WHAT IS TRITON?
Triton is a new malware that attacks the SIS (Safety Instrumented Systems) made by Schneider Electric, specifically the Triconex systems.
Triconex systems are deployed in many industrial plants around the world.
WHAT IS A TRICONEX?
The main mission of a Triconex system is to act as an emergency shutdown system (ESD - Emergency Shutdown System).
SIS or ESD systems are the protection layer above the conventional control systems (PLC, DCS). They monitor the conditions of the process that the industrial control system controls and regulates, and if an anomaly occurs during operation they are responsible for bringing the plant to a "safe state" by carrying out a "controlled" shutdown of the process.
This is guaranteed by the fast execution of the program in the safety system, usually under 100 ms, compared with the control cycle of a control system, which is usually between 500 ms and 1 s.
The main feature of the Triconex system is its high availability (99.999%) and a complex diagnostic system that monitors the controller from the processors down to each input and output card. The basic configuration has three safety processors in parallel. The electronic inputs and outputs have three independent processing electronics, one per safety processor. The triplicated outputs are also managed by a two-out-of-three (2oo3) vote, producing one output per channel. In addition, the system has dual independent power supplies in each chassis.
HOW DOES TRITON BEHAVE?
This malware must be executed on the Triconex engineering station, where Tristation, the engineering software for programming the Triconex processors, is installed.
The malware uses the name trilog, which is the name of a legitimate Triconex application. That application is used to record, replay and analyze variables of the Triconex system program at high speed (it is the best alternative to a DCS when fast data recording is required, for example in applications with compressors).
The malware makes it possible to alter the in-memory copy of the 3008 processors' firmware, effectively altering the processors' configuration. Access to the processor is achieved through the Tristation TS protocol, which gives access to the memory map of the Triconex system.
The Tristation TS protocol is a proprietary, publicly undocumented protocol that the Tristation software uses to communicate with the processors. Do not confuse this TS protocol with the TSAA (Triconex System Access Application) protocol. Although they are similar, TSAA is officially documented and only allows reading and writing variables in the system, not access to the memory area of the program.
The firmware program resides in the processor's non-volatile memory and is not altered by the malware, because making a firmware change requires stopping the system.
There is a physical key in the main chassis of the Triconex that controls the operating mode of the system. The system is only vulnerable if the key is in the "PROGRAM" position. This mode allows the Tristation programming software to make changes (partial or total) to the logic programmed in the Triconex processor.
Triconex systems often have the key in the "PROGRAM" position, since writes over Modbus are also allowed in this mode. This is commonly used to write bypasses and start permissives from the control system to which they are connected.
CHECKLIST FOR THE RIGHT TRICON SYSTEM CONFIGURATION
The Triton malware delivers a payload into a Tricon system, modifying the system programming. This malware can ONLY act if the Tricon keyswitch is in the "PROGRAM" position.
We have prepared the following checklist to ensure the right system configuration:
Concept | Action
Network Isolation | All Tristation terminals, safety controllers and the safety network must be isolated from the rest of the plant communication channels. Ensure that these systems are in a separate network using a unique and isolated VLAN following IEC 62443, or physically isolate (air-gap) the safety control network. If you have a Peer-to-Peer network or a Modbus/TCP communication network using Ethernet switches, ensure that the switches are correctly configured following IEC 62443 and that their firmware and configuration are hardened.
Tristation PC | If you have connected your Tristation PC to any network besides the safety network (always through a firewall and strict access control), you must at minimum apply sanitation measures, use a separate VLAN with strong user access control, and run an up-to-date antivirus.
Physical Protection | Physical access to the SIS must be secured. Unauthorized persons should not have physical access to any part of the system (Tristation terminal, controller and field terminals). You must use locked cabinets.
Backup Policy | Ensure that backups of the application files are made to a separate medium and that these backups are usable and safely stored.
Check Download Project Integrity | Periodically ensure that the program loaded in the controller is intact by performing the operation "Compare project to last download" and verifying the current and downloaded versions of the loaded project.
KeySwitch | The Tricon keyswitch must be in "RUN mode". You must remove and securely store the key. In this position the system is in normal operation with read-only capability, which means that no Modbus alias can be written.
Modbus Write in Run Mode | If you need to write Tricon variables during normal operation (RUN mode), you must implement the GATENB function in your program to authorize remote writes, or configure a range of aliases. If your BPCS writes any bypass or setpoint value to your Triconex system, you must analyze your communication map beforehand in order to configure the GATENB function.
Monitoring Keyswitch | You must configure an alarm in your BPCS to inform the operator when the keyswitch is in the "PROGRAM" position. The Modbus alias is: variable $keysw, alias 39649, description "Main chassis keyswitch position", values 0 = Stop, 1 = Prog, 2 = Run, 3 = Remote.
Removable Data Exchange | You must scan all removable media (CDs, USB drives) with an up-to-date antivirus before connecting it to your Tristation station.
Point Assignment | A tagname setting that determines whether an output or memory point is assigned a Read or Read/Write alias number. For output points, all alias numbers are Read/Write; for memory points, alias numbers can be Read or Read/Write. Check that all variables are correctly declared.
Password Required for Connection | You can configure an additional password to connect to the controller, in addition to the username and password needed to access the Tristation software. The default is no additional password.
Disable Stop on Keyswitch | Select the check box to prevent the keyswitch from halting the application if it is turned to Stop. The default is "cleared" (halting by keyswitch permitted).
Disable Remote Changes to Outputs | Clear the check box to allow remote devices to write to output points. The default is "selected" (remote writes allowed).
Allow Disabling of Points | Select the check box to allow the Tristation PC to disable points while the application is running on the controller. The default is "cleared". This property can be changed only when your project is in the Download All state.
Port Write Enabled (for TCM) | A Tricon TCM setting that determines whether Tristation, TSAA or Modbus have write access to the selected port. The default is "cleared", meaning the port is read-only.
Access List (for TCM and UCM) | An optional Tricon TCM and UCM feature that lets you control which clients can access TCM and UCM resources, the protocols they can use, and the level of access each client has.
Privilege (for ACM and NCM) | A Tricon ACM and NCM module setting that determines whether network devices using DDE, OPC or TSAA communication have write access to output points and read/write aliased memory points. For Tricon ACM the default is Read; for Tricon NCM the default is Read/Write. The Tricon TCM, UCM, EICM, HIM and SMM modules do not have this property.
Prohibit Writes | A Tricon SMM module setting that determines whether Honeywell® devices have write access to output points and read/write aliased memory points. The default is "cleared", which means write access is allowed.
Affected Files by TRITON
Check whether any of the following files exist in the Tristation installation directory:
Filename | MD5 | SHA-256
trilog.exe | 6c39c3f4a08d3d78f2eb973a94bd7718 | e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230
imain.bin | 437f135ba179959a580412e564d3107f | 08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949
inject.bin | 0544d425c7555dc4e9d76b571f31f500 | fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14
library.zip | 0face841f7b2953e7c29c064d6886523 | bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59
TS_cnames.pyc | e98f4f3505f05bf90e17554fbc97bba9 | 2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326
TsBase.pyc | 288166952f934146be172f6353e9a1f5 | 1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42
TsHi.pyc | 27c69aa39024d21ea109cc9c9d944a04 | 758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272
TsLow.pyc | f6b3a73c8c87506acda430671360ce15 | 5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32
sh.pyc | 8b675db417cc8b23f4c43f3de5c83438 | c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1
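The following Python script is an added example (not tooling from the advisory or from Schneider Electric) that turns the table above into a check you can run on a Tristation PC: it walks a directory, hashes every file with MD5 and SHA-256, and reports hash matches separately from name-only matches, since trilog.exe is also the name of a legitimate Triconex application. It uses only the standard library; the scan root is assumed to be given on the command line, and the directory tree built by demo_scan() is constructed for offline testing. Note that the inject.bin SHA-256 is printed with 63 hex characters on the page; the script keeps it verbatim and reports it as malformed rather than letting it silently never match.

```python
"""Scan a Tristation installation directory for the files listed in the
"Affected Files by TRITON" table. Added example, not the advisory's own code."""
import hashlib
import shutil
import sys
import tempfile
from pathlib import Path

# Hashes exactly as printed in the advisory (filename -> (md5, sha256)).
# The inject.bin SHA-256 is 63 characters on the page; validate_iocs() flags it.
TRITON_IOCS = {
    "trilog.exe": ("6c39c3f4a08d3d78f2eb973a94bd7718",
                   "e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230"),
    "imain.bin": ("437f135ba179959a580412e564d3107f",
                  "08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949"),
    "inject.bin": ("0544d425c7555dc4e9d76b571f31f500",
                   "fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14"),
    "library.zip": ("0face841f7b2953e7c29c064d6886523",
                    "bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59"),
    "TS_cnames.pyc": ("e98f4f3505f05bf90e17554fbc97bba9",
                      "2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326"),
    "TsBase.pyc": ("288166952f934146be172f6353e9a1f5",
                   "1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42"),
    "TsHi.pyc": ("27c69aa39024d21ea109cc9c9d944a04",
                 "758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272"),
    "TsLow.pyc": ("f6b3a73c8c87506acda430671360ce15",
                  "5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32"),
    "sh.pyc": ("8b675db417cc8b23f4c43f3de5c83438",
               "c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1"),
}
HEX = set("0123456789abcdef")


def validate_iocs(iocs=TRITON_IOCS):
    """Return (filename, algorithm) for every hash that is not hex of the right length."""
    bad = []
    for name, (md5, sha256) in iocs.items():
        for algo, value, length in (("md5", md5, 32), ("sha256", sha256, 64)):
            if len(value) != length or not set(value.lower()) <= HEX:
                bad.append((name, algo))
    return bad


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5 and SHA-256 of a file in one pass; returns (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_directory(root, iocs=TRITON_IOCS):
    """Hash every file under root and report hash matches and name-only matches.

    Names are compared case-insensitively because the Tristation PC runs Windows.
    """
    root = Path(root)
    by_name = {name.lower(): name for name in iocs}
    by_md5 = {h[0].lower(): name for name, h in iocs.items()}
    by_sha = {h[1].lower(): name for name, h in iocs.items()}
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        md5, sha256 = hash_file(path)
        rel = path.relative_to(root).as_posix()
        if sha256 in by_sha or md5 in by_md5:
            ioc = by_sha.get(sha256) or by_md5[md5]
            findings.append({"file": rel, "reason": "hash-match", "ioc": ioc,
                             "md5": md5, "sha256": sha256})
        elif path.name.lower() in by_name:
            findings.append({"file": rel, "reason": "name-match", "ioc": by_name[path.name.lower()],
                             "md5": md5, "sha256": sha256})
    findings.sort(key=lambda f: f["file"])
    return findings


def demo_scan():
    """Scan a constructed directory tree (temporary, deleted afterwards).

    sample.bin holds b"abc", whose well-known digests are added to a copy of the
    IoC table as a constructed entry so a hash match can be exercised offline;
    trilog.exe holds placeholder bytes and therefore matches by name only.
    """
    root = Path(tempfile.mkdtemp(prefix="tristation-demo-"))
    try:
        (root / "trilog.exe").write_bytes(b"constructed placeholder, not the real binary")
        (root / "sub").mkdir()
        (root / "sub" / "sample.bin").write_bytes(b"abc")
        iocs = dict(TRITON_IOCS)
        iocs["sample.bin"] = ("900150983cd24fb0d6963f7d28e17f72",
                              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
        return scan_directory(root, iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, algo in validate_iocs():
        print(f"warning: {algo} for {name} is malformed in the IoC table")
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for f in results:
        print(f"{f['reason']:10} {f['file']} (ioc: {f['ioc']}, sha256: {f['sha256']})")
```

A name-only hit is not by itself evidence of infection, and a file that has been renamed will only be caught by its hash, so both kinds of finding are worth keeping in the report; a hash match on a file sitting next to the legitimate Tristation install is what should trigger incident response.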
Tricon Controller Keyswitch
This table describes the meaning of the keyswitch positions.
Keyswitch Position | Function
RUN | Normal operation with read-only capability. The Main Processors execute the previously loaded control program. Does not allow Modbus masters to write variables. Does not allow the control program to be modified with the Tristation software.
PROGRAM | For control program loading and verification. Allows control of the Tricon controller from Tristation, including Download All and Download Changes. Allows writes to program variables by Modbus masters.
STOP | Stops reading inputs, forces non-retentive digital and analog outputs to 0, and halts the control program. Retentive outputs return to the value they had before the keyswitch was turned to Stop. You can use Tristation to prevent the application from halting when the keyswitch is turned to Stop.
REMOTE | Allows writes to control program variables by Tristation and Modbus masters. Does not allow the control program to be modified (Download All and Download Changes).
The differences between the RUN and REMOTE positions are:
- With the system in RUN mode, access to control program variables is read-only.
- With the system in RUN mode and the GATENB function also configured, you can restrict write access to the aliases you have configured in the GATENB function.
- With the system in REMOTE mode, writes to control program variables are allowed.
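The "Monitoring Keyswitch" item in the checklist and the keyswitch table above describe the $keysw variable (alias 39649) and its four values. The Python example below is added here and is not code from the advisory or from Schneider Electric: it decodes the value of that alias from a Modbus/TCP register-read response and decides whether the BPCS should raise the "keyswitch in PROGRAM" alarm. It assumes the alias is polled as a single 16-bit register with Modbus function code 3 or 4 and a standard MBAP frame; the alias-to-register mapping and function code are not stated on the page and must be taken from your own communication map. The frames built by build_sample_response() are constructed for offline testing, not captures.

```python
"""Keyswitch-position alarm for a Tricon controller, fed by Modbus/TCP polls.
Added example, not the advisory's own code."""
import struct

KEYSW_ALIAS = 39649  # $keysw, "Main chassis keyswitch position" (from the advisory)
KEYSW_STATES = {0: "STOP", 1: "PROGRAM", 2: "RUN", 3: "REMOTE"}


def decode_read_registers_response(frame):
    """Parse a Modbus/TCP response to function code 3/4 and return the 16-bit registers.

    Raises ValueError on a truncated or inconsistent frame and on an exception
    response, so a bad poll is never mistaken for a "RUN" reading.
    """
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus PDU")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    if fc & 0x80:
        raise ValueError(f"exception response, exception code {frame[8]}")
    if fc not in (3, 4):
        raise ValueError(f"not a register-read response (function code {fc})")
    byte_count = frame[8]
    data = frame[9:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", data))


def keyswitch_state(value):
    """Map the raw register value to the position name from the advisory."""
    return KEYSW_STATES.get(value, f"UNKNOWN({value})")


def evaluate_keyswitch(frame):
    """Decode one poll of alias 39649 and say whether an operator alarm is due.

    Alarm on PROGRAM (the only position in which Triton can act) and on any
    value outside the four documented positions, since an undecodable reading
    also deserves an operator's attention.
    """
    regs = decode_read_registers_response(frame)
    if len(regs) != 1:
        raise ValueError(f"expected one register for alias {KEYSW_ALIAS}, got {len(regs)}")
    state = keyswitch_state(regs[0])
    alarm = state == "PROGRAM" or state.startswith("UNKNOWN")
    return {"alias": KEYSW_ALIAS, "raw": regs[0], "state": state, "alarm": alarm}


def build_sample_response(value, tid=1, unit=1, fc=3):
    """Constructed Modbus/TCP response carrying one register (for offline testing)."""
    pdu = struct.pack(">BBH", fc, 2, value)              # fc, byte count, register
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # length counts unit id + PDU
    return mbap + pdu


if __name__ == "__main__":
    for raw in (2, 1, 3, 0, 7):
        print(evaluate_keyswitch(build_sample_response(raw)))
```

In a real deployment the polling loop belongs in the BPCS or a read-only monitoring host on the safety network, and the alarm should be latched and acknowledged by the operator rather than cleared automatically when the key returns to RUN, so that a brief excursion into PROGRAM is not lost.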
Leopoldo Ferrer
ICS/SCADA Senior Specialist
External references: