WHAT IS TRITON?
Triton is a new malware that attacks the SIS (Security Instrumented
Systems) of the manufacturer Schneider Electric, specifically the Triconex
systems.
Triconex systems are implemented in many industrial plants around the
world.
WHAT IS A TRICONEX?
The main mission of a Triconex system is to act as an emergency stop
system (ESD - Emergency Shutdown System).
The SIS or ESD systems are the upper layer of protection to
conventional control systems (PLC, DCS). They monitor the conditions of the
process that controls and regulates the industrial control system, and should
an anomaly occur in the operation they are responsible for bringing the plant
to a “safe state”, carrying out a “controlled” shutdown of the process.
This is guaranteed by the fast speed of execution of the program in
the security systems, which is usually less than 100mS, in comparison to the
control cycle of a control system that is usually between 500ms and 1s.
The main feature of the Triconex system is its high availability at
99.999% and a complex diagnostic system that monitors the control system from
the processors to each input and output card. The basic configuration has three
safety processors in parallel. The electronic inputs and outputs have three
independent processing electronics, one for each safety processor. The triple
outputs are also managed by a vote of two out of three (2oo3) system,
generating one output per channel. In addition, the system has double
independent power supplies in each chassis.
HOW TRITON BEHAVES?
This malware must be executed on the Triconex engineering station,
where the Tristation software, the engineering software for programming the Triconex
processors, is installed.
The malware uses the name trilog, which is the name of a legitimate
Triconex application. This application is used to record, reproduce and analyze
variables of the Triconex system program at high speed (being the best
alternative to a DCS when fast data recording is required, for example in
applications with compressors).
The malware allows altering the in-memory copy
of the 3008 processors firmware,
effectively altering the processors configuration. Access to the processor is
achieved by means of the use of the Tristation TS protocol, which allows to access
the memory map of the Triconex system.
The Tristation TS protocol is a proprietary, publicly undocumented
protocol that the Tristation software uses to communicate with the processors. Do
not confuse this TS protocol with the TSAA (Triconex System Access Application) protocol. Although they are similar,
the TSAA is officially documented, and only allows access and writes to
variables in the system, but not to the memory area of the program.
The firmware program resides in the processor’s
non-volatile memory and is not altered by the malware, because to make a
firmware change it is necessary to stop the system.
There is a physical key in the main chassis of the Triconex, which
controls the operating mode of the system. The system will only be vulnerable
if the key is in "PROGRAM" position. This mode allows the Tristation
programming software to make changes (partial or total) to the logic programmed
in the Triconex processor.
Triconex systems often have the key in “PROGRAM” position, since writes
are also allowed via modbus in this mode. This is often used for writing
bypasses and permissive starting from the control system with which they are connected
to.
CHECK LIST TO RIGHT TRICON SYSTEM CONFIGURATION
The Triton malware deliver a payload into a Tricon system, modifying
the system programming. This malware can ONLY act if you have the Tricon
keyswitch in “PROGRAM” position.
We have prepared the following check list to secure the right system
configuration:
CONCEPT
|
ACTION
|
Network Isolation
|
All Tristation terminals,
safety controller and safety network must to be isolated from the rest of
plant communication channels.
Ensure that these systems
are in a separate network using a unique and isolated VLAN following the
IEC-62443, or physically isolate (airgap) the safety control network.
In case that you have a
Peer-to-Peer network or Modbus/TCP communication network using Ethernet
switches, ensure that the switches are correctly configured following
IEC-62443 and firmware/configuration hardening.
|
Tristation PC
|
If you have connected your
Tristation PC to any other network (always through a Firewall and strict
access control) beside the safety network, you must use sanitation measures
as minimum, use another VLAN with strong user access control, and an up to
date antivirus.
|
Physical Protection
|
Physical Access to SIS
system must be secured. Unauthorized person should not have physical access
to any part of the system (Tristation terminal, controller and field
terminals). You must use locked cabinets.
|
Backup Policy
|
Ensure that the backups of
the application files are being made in a separate medium and that these
backups are operational and safely stored.
|
Check Download Project
Integrity
|
Periodically ensure the
integrity of the program loaded in the controller is correct by performing
the operation "Compare project to last download" and verify the
current and downloaded version of the loaded project.
|
KeySwitch
|
The Tricon Keyswitch must be
in “RUN mode”.
You must remove and securely
store the key.
In this position the system
is in normal operation with read-only capability. This means that you cannot
write any Modbus alias.
|
Modbus Write in Run Mode
|
If you need to write Tricon
variables in your normal operation (RUN mode), you must implement the GATENB
function in your program to authorize remote writes or configure range
of alias.
If your BPCS write to your
Triconex system any bypass or setpoint value, you must analyze your
communication map previously to configure the GATENB function.
|
Monitoring Keyswitch
|
You must configure an alarm in
your BPCS system to inform the operator when the keyswitch is in the “PROGRAM”
position.
