Multinational industrial services company Schneider Electric recently uncovered malware which was purposefully designed to shut down its safety controllers... you know, the types of control boxes used in nuclear power plants.
Called Trisis, the malware was kept under wraps by Schneider for obvious reasons. However, an employee of the company (we presume) mistakenly posted it, a file named library.zip, to Google's malware research site VirusTotal.
The file was obtained by Schneider during an investigation into data breaches in Saudi Arabia and elsewhere. Whilst security companies already knew of the malware, it wasn't until the upload that researchers could accurately piece together the fragments of the software and confirm what it is and does. It has to be used in conjunction with another file, called Trilog.exe, to inflict its damage.
According to a report in Cyberscoop, it is only the fifth piece of malware ever identified that could take over industrial safety control systems. Obviously, the purpose of Trisis is to shut down a facility which uses Schneider's Triconex safety controllers, causing the facility to breach safety thresholds and do considerable environmental and/or physical harm.
As FireEye puts it:
The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check -- resulting in an MP diagnostic failure message.
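As an added illustration of the validation check the excerpt describes (example code written for this page, not Triconex firmware or anything from FireEye or Schneider), here is a simplified Python model of redundant processing units comparing the application code each of them holds. The unit names, the SHA-256 comparison, the sample images and the rule that any disagreement forces the failed-safe state are assumptions made for the example; they show why an inconsistent reprogramming of one unit surfaces as a diagnostic failure and a safe shutdown rather than a silent change.

```python
"""Simplified model of a redundant-processor validation check.

Each processing unit holds a copy of the application code; the copies are
compared and any mismatch forces the controller into a failed-safe state.
Added illustration only: the unit names, digest comparison and the
'any mismatch trips fail-safe' rule are assumptions, not vendor behaviour.
"""

import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessingUnit:
    """One redundant main processor (MP) holding an application image."""
    name: str
    application_code: bytes


def code_digest(unit: ProcessingUnit) -> str:
    """Digest used to compare application images across units."""
    return hashlib.sha256(unit.application_code).hexdigest()


def validate_redundant_units(units: List[ProcessingUnit]) -> Dict[str, object]:
    """Compare the application code held by each redundant unit.

    Returns a verdict: state 'RUN' when every unit agrees, otherwise
    'FAILED_SAFE' with a diagnostic message and the units whose image
    differs from the majority (all units when there is no strict majority).
    """
    if len(units) < 2:
        raise ValueError("redundancy validation needs at least two units")
    digests = {u.name: code_digest(u) for u in units}
    counts = Counter(digests.values())
    majority_digest, majority_count = counts.most_common(1)[0]
    if majority_count == len(units):
        return {"state": "RUN", "diagnostic": None, "dissenting": []}
    if majority_count * 2 <= len(units):
        # No strict majority: cannot tell which image is right, so trust none.
        dissenting = sorted(digests)
    else:
        dissenting = sorted(n for n, d in digests.items() if d != majority_digest)
    return {
        "state": "FAILED_SAFE",
        "diagnostic": "MP diagnostic failure: application code mismatch on "
                      + ", ".join(dissenting),
        "dissenting": dissenting,
    }


# Constructed sample data: three redundant units loaded from the same image.
ORIGINAL_IMAGE = b"SIS application v1 (constructed sample image)"
HEALTHY_UNITS = [ProcessingUnit(n, ORIGINAL_IMAGE) for n in ("MP-A", "MP-B", "MP-C")]

# Constructed sample: the same set after one unit's image no longer matches.
DIVERGENT_UNITS = [
    ProcessingUnit("MP-A", ORIGINAL_IMAGE),
    ProcessingUnit("MP-B", ORIGINAL_IMAGE + b" [unexpected modification]"),
    ProcessingUnit("MP-C", ORIGINAL_IMAGE),
]


if __name__ == "__main__":
    for label, units in (("healthy", HEALTHY_UNITS), ("divergent", DIVERGENT_UNITS)):
        verdict = validate_redundant_units(units)
        print(f"{label}: {verdict['state']} {verdict['diagnostic'] or ''}")
```

Running the block prints RUN for the matching set and FAILED_SAFE with the dissenting unit named for the divergent one; in a monitoring context the diagnostic string is the kind of event worth alerting on, since a safety controller tripping on a code mismatch merits investigation.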
The first victim of Trisis was a facility run by Saudi Aramco in September 2017. Although the software was quickly removed from VirusTotal, malware researchers had copied it to other public repositories before Schneider had it taken down.
Trisis would require quite a few steps to attack a system, including uploading new code to the Triconex systems. Of course, each step would need to be done "invisibly", and even when all steps are complete, Trisis only removes the safety thresholds. It doesn't necessarily bring a power plant down per se, but could make it unsafe.
Whilst this is only the fifth such malware in existence, the public exposure of its code does raise troubling considerations. Firstly, FireEye believes that the software was developed by a nation state. Secondly, the very possibility of "slow contravention" in this way invites such malware to cause a slow burn: rather than a quick shutdown of everything, the attacker simply adds pieces to the jigsaw until the final act is ready to execute.
Sorry if that all sounds rather dramatic but, you know, it's easier to react when it involves a reactor.