Published on 25 Mar 2022 | Updated on 25 Mar 2022
SingCERT has received information of an ongoing campaign by threat actors targeting Industrial Control Systems (ICS). This is the same campaign as reported by the United States Federal Bureau of Investigation (FBI). The threat actors would typically target the Safety Instrumented Systems (SIS) of an industrial process, which are used to initiate safe shutdown procedures in the event of an emergency. If the SIS fails to initiate its shutdown procedures, potential consequences include damage to a facility, system downtime or even loss of life.
This advisory provides some background information about ICS and SIS, as well as recommended measures that operators and owners of ICS systems can take to secure their SIS.
What are Industrial Control Systems (ICS)
ICS is a collective term used to describe several types of control systems and associated instrumentation used to control industrial processes such as manufacturing, product handling, production, and distribution. It may also include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, distributed control systems (DCS), and smaller control systems using programmable logic controllers (PLC) to control localised processes. Such systems are extensively used in industries such as chemical processing, power generation and distribution, oil and gas processing, and telecommunications.
What are Safety Instrumented Systems (SIS) and their Importance
SIS are composed of sensors, logic solvers, and final control elements (e.g. valves, relays, actuators) typically present in critical process systems within industrial processes. The purpose of SIS is to ensure that critical/dangerous industrial processes are operating within safe limits and to isolate or shut down any process(es) which breach the aforementioned limits. Examples of SIS include Emergency Shutdown Systems, Emergency Venting systems, Safety Shutdown Systems and High-integrity Pressure Protection systems.
Threats to SIS
In recent years, there has been an observable increase in attacks involving ICS systems globally. Such attacks may take the form of malicious software specifically designed to target systems/components of ICS. Examples of such malware include TRITON, Industroyer and Havex. As SIS are essentially fail-safe systems, threat actors will typically need to disable them to attain total control of any process system.
A notable example of an attack on an ICS system is the 2017 TRITON malware attack in Saudi Arabia, where a critical infrastructure’s Schneider Electric Triconex SIS was compromised by the malware, causing the safety controllers to enter ‘fail safe’ mode and shut down the industrial process. As a result, operations in nuclear, oil and gas plants were disrupted. Schneider Electric addressed the vulnerability (in the Tricon model 3008 v10.0-10.4) when version 11.3 of the Tricon controller was released in June 2018. However, older versions of the controller remain in use and are vulnerable to a similar attack. Operators and owners of the affected product are reminded to upgrade to the latest patched version as soon as possible to secure their SIS if a vulnerable version is still being used.
An ICS may be vulnerable due to the following factors:
As such, it is important for operators and owners of ICS systems to take proactive steps to strengthen their systems, maintain business continuity plans to minimise essential service interruptions (or safety breaches) and pre-emptively evaluate potential continuity and capability gaps. Operators and owners of ICS systems should maintain the integrity of their SIS to ensure that their industrial processes are operating within safe (or defined) limits.
Recommendations to Secure SIS
Owners and operators of ICS systems are advised to consider the following measures to secure their SIS:
Report any Cybersecurity Incident to SingCERT
If your organisation is a victim of any cybersecurity incident (involving ICS systems or otherwise), report the incident at https://go.gov.sg/singcert-incident-reporting-form.
References:
https://www.mandiant.com/resources/attackers-deploy-new-ics-attack-framework-triton
https://www.csa.gov.sg/news/publications/ot-cybersecurity-masterplan
https://www.cisa.gov/uscert/ncas/alerts/aa22-083a
https://www.cisa.gov/uscert/ics/advisories/ICSA-18-107-02