The alias Modbus address is:
Variable:
$keysw
Alias:
39649
Description:
Main chassis keyswitch position:
Values:
0 =
Stop
1 =
Prog
2 =
Run
3 =
Remote
|
Removable Data Exchange
|
You must scan all removable
data Exchange (CDs, USB drives) with an up to date antivirus before
connecting it to your Tristation station.
|
Point Assignment
|
A tagname setting that
determines whether the output and memory point is assigned a Read or
Read/Write alias number.
• For output points, all
alias numbers are Read/Write.
• For memory points, alias
numbers can be Read or Read/Write.
Check that all variables are
correctly declared.
|
Password Required for
Connection
|
You can configure an
additional password to connect to the controller, in addition to the username
and password that you need to Access to Tristation software.
The default is no additional
password.
|
Disable Stop on Keyswitch
|
Select the check box to
prevent the keyswitch from halting the application if it is turned to Stop.
The default is “cleared” (halting by keyswitch permitted).
|
Disable Remote Changes
to Outputs
|
Clear the check box to allow
remote devices to write to output points. The default is “selected” (remote
writes allowed).
|
Allow Disabling of Points
|
Select the check box to
allow the Tristation PC to disable points while the application is running on
the controller. The default is “cleared”.
This property can be changed
only when your project is in the Download All state.
|
Port Write Enabled
(for TCM)
|
A Tricon TCM setting that
determines whether Tristation, TSAA or Modbus have write access to the
selected port.
The default is “cleared”,
meaning the port is read-only.
|
Access List
(for TCM and UCM)
|
An optional Tricon TCM and
UCM feature that gives you the ability to control which clients can access
TCM and UCM resources, the protocols they can use, and the level of access
each client has.
|
Privilege
(for ACM and NCM)
|
A Tricon ACM and NCM module
setting that determines whether network devices using DDE, OPC or TSAA
communication have write access to output points and read/write aliased
memory points.
• For Tricon ACM, the
default it Read.
• For Tricon NCM, the
default is Read/Write.
• The Tricon TCM, UCM, EICM,
HIM, and SMM modules do not have this Property
|
Prohibit Writes
|
A Tricon SMM module setting
that determines whether Honeywell® devices have write access to output points
and read/write aliased memory points.
The default is “cleared”,
which means write access is allowed.
|
Affected Files by TRITON
Check if one of the following files exist on Tristation installation
directory:
Filename
|
Hash
|
trilog.exe
|
MD5: 6c39c3f4a08d3d78f2eb973a94bd7718
SHA-256:
e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230
|
imain.bin
|
MD5: 437f135ba179959a580412e564d3107f
SHA-256:
08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949
|
inject.bin
|
MD5: 0544d425c7555dc4e9d76b571f31f500
SHA-256:
fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14
|
library.zip
|
MD5: 0face841f7b2953e7c29c064d6886523
SHA-256:
bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59
|
TS_cnames.pyc
|
MD5: e98f4f3505f05bf90e17554fbc97bba9
SHA-256:2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326
|
TsBase.pyc
|
MD5: 288166952f934146be172f6353e9a1f5
SHA-256:
1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42
|
TsHi.pyc
|
MD5: 27c69aa39024d21ea109cc9c9d944a04
SHA-256: 758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272
|
TsLow.pyc
|
MD5: f6b3a73c8c87506acda430671360ce15
SHA-256:
5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32
|
sh.pyc
|
MD5: 8b675db417cc8b23f4c43f3de5c83438
SHA-256: c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1
|
Tricon Controller Keyswitch
This table describes the meaning of the keyswitch positions.
Keyswitch Position
|
Function
|
RUN
|
Normal operation with
read-only capability.
The Main Processors execute the
previously-loaded control program
Does Not Allow to write
variables by Modbus masters
Does Not Allow to modify
control program using Tristation software
|
PROGRAM
|
For control program loading
and verification.
Allows control of the Tricon
controller from Tristation, including Download All and Download Changes.
Allows writes to program
variables by Modbus masters.
|
STOP
|
Stops reading inputs, forces
non-retentive digital and analog outputs to 0, and halts the control program.
Retentive outputs return to
the value they had before the keyswitch was turned to Stop.
You can use Tristation to
prevent the application from halting when the keyswitch is turned to Stop.
|
REMOTE
|
Allows writes to control
program variables by Tristation, Modbus masters.
Does Not allow to modify
control program (Download All and Download Changes)
|
The differences between RUN and REMOTE positions are:
- System in RUN mode, read-only Access to control program variables.
- System in RUN mode and you have also configured the GATENB function, you can restrict write access to the alias that you have configured in GATENB function.
- System in REMOTE mode, allow writes Access to control program variables.
Leopoldo Ferrer
ICS/SCADA Senior Specialist
External references:
No hay comentarios:
Publicar un comentario