Tuesday, 16 January 2018

Cybersecurity for Triconex systems. What steps to follow to be more secure against Triton.

Triton is a new malware that attacks the SIS (Safety Instrumented Systems) made by Schneider Electric, specifically the Triconex systems.
Triconex systems are deployed in many industrial plants around the world.

The main mission of a Triconex system is to act as an emergency shutdown system (ESD - Emergency Shutdown System).
SIS or ESD systems are an additional protection layer above the conventional control systems (PLC, DCS). They monitor the conditions of the process that the industrial control system controls and regulates, and should an anomaly occur during operation they are responsible for bringing the plant to a "safe state" by carrying out a "controlled" shutdown of the process.
This is guaranteed by the fast execution speed of the program in the safety system, usually less than 100 ms, compared with the control cycle of a control system, which is usually between 500 ms and 1 s.
The main feature of the Triconex system is its 99.999% availability and a complex diagnostic system that monitors the control system from the processors down to each input and output card. The basic configuration has three safety processors in parallel. The electronic inputs and outputs have three independent processing circuits, one for each safety processor. The triple outputs are likewise managed by a two-out-of-three (2oo3) vote, generating one output per channel. In addition, the system has dual independent power supplies in each chassis.

This malware must be executed on the Triconex engineering station, where the Tristation software (the engineering software used to program the Triconex processors) is installed.
The malware uses the name trilog, which is the name of a legitimate Triconex application. That application is used to record, replay and analyze variables of the Triconex program at high speed (it is the best alternative to a DCS when fast data recording is required, for example in compressor applications).
The malware can alter the in-memory copy of the 3008 processors' firmware, effectively altering the processors' configuration. Access to the processor is achieved through the Tristation TS protocol, which gives access to the memory map of the Triconex system.
The Tristation TS protocol is a proprietary, publicly undocumented protocol that the Tristation software uses to communicate with the processors. Do not confuse this TS protocol with the TSAA (Triconex System Access Application) protocol. Although they are similar, TSAA is officially documented and only allows reading and writing system variables, not access to the program memory area.
The firmware program resides in the processor's non-volatile memory and is not altered by the malware, because a firmware change requires stopping the system.
There is a physical key on the main chassis of the Triconex that controls the operating mode of the system. The system is only vulnerable if the key is in the "PROGRAM" position. This mode allows the Tristation programming software to make changes (partial or total) to the logic programmed in the Triconex processor.
Triconex systems often have the key in the "PROGRAM" position, since writes are also allowed via Modbus in this mode. This is often used for writing bypasses and permissives from the control system they are connected to.

The Triton malware delivers a payload into a Tricon system, modifying the system programming. This malware can ONLY act if the Tricon keyswitch is in the "PROGRAM" position.
We have prepared the following checklist to secure the right system configuration:
Network Isolation
All Tristation terminals, safety controllers and the safety network must be isolated from the rest of the plant communication channels.
Ensure that these systems are in a separate network using a unique and isolated VLAN, following IEC-62443, or physically isolate (air-gap) the safety control network.
If you have a Peer-to-Peer network or a Modbus/TCP communication network using Ethernet switches, ensure that the switches are correctly configured following IEC-62443 and that their firmware and configuration are hardened.
Tristation PC
If you have connected your Tristation PC to any network other than the safety network (always through a firewall with strict access control), at a minimum you must apply sanitization measures, use a separate VLAN with strong user access control, and keep the antivirus up to date.
Physical Protection
Physical access to the SIS must be secured. Unauthorized persons must not have physical access to any part of the system (Tristation terminal, controller and field terminals). You must use locked cabinets.
Backup Policy
Ensure that the backups of the application files are being made in a separate medium and that these backups are operational and safely stored.
Check Download Project Integrity
Periodically verify the integrity of the program loaded in the controller by performing the "Compare project to last download" operation and checking that the current and last-downloaded versions of the project match.
The Tricon Keyswitch must be in “RUN mode”.
You must remove and securely store the key.
In this position the system is in normal operation with read-only capability. This means that you cannot write any Modbus alias.
Modbus Write in Run Mode
If you need to write Tricon variables during normal operation (RUN mode), you must implement the GATENB function in your program to authorize remote writes or configure a range of aliases.
If your BPCS writes any bypass or setpoint value to your Triconex system, you must analyze your communication map before configuring the GATENB function.
Monitoring Keyswitch
You must configure an alarm in your BPCS system to inform the operator when the keyswitch is in the “PROGRAM” position.
The Modbus alias is:
Variable: $keysw
Alias: 39649
Description: Main chassis keyswitch position:
0 = Stop
1 = Prog
2 = Run
3 = Remote
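As an added example (not part of the original post), the following Python script builds the Modbus/TCP read for alias 39649, decodes the reply into the positions listed above, and decides whether the BPCS should alarm; it goes slightly beyond the text by also flagging unexpected values. It assumes that the read-only 3xxxx alias range is served as Modbus input registers (function code 04) at zero-based offset alias minus 30001, and that the Tricon communication port is reachable from the BPCS host; the reply bytes are constructed, not captured.

```python
"""Keyswitch monitor for a Tricon main chassis, polled over Modbus/TCP."""
import struct

# $keysw is read-only alias 39649. Assumption: the 3xxxx alias range maps to
# Modbus input registers, read with function code 04 at offset alias - 30001.
KEYSW_ALIAS = 39649
KEYSW_OFFSET = KEYSW_ALIAS - 30001        # 9648, zero-based register address
FC_READ_INPUT_REGISTERS = 0x04
POSITIONS = {0: "Stop", 1: "Prog", 2: "Run", 3: "Remote"}   # from the alias description


def build_keysw_request(transaction_id: int, unit_id: int = 1) -> bytes:
    """Modbus/TCP ADU for reading one input register: MBAP header + PDU."""
    pdu = struct.pack(">BHH", FC_READ_INPUT_REGISTERS, KEYSW_OFFSET, 1)
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_keysw_response(adu: bytes) -> int:
    """Return the raw keyswitch value from a FC04 response; raise on malformed frames."""
    if len(adu) < 9:
        raise ValueError("short Modbus/TCP frame")
    _tid, proto, length, _unit, fc = struct.unpack(">HHHBB", adu[:8])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("bad MBAP header")
    if fc == FC_READ_INPUT_REGISTERS | 0x80:          # exception response
        raise ValueError(f"Modbus exception code {adu[8]}")
    if fc != FC_READ_INPUT_REGISTERS:
        raise ValueError(f"unexpected function code {fc:#x}")
    byte_count = adu[8]
    if byte_count != 2 or len(adu) != 9 + byte_count:
        raise ValueError("expected exactly one 16-bit register")
    return struct.unpack(">H", adu[9:11])[0]


def keyswitch_alarm(value: int) -> tuple:
    """Map the raw value to a position name; alarm on Prog or on any unknown value."""
    position = POSITIONS.get(value, f"Unknown({value})")
    return position, position == "Prog" or value not in POSITIONS


def check_keyswitch(response_adu: bytes) -> tuple:
    """One poll cycle: decode the reply and decide whether the BPCS should alarm."""
    return keyswitch_alarm(parse_keysw_response(response_adu))


# Constructed sample reply (not a capture): unit 1 answers FC04 with value 1 = Prog.
SAMPLE_RESPONSE = bytes.fromhex("0001000000050104020001")   # check_keyswitch -> ('Prog', True)
```

Send the output of build_keysw_request() to the Tricon communication port on each poll cycle and feed the reply to check_keyswitch(); the returned flag drives the operator alarm.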
Removable Data Exchange
You must scan all removable media (CDs, USB drives) with an up-to-date antivirus before connecting it to your Tristation station.
Point Assignment
A tagname setting that determines whether the output and memory point is assigned a Read or Read/Write alias number.
• For output points, all alias numbers are Read/Write.
• For memory points, alias numbers can be Read or Read/Write.
Check that all variables are correctly declared.
Password Required for Connection
You can configure an additional password to connect to the controller, in addition to the username and password you need to access the Tristation software.
The default is no additional password.
Disable Stop on Keyswitch
Select the check box to prevent the keyswitch from halting the application if it is turned to Stop. The default is “cleared” (halting by keyswitch permitted).
Disable Remote Changes to Outputs
Clear the check box to allow remote devices to write to output points. The default is “selected” (remote writes allowed).
Allow Disabling of Points
Select the check box to allow the Tristation PC to disable points while the application is running on the controller. The default is “cleared”.
This property can be changed only when your project is in the Download All state.
Port Write Enabled (for TCM)
A Tricon TCM setting that determines whether Tristation, TSAA or Modbus have write access to the selected port.
The default is “cleared”, meaning the port is read-only.
Access List (for TCM and UCM)
An optional Tricon TCM and UCM feature that gives you the ability to control which clients can access TCM and UCM resources, the protocols they can use, and the level of access each client has.
(for ACM and NCM)
A Tricon ACM and NCM module setting that determines whether network devices using DDE, OPC or TSAA communication have write access to output points and read/write aliased memory points.
• For Tricon ACM, the default is Read.
• For Tricon NCM, the default is Read/Write.
• The Tricon TCM, UCM, EICM, HIM, and SMM modules do not have this property.
Prohibit Writes
A Tricon SMM module setting that determines whether Honeywell® devices have write access to output points and read/write aliased memory points.
The default is “cleared”, which means write access is allowed.

Files Affected by TRITON
Check whether any of the following files exist in the Tristation installation directory:


Tricon Controller Keyswitch
This table describes the meaning of the keyswitch positions.

Keyswitch Position: RUN
  • Normal operation with read-only capability.
  • The Main Processors execute the previously loaded control program.
  • Does not allow Modbus masters to write variables.
  • Does not allow the control program to be modified using the Tristation software.
Keyswitch Position: PROGRAM
  • For control program loading and verification.
  • Allows control of the Tricon controller from Tristation, including Download All and Download Changes.
  • Allows writes to program variables by Modbus masters.
Keyswitch Position: STOP
  • Stops reading inputs, forces non-retentive digital and analog outputs to 0, and halts the control program.
  • Retentive outputs return to the value they had before the keyswitch was turned to Stop.
  • You can use Tristation to prevent the application from halting when the keyswitch is turned to Stop.
Keyswitch Position: REMOTE
  • Allows writes to control program variables by Tristation and Modbus masters.
  • Does not allow the control program to be modified (Download All and Download Changes).

The differences between the RUN and REMOTE positions are:
  • In RUN mode, access to control program variables is read-only.
  • In RUN mode with the GATENB function configured, write access can be restricted to the aliases configured in the GATENB function.
  • In REMOTE mode, writes to control program variables are allowed.

Leopoldo Ferrer
ICS/SCADA Senior Specialist

External references: