nation state, not of cyber-criminal hackers, in its "targeting of critical infrastructure to disrupt, degrade, or destroy systems" without a clear monetary goal.

  In this case, attackers needed enough specialized engineering expertise to understand the particular process being controlled by the SIS at a victim's site and how to manipulate it, as well as the specific SIS controllers used there. When TRITON modified application memory on the SIS controllers, this may have led to the failed validation check of application code between redundant processing units that triggered the controllers to begin a safe shutdown. The malware used Schneider Electric's proprietary TriStation protocol to interact with the SIS controllers. Since that protocol isn't publicly documented, the FireEye blog said this suggests the attackers had reverse-engineered it.

  According to cybersecurity firm Dragos, the attack was made on a company in the Middle East. The new malware, which Dragos calls TRISIS, is "the fifth ever ICS-tailored malware and the first to directly target SIS," making it a highly significant event, wrote CEO Robert M. Lee in a blog. "It is a very bold attack while not technically complicated." Against best security practices, the Triconex SIS controller's keyswitch was left in program mode rather than run mode; in run mode, the controller would have refused program changes.
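The two defensive mechanisms the article mentions, the memory-protection keyswitch that gates program downloads and the cross-check of application code between redundant processing units that ended in a safe shutdown, can be modelled in a few dozen lines. The following is an added example written for this page, not code from Schneider Electric, FireEye or Dragos; the controller model, the `KeySwitch`/`ControllerState` names, the three-unit layout and the sample application bytes are all constructed assumptions and say nothing about how the real Triconex firmware or the TriStation protocol is implemented.

```python
"""Constructed simulation of two safety-controller defences: a keyswitch that
gates program changes, and a per-cycle validation check that compares the
application image held by redundant processing units and trips the controller
into a safe shutdown on mismatch. Illustrative model only, not vendor code."""

import hashlib
from dataclasses import dataclass, field
from enum import Enum


class KeySwitch(Enum):
    RUN = "RUN"          # program downloads are refused
    PROGRAM = "PROGRAM"  # program downloads are accepted


class ControllerState(Enum):
    RUNNING = "RUNNING"
    SAFE_SHUTDOWN = "SAFE_SHUTDOWN"


@dataclass
class ProcessingUnit:
    """One of the redundant processors; holds its own copy of the application."""
    name: str
    application: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.application).hexdigest()


@dataclass
class SafetyController:
    keyswitch: KeySwitch
    units: list                      # list[ProcessingUnit]
    state: ControllerState = ControllerState.RUNNING
    events: list = field(default_factory=list)   # audit trail a SOC would collect

    def download_program(self, new_application: bytes, unit_names=None) -> bool:
        """Attempt a program change as an engineering workstation would.

        unit_names restricts the write to a subset of units: a legitimate
        download updates all of them, a tampered write may reach only one."""
        if self.keyswitch is not KeySwitch.PROGRAM:
            self.events.append("REJECTED: program download while keyswitch in RUN")
            return False
        targets = [u for u in self.units if unit_names is None or u.name in unit_names]
        for unit in targets:
            unit.application = new_application
        self.events.append(f"ACCEPTED: program download to {[u.name for u in targets]}")
        return True

    def scan_cycle(self) -> ControllerState:
        """Per-cycle validation: every unit must hold identical application code."""
        digests = {u.digest() for u in self.units}
        if len(digests) > 1:
            self.state = ControllerState.SAFE_SHUTDOWN
            self.events.append("FAILSAFE: application code mismatch between redundant units")
        return self.state


def build_controller(keyswitch: KeySwitch) -> SafetyController:
    baseline = b"IF pressure > limit THEN close_valve"   # constructed sample logic
    units = [ProcessingUnit(name, baseline) for name in ("A", "B", "C")]
    return SafetyController(keyswitch, units)


def run_scenarios() -> dict:
    """Return the outcome of three scenarios: a refused write in RUN mode, a
    partial write in PROGRAM mode that trips the validation check, and a
    consistent full download in PROGRAM mode that passes it."""
    protected = build_controller(KeySwitch.RUN)
    accepted_in_run = protected.download_program(b"NOP", unit_names={"A"})
    state_in_run = protected.scan_cycle()

    exposed = build_controller(KeySwitch.PROGRAM)
    accepted_in_program = exposed.download_program(b"NOP", unit_names={"A"})
    state_in_program = exposed.scan_cycle()

    maintained = build_controller(KeySwitch.PROGRAM)
    maintained.download_program(b"IF pressure > new_limit THEN close_valve")
    state_after_full_download = maintained.scan_cycle()

    return {
        "accepted_in_run": accepted_in_run,
        "state_in_run": state_in_run,
        "accepted_in_program": accepted_in_program,
        "state_in_program": state_in_program,
        "state_after_full_download": state_after_full_download,
        "events": protected.events + exposed.events + maintained.events,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The point of the model is the asymmetry the article describes: with the keyswitch in RUN the write never lands and the process keeps running, while in PROGRAM mode the write is accepted and only the cross-unit validation stands between the change and the process, which is why the outcome was a safe shutdown rather than a silently altered safety function. The `events` list is the part a defender should care about: a rejected download or a FAILSAFE entry on a controller that is not under scheduled maintenance is exactly the kind of record worth forwarding to monitoring.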

  A more detailed Dragos report on TRISIS and how it works states that Triconex SIS controllers are not inherently vulnerable, and were chosen because that is what the victim was using. Although the SIS's security was compromised, the safety of the ICS was not, because the SIS controllers performed a safe shutdown. But the report said TRISIS is game-changing because "targeting SIS equipment represents a dangerous evolution within ICS computer network attacks. Potential impacts include equipment damage, system downtime, and potentially loss of life."

  A few days after the attack, the DHS issued a malware analysis report, calling the malware HatMan.

  At the January S4x18 security conference, Schneider Electric presented details of its own investigation into the attack and its analysis of TRITON. These included the discovery of a remote access Trojan (RAT) in the malware, the first known to infect SIS equipment, as well as a zero-day vulnerability in the SIS firmware that the malware took advantage of to inject the RAT into the controller's memory. The intent of the malware was to install this RAT, which gave the attackers read-write-execute permissions over the SIS, said Andrew Kling, director of cybersecurity and architecture for Schneider Electric, in the presentation.

  The threat intelligence team of cybersecurity firm CyberX has performed its own independent reverse-engineering of the TRITON malware, wrote Phil Neray, vice president of industrial cybersecurity, in an email. "We believe the goal of the back door was to enable persistent access to the controller, even when the controller's memory-protection key switch is in RUN mode," he wrote. "We believe the purpose of the attack was to disable the safety system in order to lay the groundwork for a second cyberattack that would cause catastrophic damage to the facility itself, potentially causing large-scale environmental damage and loss of human life."


Related reading
Trump in Reversal Says U.S. to Help China's ZTE Stay Afloat
President Donald Trump ordered the U.S. Commerce Department to get ZTE Corp. back into business, weeks after cutting off the massive Chinese telecom equipment maker from its U.S. suppliers with a condemnation of ZTE’s “egregious” behavior.

Trump said in a Sunday morning tweet, posted minutes after arriving at his golf course in Virginia, that he and Chinese leader Xi Jinping are working together to give ZTE “a way to get back into business, fast.”

In a major reversal for a president who has accused China many times of stealing U.S. jobs, Trump said the “Commerce Department has been instructed to get it done!” because “too many jobs in China lost.” The tweet comes as China plans to send Vice Premier Liu He to Washington this week to discuss trade tensions.

The U.S. blockade has choked off the revenue of the No. 2 Chinese telecom gear maker, which employs about 75,000 people. The firm said last week it’s suspended all major operations, and its shares stopped trading in Hong Kong last month.

With ZTE facing possible ruin, Chinese officials have stepped in. The U.S. delegation that held talks with China this month was expected to be told that reversing the Commerce Department’s action was a condition for discussions to continue, said administration officials who asked not to be identified discussing private deliberations.

ZTE suppliers rallied after the Trump tweet. Mobi Development Co. jumped as much as 18 percent in Hong Kong, while Nextronics Engineering Corp. rose as much as 8.5 percent in Taiwan and Zhong Fu Tong Co. surged the daily limit of 10 percent in mainland trading.

More Talks

This week’s Washington trip by China’s vice premier comes after the U.S. delegation to Beijing, led by Treasury Secretary Steven Mnuchin, didn’t produce a deal following Trump’s threats to impose tariffs on $150 billion of Chinese imports with promised Chinese retaliation.

While Trump said in his tweet he’d “instructed” the Commerce Department to “get it done,” the White House said the president expects Secretary Wilbur Ross to “exercise his independent judgment, consistent with applicable laws and regulations, to resolve the regulatory action involving ZTE based on its facts.” Specific questions were referred to the Commerce Department, and a spokesman could not be immediately reached Sunday. The State Department referred comments to the White House and Commerce.

ZTE has been trying to resolve the blockade that Trump’s Commerce Department imposed in April as punishment for violating the terms of a 2017 sanctions settlement related to trading with Iran and North Korea, then lying about it. That seven-year ban prohibited ZTE from buying American technology it needs to build most of its products, including Qualcomm Inc.’s semiconductors and optical chips from Lumentum Holdings Inc.

Illegal Conduct

In a sharply-worded statement on April 16, Ross said ZTE made false statements to the U.S. government and “covered up the fact” that the company paid full bonuses to employees that had engaged in illegal conduct.

“ZTE misled the Department of Commerce,” Ross said. “Instead of reprimanding ZTE staff and senior management, ZTE rewarded them. This egregious behavior cannot be ignored.”

U.S. military exchanges also have stopped selling smartphones made by ZTE and Huawei Technologies Co., China’s largest mobile and telecommunications company, after the Pentagon warned that the devices pose a security risk to military personnel and operations, the Defense Department said earlier this month.

Representative Adam Schiff of California, the top Democrat on the House Intelligence Committee, said in a tweet that U.S. intelligence agencies have warned that ZTE technology and phones “pose a major cyber security threat.” He told Trump “you should care more about our national security than Chinese jobs.”

‘Be Cool’

The president’s most recent call with Xi was on May 8. A White House readout at the time said the president “affirmed his commitment to ensuring that the trade and investment relationship between the United States and China is balanced and benefits American businesses.”

In another tweet on Sunday, Trump said the U.S. and China “are working well together on trade” but past negotiations “have been so one sided in favor of China, for so many years, that it is hard for them to make a deal that benefits both countries.”

“But be cool, it will work out!” Trump said.

Trump’s apparent directive to the Commerce Department was stunning, said a former Commerce official who worked on the ZTE case during the Obama administration.

Exacerbating Tensions

“That’s never happened before, because the rules are not designed this way. I don’t know how to even think through this,” said Kevin Wolf, a partner at Akin Gump Strauss Hauer & Feld LLP in Washington who helped oversee export controls as an assistant secretary at the Bureau of Industry and Security.

ZTE’s precarious position is exacerbating tensions between the world’s two biggest economies, now involved in sensitive negotiations to try and forestall a trade war. Trump is also weeks away from a high-stakes summit with North Korean leader Kim Jong Un, where having China on his side would be beneficial.

The company also has been working on new, faster fifth-generation wireless technology, along with local rival Huawei. That’s a key technology battle between the U.S. and China -- and one that China has a chance to win.

Networking Gear

The U.S.’s only major telecom-equipment maker, Lucent Technologies, was acquired by France’s Alcatel SA in 2006, with the combined company later absorbed into Finland’s Nokia Oyj. Nokia and Ericsson AB have floundered as their Chinese rivals churned out capable and relatively cheap gear for wireless networking customers such as China Mobile Ltd. and Telefonica SA.

But ZTE still relies on U.S. companies to supply it with components for its networking gear. Qualcomm and Micron Technology Inc. provided chips. Lumentum Holdings and Acacia Communications Inc. sold key optical equipment. ZTE’s smartphones used Google’s Android operating system. The moratorium disrupted these relationships, putting the Chinese company on life support.

Even though Trump is reversing course, the blockade will make Chinese companies more reluctant to rely on U.S. firms on grounds that “the U.S. is an unreliable supplier,” said Andrew Bartels, an analyst at Forrester Research.

The move by Trump, who’s bragged about the relationship he has forged with Xi, also has larger implications for Trump’s threats to impose sanctions and tariffs, Bartels said in a telephone interview.

“People might say the only thing you have to do to counter those is have a relationship with Trump,” he said.

Patrick Moorhead, founder of Moor Insights & Strategy, a technology research firm that works with ZTE suppliers including Qualcomm, said he thinks it’s the right move to give a company another chance, because no one wants to see it die or go bankrupt.

“I think we can be sure that Trump is going to get something out of this,” Moorhead said. “It’s all part of the big picture, which is to get a fair shake for U.S. companies.”
2018-05-14 00:00 Reads: 991
Taiwan Has 'Big-Data-Free' Social Platform
Facebook CEO Mark Zuckerberg’s appearance at Congressional hearings in Washington last week has surfaced long-overdue questions about the ownership and privacy of data. This scrutiny now impinges on social media networks and messaging apps such as WhatsApp, owned by Facebook.

The questions that linger are: Who owns the data, where is it stored, who gets to read it, and how is the system set up — or not set up — to protect user privacy?

Reuters reported on Monday (April 16) that the French government is building its own encrypted messenger service to ease fears that foreign entities could spy on private conversations between top officials, according to the digital ministry.

The problems facing France are two-fold. None of the world’s leading encrypted message apps are either owned by France or based in France. This raises concerns over the risk of data breaches at servers outside of the country.

Meet ITRI’s spinoff

Curiously, what France needs might have been already invented in Taiwan. LoFTech, a spinoff of Industrial Technology Research Institute (ITRI), a non-profit technology R&D group in Taiwan, has developed a real-time messaging platform, called Juiker, designed with national security in mind.

Paul Huang, founder and CEO of LoFTech, told us, “We designed our platform as a B2B risk-management tool that allows data to be stored on the Federated Cloud.” Huang explained that each government, or financial institution, for example, is strongly motivated to protect its data and communications by its own rules.

Governments and institutions can use Juiker to store their data privately at any location that they prefer. Huang called it the “Enterprise Cloud Layer” of the Federated Cloud. “Our customers love the convenience of choosing their location and [the ability of] changing [it] as needed,” he explained.

If LoFTech’s customers are small and medium enterprises, they can choose to use the public cloud. If so, data will reside at the “National Cloud Layer” of the Federated Cloud, he said.

Counter-intuitive idea

Most social-app business models are advertising-based, collecting no fees from users. “This means having access to your content is critical to their success; they need to exercise Big Data on their users to better understand and know their users better,” noted Huang. “Their business model is based on selling user content and profile.”

By contrast, LoFTech collects fees from users directly. The company charges customers by the number of seats per company or institution. That means, said Huang, “We do not want their data or will not exercise Big Data analysis on these contents.”

But in the era of Big Data, how did LoFTech stir up this counterintuitive brainstorm — not wanting users’ data? “The idea came from the Taiwan government,” said Huang. The government asked ITRI for a secure real-time messaging app whose data and traffic could be stored on a database platform that the government can run on its own.

Competitive landscape

Since the Facebook/Cambridge Analytica scandal, many governments and institutions are seeking to increase their vigilance over the privacy and ownership of data.

WeChat, for example, stores its communication data in China. Facebook owns WhatsApp. Telegram, said to be a favorite of French President Emmanuel Macron, is a cloud-based instant messaging service developed by a privately held company founded by a Russian entrepreneur and registered in the U.K. Line, Japan’s most popular instant messaging app, is operated by Line Corp., a Japanese subsidiary of the South Korean internet search giant Naver Corp.

There are also other U.S.-based instant messaging platforms popular among enterprises including Slack, Symphony, and Microsoft Teams, but all three “still keep their data on their platform,” according to Huang.

LoFTech’s Juiker project started at ITRI in 2013 as a B2B app development based on at least one government request. Huang suspects that other national governments have similar desires. He also senses growing demand from enterprises and financial institutions who have strict business practices requiring them to secure and record each communication as evidence for future use.

How does it work?

So, technically speaking, how does LoFTech’s technology work?

“It is like creating a global network of real-time IM routers between different storage locations on the application layer,” noted Huang. “We are the first to do so and I don’t see another competitor yet.”

LoFTech spent more than two years developing Juiker and working out the issues and bugs. “We had the time advantage in developing the ‘Federated Cloud’ because our first customer was the Taiwanese government, whose privacy concern is exactly like that of the French government described in the Reuters’ story,” observed Huang. Under LoFTech’s Juiker, “all voice and messages are transmitted, encrypted, and securely sent using Transport Layer Security [TLS].”

Significantly, said Huang, Juiker isn’t using a closed, private cloud alone that denies communication with users outside the private cloud. By developing a federated cloud service, “we can provide the privacy and safety of a private cloud for internal communication, and yet it can be used to safely and conveniently communicate with people outside the private cloud.”

Think about it, said Huang. Nobody would use an office desk phone (extension) that can’t call people outside the company and must be exclusive to an internal network. All office phones must allow “Dial 0” to reach external networks, to call anyone with a phone number. “This is so important. And yet, this ‘Dial 0’ function is disabled in all private social apps,” stressed Huang.

A secure solution must also be convenient, he added, so that something like Juiker can become the default social app for business.

Juiker for France?

If France wants secure instant-messaging apps, what about Juiker? Can France stack its proprietary encryption system on top of Juiker?

“Of course, we would partner with local telecom operators to manage and provide our services,” said Huang. “More than 70% of the world’s operators are government-owned or influenced, so it is actually safer for the French government to use Juiker in partnership with, for example, France Telecom. In most cases, private enterprises such as France Telecom can hire and retain better IT security experts than the government, and the government will trust France Telecom greater than any foreign company. In this case, the Juiker system and data will be stored and managed by France Telecom and the service will be provided after safety is determined by France Telecom.”

Huang also said, “Developing an instant-messaging app takes a lot of product design and engineering efforts because not only does it need to be safe and secure but it [needs to] be convenient, capable of adding more features, and have network effect (lots of users).” In essence, it must be future-proof, enabling the software to grow with time and the changing needs of a company or institution, he added. “So, in the long term, going with a commercial company is always the best strategy over proprietary solutions.”

Of course, if France adds a proprietary encryption system, it will return to a pure private cloud “unless a gateway is provided for the translation between the cloud,” observed Huang. “Typically, a proprietary encryption system makes more sense for the military, which requires a 100% private network.”

Security is not just encryption, he cautioned. “With Juiker, we provide security and privacy by a lot of complimentary services other than encryption and Federated Cloud.”

How widespread is Juiker?

In Taiwan, Juiker software has been downloaded 4.5 million times. Forty large companies — and the Taiwan government — are using it, according to LoFTech.

For the operator market, Juiker developed a full-service Telecom OTT platform, which can be integrated with existing IMS systems. In the B2B market, Juiker allows enterprises to manage their data risk and privacy. For e-commerce, Juiker enables interactive transactions with integrated customer service. For the IoT market, Juiker plans to allow messaging among devices.

Going beyond Taiwan

Vietnam recently became the second nation to embrace LoFTech’s Juiker platform. The Vietnam Posts and Telecommunications Group last month launched its own Over-The-Top messaging app named Karo, based on Juiker.

LoFTech has figured out that building a partnership with a telco is an effective way to spread its software on the federated cloud, given that many PTTs struggling to expand beyond voice and internet want new added-value services such as instant messaging.

If an instant-messaging app is layered on top of a telco’s network services, the app’s stickiness will help operators stabilize the subscriber base, explained Huang.

LoFTech was born in 2015 as an ITRI spinoff with its research team — 35 people — intact. “This was the largest spinoff from ITRI in the last decade,” said Huang.

The inception of LoFTech is an example of how Taiwan plays the smallness of the country to its advantage. The research institute can be agile in responding to government needs as its team quickly develops solutions viable in the commercial market.

At a time when the whole world was enamored with the very idea of collecting data and leveraging it for profit, the Taiwan government saw the inherent problems of this trend and sought solutions. That put Taiwan ahead of the game. Huang said, “We got that message loud and clear.”
2018-04-18 00:00 Reads: 1029
More price pressure on Lithium-ion batteries as cobalt prices soar
Cobalt prices are continuing to rise in 2018, having increased by more than 20% in the first quarter, according to EnergyTrend.

EnergyTrend points to short-term capital speculation and high supplier concentration as the main causes of the rise in raw material costs, and says this ‘concentrated industry structure’ may continue to push prices up in the long term.

The data reveals that the soaring costs of raw material will be reflected in the prices of lithium batteries and new energy vehicles quarter by quarter. With such heavy reliance on cobalt, the battery industry will continue its search for an alternative material.

According to Duff Lu, senior research manager of EnergyTrend, the price of cobalt has been a focus of the market. The use of cobalt provides battery makers with the easiest way to increase energy density before the new generation of materials matures.

The price of cobalt metal has hit new highs, Lu adds, from $32/kg in early 2017 to $75/kg at the year end – an annual growth of 114%. In Q1 2018, the price went up by another 26% quarter on quarter, reaching $95/kg. Lu continues that the rising price will bring more challenges to the development of the new energy vehicle industry.

"The change in cobalt metal prices is mainly influenced by short-term speculation in the market", explains Lu. The prices are mainly decided by the supply side rather than based on supply and demand. Many second-tier makers of battery cells and battery anode material have also been hit hard by the fluctuation of raw material prices. Their cost in raw material purchase turned out to be higher than that of the first-tier manufacturers. Battery system makers and branded makers also rely on first-tier manufacturers for cost considerations, resulting in less diversified supply and less healthy competition in the market.

However, EnergyTrend says that in the battery cells of IT products the proportion of cobalt is less than 5%, meaning the price of cobalt will have limited impact on consumer electronics.

To reduce cost pressure, battery makers are expected to lower the percentage of cobalt in current lithium nickel manganese cobalt oxide (NMC) batteries, EnergyTrend reveals.

Lu says that battery system makers and branded makers will accelerate the development of new-generation materials and alternatives to reduce the restriction imposed by raw materials. Along with developing products with a high ratio of nickel, Lu continues, battery makers will also accelerate the mass production of lithium-ion batteries that use silicon oxide as cathode materials.

These two approaches focus on increasing energy density, while another solution based on blended polymer can effectively reduce costs, the report explains. In the blended polymer solution, NMC and lithium cobalt oxide (LCO) are blended in the anode materials of lithium-ion batteries. Although the energy density is lowered by approximately 20%, this, the data reveals, will still be the direction of development for companies, due to the low costs.

Major battery cell suppliers like Samsung SDI, LG Chem, and Lishen have proposed blended polymer solutions in which the portion of NMC is higher than 20%. However, swelling of the cell remains a problem for the application of NMC materials in polymer batteries. Therefore, the industry has not yet accumulated complete research and development experience, EnergyTrend says.

There will be a chance to see a small number of blended polymer batteries in the market in the second half of 2018, it adds. But if the cobalt price declines rapidly in the future, further observation will be needed to find out whether the development of blended polymer solutions is valuable for the market.
2018-04-16 00:00 Reads: 1057
Cyber centre to be developed in London’s Olympic Park
London's Olympic Park is to play host to a new world-first £13.5 million cyber innovation centre, which it is hoped will help to secure the UK’s position as a global leader in the growing cyber security sector.

The Cyber Innovation Centre is intended to boost the East London digital cluster and spur the development of cutting-edge technology to tackle online threats. Estimates suggest it could also help create 2,000 jobs in the UK's cyber security industry.

Start-ups chosen to participate in the scheme will work with large firms as they identify cyber security challenges critical to their businesses. It is hoped that this approach will encourage smaller, innovative businesses to create solutions that larger firms will need, as well as securing commercial contracts and further investment.

Figures suggest that a tech company was formed every hour in London in 2017 and firms attracted almost £3 billion in venture capital investment. The centre is intended to act as a catalyst for startups and help the UK increase its slice of the global cyber security industry, which is forecast to be worth £69 billion in 2018.

The new centre will be run by Plexal from its Here East headquarters, and is being funded by the Department for Digital, Culture, Media and Sport as part of the Government’s five-year, £1.9 billion investment in UK cybersecurity.

The centre will offer a tailored programme of support to at least 72 companies over three years and is open to firms from across the UK. Start-ups that are not on the programme will also be able to access the centre’s support and facilities.

Those chosen for the scheme will benefit from dedicated technical and engineering support from Plexal, state-of-the-art technology facilities, and mentoring and professional business advice. They will also have access to an international network of cyber clusters to bring trade and investment opportunities on a global scale.
2018-04-12 00:00 Reads: 1032