FacebookTwitterLinkedIn

Microsoft on a Mission to Secure IoT Devices

Karolis Liucveikis Written by on (updated)

Following from Microsoft’s announcement that it will be looking to build better partnerships with other industry-leading companies to prevent tech support scams the Redmond giant has made another important announcement. While much of the tech industry was looking at the release of the new Windows 10 update, at the Hannover Messe 2018, an industrial trade show, Microsoft announced plans to secure both IoT (Internet of Things) devices and ICS (Industrial Control Systems) operations. The new project has been codenamed Trusted Cyber-Physical Systems or TCPS for short.

According to Microsoft, TCPS systems are designed to utilize three elements to catch and block intrusions. The first being is a hardware-level Trusted Execution Environments (TEEs). Simply put a TEE is a secure area of the main processor. It guarantees code and data loaded inside to be protected from attacks. Such systems were designed to process highly-sensitive information, information hackers are always trying to get at. The reason for this is that many low-level IoT or ICS systems lack a hardware level TEE making them incredibly vulnerable to attack. For such systems Microsoft will be able to provide what they term is a “brownfield gateway,” which operates as an intermediary point that funnels all commands from upstream equipment to IoT devices, sensors, actuators, or safety control systems through one server/host thus supporting a TEE.

The second measure has been planned will incorporate a graphical user interface (GUI) that is meant to appear on what Microsoft considers a “Secure Confirmation Terminal,” operated by a trusted employee. This will operate when a TEE gateway receives a command to execute certain operations, the GUI will display a prompt to the trusted employee on a trusted terminal. This measure should help ensure that no code executes unless it gets approval from the human operator. Once approval is granted by the user the new measure will then instruct the TEE to cryptographically sign the command. Lastly, that command is then forwarded for use by the rest of the system.

microsoft to secure iot devices

Lastly, the third measure that will be employed is a cloud-based platform that could be used for provisioning, key management, certificate authority, patch management, and tamper-proof logging. As this is a Microsoft project it would inevitably mean that cloud-based platform mentioned above will have Azure as the go-to platform.

Response to Triton Malware

Within the report on Microsoft’s plan, linked at the start of this article, it was cited that the recent attacks with the Trisis/Triton malware as the reason it started working on TCPS. Towards the end of 2017, researchers at FireEye released a report detailing Triton. The offending piece of malware could be seen as the successor to the infamous Stuxnet incident which targeted the Iranian nuclear program. The report revealed that the Triton malware was disguised to look like legitimate Triconex SIS controller management software for Windows workstations. A Safety Instrumented System (SIS) controller is a piece of specialized equipment installed on production lines or other industrial setups. They are designed to read data from industrial equipment, such as factory machinery, robots, valves, motors, and others. The data is then analyzed within certain parameters. If data deviates from a predetermined safety margin, the SIS controller takes a set of actions. In extreme cases, the controller can shut down an entire factory or production line. While obviously affecting production and income, the system is designed to ultimately protect human lives and equipment.


The malware hidden inside this fake software would read the configuration files it found on the infected SIS engineering workstation, identify SIS controllers, and attempt to deploy certain payloads. The payloads were configured to either shut down the production process or allow SIS-controlled machinery to work in an unsafe state. This would most likely mean that the attackers intended to cause physical damage to the target system. Triton as well as similar styled ICS attacks are increasing in frequency and pose a very real danger.

On March 15, the New York Times reported that a petrochemical company with a plant in Saudi Arabia was hit by an attack designed to inflict serious physical damage upon an ICS controller. It is believed that the malware used was Triton. The attack reportedly occurred in August of 2017, however, investigators have been tight-lipped about the attack and still refuse to identify the company or the country where it is based and have not identified the culprits. In the news article, it was reported that the only reason no serious damage or loss of life occurred was due to a mistake in the malware’s code. While there was a mistake it was clear from the initial analysis of the attack that the attackers, however they may be, were well funded and professional. The attack was clearly done by experienced hackers leading investigators to believe the act was carried out by a state-sponsored group.

Energy and security experts believe the attack could have been an attempt to complicate Crown Prince Mohammed bin Salman’s plans to encourage foreign and domestic private investment to diversify the Saudi economy and produce jobs for the country’s growing youth population.

A Step in the Right Direction

For years experts have been arguing that tech industry leaders need to be placing more emphasis on securing IoT devices and ICS systems. Often such hacks are hyped in the media to an Armageddon level event, which in hindsight detracts from the real dangers posed by Triton attacks. As the list grows of such attacks a more concerted effort by government and corporations is required. To date live attacks include the likes of Industry and BlackEnergy deployed in Ukraine, Sandworm deployed in the US, and Stuxnet deployed in Iran. Thus Microsoft’s new stance on the matter will hopefully help slow and prevent the escalation of such attacks.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog