Hackers Attack Safety System, Shut Down Plant

By Editors of Power Engineering

Makers of industrial software confirmed the operations of a plant was halted by a cyberattack by hackers likely working for a national government.

Reuters reported the attack targeted Triconex industrial safety technology from Schneider Electric SE.

Schneider, as well as cybersecurity company FireEye, confirmed the attack but did not identify the victim, industry or location of the attack. Security company Dragos said the target was somewhere in the Middle East, while CyberX said the victim was in Saudi Arabia.

Schneider issued a security alert to users of Triconex, which Reuters said is widely used by the energy industry.

“While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors,” the alert said.

The attack is believed to be the first report of a safety system breach at an industrial plant by hackers. Reuters noted a safety system breach could allow hackers to attack other parts of an industrial plant and prevent operators from detecting the hack.

In the incident reported by Schneider and FireEye, hackers used malware called Triton to take control of a workstation, then worked to reprogram controllers used to identify safety issues. Operators noticed the attack when some controllers entered a failsafe mode and caused related processes to shut down.

FireEye said the shutdown was an accident as hackers were probing the system to see how it worked and learn how to modify safety features.

Schneider is now working with the U.S. Department of Homeland Security to investigate the attack.

Triton is now the third type of malware known to disrupt industrial processes. Stuxnet was used in 2010 to attack Iran’s nuclear program, while Crash Override, otherwise known as Industroyer, was discovered in 2016 in an attack that brought down power in the Ukraine.