Cybersecurity threat detection and response supplier Dragos posted a new blog on Friday that sheds some new light on the attack group know as XENOTIME, which is the same group responsible for the TRISIS/TRITON malware attack on a Triconex process safety system at a still unnamed Middle Eastern petrochemical facility back in 2017.
Why is XENOTIME so Dangerous?
Dragos classifies XENOTIME as the “most dangerous threat activity publicly known.” To summarize the impact of TRISIS and why XENOTIME is so dangerous, process safety systems are the last line of defense in refining, petrochemical, and other plants and processes that have a risk of explosion or release of toxic materials that pose a threat to human life and the environment. If things start to go wrong in a process, the process safety system kicks in and shuts the plant or process down in a safe manner, before things get out of control. The well-known incident at Bhopal, where many thousands of people died, was one of the primary catalysts for the creation of these modern approaches to process safety.
Reprogramming or subverting a process safety system so that it no longer performs this function is the last link in the chain for creating an incident and causing damage and risk to human life in the physical world. As Dragos mentions in its post, “Compromising safety systems provides little value outside of disrupting operations.” Subverting a process safety system is also exceedingly difficult. It should be noted that in the case of the 2017 TRISIS attack, the process safety system shut the process down when it realized that unauthorized activities were taking place in the system while it was in operation.
A Persistent Threat
Nevertheless, Dragos points out that XENOTIME is showing no signs of slowing down its activities. Any end user in the process industries should be concerned with the potential impact of a XENOTIME attack. To date, XENOTIME activity has been limited to the oil and gas industry. In an earlier 2018 blog post, Dragos “identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME, providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks.”
Beyond Middle East Oil and Gas
There are a couple of things about this post that may not jump out right away to the casual reader. The first of these is that Dragos has expanded the industry focus for XENOTIME beyond the oil and gas industry to include the power generation industry. Process safety systems are widely used for critical pressure and level control loops in power generation applications (nuclear and fossil) where multiple sensors are employed, although there was no specific threat to the nuclear industry called out in the blog post. Dragos’ new assessment also shows XENOTIME activity as expanding from the Middle East to include North America, APAC, and Europe.
Multiple Safety Systems
Perhaps the most telling sentence of the blog post is the last one, stating that “Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex.” In the wake of the initial TRISIS attack in 2017, both ARC and Dragos pointed out that the techniques and “tradecraft” that were used to create TRISIS could be easily used to develop attacks on other process safety, and that now seems to be the case according to this report, although no other specific vendors were called out in the post.
What Should I Do Now?
There are many simple steps that can be taken to increase the security of your process safety systems. XENOTIME successfully built a foothold in 2017 by exploiting many gaps and lapses in both operational and cybersecurity that could have easily been addressed by the end user. These include simple things like keeping control cabinets locked, ensuring that key switches are not left in program mode. Safety system engineering workstations should be isolated in locked cabinets and only connected to the safety network. Mobile data exchange methods such as USB sticks should not be allowed on workstations that reside on or interface with the safety network. Laptops used in safety system applications should also be dedicated to that purpose and include no USB ports or CD drives. Password security should be revisited. As is the case with many of these attacks, credentials can be harvested from trusted suppliers like engineering firms and systems integrators as well as from the owner/operator, so that should be considered as well.
From a cybersecurity product and solution standpoint, end users with a greater degree of maturity in their ICS cybersecurity practices will typically employ more advanced threat monitoring and detection methods, which can identify these kinds of complex, multi-stage, systemic attacks early. These kinds of attacks typically take place over the course of many months, and when the threat is discovered, mitigating it is not always as simple as flicking a switch. By being more proactive in our efforts to guard against and detect these types of threats, we can greatly reduce their likelihood and impact.