Following Microsoft’s announcement that it will look to build better partnerships with other industry-leading companies to prevent tech support scams, the Redmond giant has made another important announcement. While much of the tech industry was focused on the release of the new Windows 10 update, at Hannover Messe 2018, an industrial trade show, Microsoft announced plans to secure both IoT (Internet of Things) devices and ICS (Industrial Control Systems) operations. The new project has been codenamed Trusted Cyber-Physical Systems, or TCPS for short.
According to Microsoft, TCPS systems are designed to use three elements to catch and block intrusions. The first is a hardware-level Trusted Execution Environment (TEE). Simply put, a TEE is a secure area of the main processor; it guarantees that code and data loaded inside it are protected from attacks. Such environments were designed to process highly sensitive information, the very information hackers are always trying to get at. Many low-level IoT or ICS systems, however, lack a hardware-level TEE, which leaves them incredibly vulnerable to attack. For such systems Microsoft will provide what it terms a “brownfield gateway,” an intermediary point that funnels all commands from upstream equipment to IoT devices, sensors, actuators, or safety control systems through a single server/host that itself supports a TEE.
The second planned measure will incorporate a graphical user interface (GUI) that appears on what Microsoft calls a “Secure Confirmation Terminal,” operated by a trusted employee. When a TEE gateway receives a command to execute certain operations, the GUI displays a prompt to the trusted employee on the trusted terminal. This measure should ensure that no code executes unless it gets approval from the human operator. Once the operator grants approval, the measure instructs the TEE to cryptographically sign the command. The signed command is then forwarded for use by the rest of the system.
Lastly, the third measure is a cloud-based platform that could be used for provisioning, key management, certificate authority, patch management, and tamper-proof logging. As this is a Microsoft project, the cloud-based platform in question will inevitably be Azure.
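The three measures described above form a single pipeline: the brownfield gateway funnels commands through one host, the operator at the secure confirmation terminal approves them, the TEE signs them, and downstream equipment acts only on signed commands. The following Python simulation of that pipeline is an added example and is not code from Microsoft or the TCPS project. The TEE, gateway, controller, key, operation names and threshold values are all constructed for the demo; HMAC-SHA256 stands in for whatever signature scheme TCPS actually uses (so both sides share one key here, unlike a real public-key design); and the sequence number that defeats replayed commands is an addition of this example that the article does not describe.

```python
import hashlib
import hmac
import json
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple

Command = Dict[str, Any]

def canonical(command: Command) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(command, sort_keys=True, separators=(",", ":")).encode()

class SimulatedTEE:
    """Stand-in for the hardware TEE: the key lives inside and is never returned.
    HMAC-SHA256 replaces a real public-key signature so the demo needs only the
    standard library (an assumption of this example, not TCPS's actual scheme)."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def sign(self, command: Command) -> str:
        return hmac.new(self._key, canonical(command), hashlib.sha256).hexdigest()

    def verify(self, command: Command, tag: str) -> bool:
        return hmac.compare_digest(self.sign(command), tag)

class BrownfieldGateway:
    """Single choke point for upstream commands: known operations are put to the
    operator on the secure confirmation terminal and signed by the TEE only after
    approval; unknown operations never reach the operator at all."""
    def __init__(self, tee: SimulatedTEE, confirm: Callable[[Command], bool],
                 allowed_ops: Iterable[str]) -> None:
        self.tee, self.confirm, self.allowed_ops = tee, confirm, set(allowed_ops)
        self._seq = 0  # monotonic counter bound into every signed command

    def handle(self, command: Command) -> Optional[Dict[str, Any]]:
        if command.get("op") not in self.allowed_ops:
            return None  # not an operation this gateway forwards
        if not self.confirm(command):
            return None  # operator declined on the trusted terminal
        self._seq += 1
        signed = dict(command, seq=self._seq)  # sequence number blocks replays
        return {"command": signed, "tag": self.tee.sign(signed)}

class SISController:
    """Downstream safety controller that applies only authentic, fresh commands."""
    def __init__(self, tee: SimulatedTEE) -> None:
        self.tee = tee
        self.trip_threshold = 100.0  # constructed default safety limit
        self.running = True
        self.last_seq = 0
        self.audit: List[Tuple[str, str]] = []  # would be tamper-proof cloud logging

    def accept(self, envelope: Dict[str, Any]) -> bool:
        cmd, tag = envelope["command"], envelope["tag"]
        if not self.tee.verify(cmd, tag):
            self.audit.append(("rejected", "bad signature"))
            return False
        if cmd["seq"] <= self.last_seq:
            self.audit.append(("rejected", "replay"))
            return False
        self.last_seq = cmd["seq"]
        if cmd["op"] == "set_trip_threshold":
            self.trip_threshold = float(cmd["value"])
        elif cmd["op"] == "shutdown":
            self.running = False
        self.audit.append(("applied", str(cmd["op"])))
        return True

def run_demo() -> Dict[str, Any]:
    """Drive one legitimate command and three hostile ones through the pipeline."""
    tee = SimulatedTEE(b"constructed-demo-key-do-not-reuse")
    # Operator policy standing in for the human: approve threshold changes inside
    # a constructed engineering envelope, and any shutdown request.
    def operator(c: Command) -> bool:
        return c["op"] == "shutdown" or (
            c["op"] == "set_trip_threshold" and 50.0 <= float(c["value"]) <= 120.0)
    gateway = BrownfieldGateway(tee, operator, ["set_trip_threshold", "shutdown"])
    sis = SISController(tee)

    legit = gateway.handle({"op": "set_trip_threshold", "value": 110.0})
    legit_applied = legit is not None and sis.accept(legit)
    # An out-of-envelope change is refused at the terminal and never signed.
    unsafe = gateway.handle({"op": "set_trip_threshold", "value": 900.0})
    # Tampering with an already-signed envelope breaks its tag.
    tampered = json.loads(json.dumps(legit))
    tampered["command"]["value"] = 900.0
    tampered_applied = sis.accept(tampered)
    # Re-sending the genuine envelope is caught by the sequence number.
    replay_applied = sis.accept(legit)
    return {
        "legit_applied": legit_applied,
        "unsafe_refused_at_terminal": unsafe is None,
        "tampered_applied": tampered_applied,
        "replay_applied": replay_applied,
        "trip_threshold": sis.trip_threshold,
        "audit": sis.audit,
    }
```

Calling `run_demo()` shows the approved threshold change being applied while the out-of-envelope change never gets signed, and the controller refusing both the tampered and the replayed envelope with a reason in its audit list. In a real deployment the controller would hold only a verification key provisioned from the cloud platform, and the audit list would be the tamper-proof log the third measure provides.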
Response to Triton Malware
Within the report on Microsoft’s plan, linked at the start of this article, the recent attacks using the Trisis/Triton malware were cited as the reason Microsoft started working on TCPS. Towards the end of 2017, researchers at FireEye released a report detailing Triton. The malware could be seen as the successor to the infamous Stuxnet incident, which targeted the Iranian nuclear program. The report revealed that Triton was disguised to look like legitimate Triconex SIS controller management software for Windows workstations. A Safety Instrumented System (SIS) controller is a piece of specialized equipment installed on production lines or other industrial setups. It is designed to read data from industrial equipment, such as factory machinery, robots, valves, and motors, and to analyze that data against certain parameters. If the data deviates from a predetermined safety margin, the SIS controller takes a set of actions; in extreme cases it can shut down an entire factory or production line. While this obviously affects production and income, the system is designed to ultimately protect human lives and equipment.
The malware hidden inside this fake software would read the configuration files it found on the infected SIS engineering workstation, identify SIS controllers, and attempt to deploy certain payloads. The payloads were configured either to shut down the production process or to allow SIS-controlled machinery to operate in an unsafe state, which most likely means the attackers intended to cause physical damage to the target system. Triton and similarly styled ICS attacks are increasing in frequency and pose a very real danger.
On March 15, the New York Times reported that a petrochemical company with a plant in Saudi Arabia was hit by an attack designed to inflict serious physical damage through an ICS controller. It is believed that the malware used was Triton. The attack reportedly occurred in August 2017; however, investigators have been tight-lipped about it, still refuse to identify the company or the country where it is based, and have not identified the culprits. The article reported that the only reason no serious damage or loss of life occurred was a mistake in the malware’s code. Despite that mistake, it was clear from the initial analysis that the attackers, whoever they may be, were well funded and professional. The attack was clearly carried out by experienced hackers, leading investigators to believe it was the work of a state-sponsored group.
Energy and security experts believe the attack could have been an attempt to complicate Crown Prince Mohammed bin Salman’s plans to encourage foreign and domestic private investment to diversify the Saudi economy and produce jobs for the country’s growing youth population.
A Step in the Right Direction
For years experts have argued that tech industry leaders need to place more emphasis on securing IoT devices and ICS systems. Often such hacks are hyped in the media into an Armageddon-level event, which in hindsight detracts from the real dangers posed by attacks like Triton. As the list of such attacks grows, a more concerted effort by governments and corporations is required. To date, live attacks include the likes of Industroyer and BlackEnergy deployed in Ukraine, Sandworm deployed in the US, and Stuxnet deployed in Iran. Microsoft’s new stance on the matter will thus hopefully help slow and prevent the escalation of such attacks.