Visibility Solutions

Garland Technology is committed to educating the benefits of having a strong foundation of network visibility and access. By providing this insight we protect the security of data across your network and beyond.

Resources

Garland Technology's resource library offers free use of white papers, eBooks, use cases, infographics, data sheets, video demos and more.

Blog

The TAP into Technology blog provides the latest news and insights on network access and visibility, including: network security, network monitoring and appliance connectivity and guest blogs from Industry experts and technology partners

Partners

Our extensive technology partnership ecosystem solves critical problems when it comes to network security, monitoring, application analysis, forensics and packet inspection.

Company

Garland Technology is dedicated to high standards in quality and reliability, while delivering the greatest economical solutions for enterprise, service providers, and government agencies worldwide.

Contact

Whether you are ready to make a network TAP your foundation of visibility or just have questions, please contact us. Ask us about the Garland Difference!

How to Defend Against TRITON Industrial Malware?

For all the concerns over Industrial Ethernet and IIoT security in recent years, there aren’t many identified malware families poised to take down critical infrastructure.

In fact, since the 2010 Stuxnet attack in Iran, there have only been a handful of unique malware kits in the industrial sector. However, security researchers recently uncovered the latest malware targeting critical infrastructure—TRITON.

Protecting industrial networks is of the utmost importance. Now that TRITON has emerged, let’s look at what exactly this malware is and discuss how to defend against it.

Breaking Down the TRITON Malware Threat


In mid-December 2017, cybersecurity firm Mandate was called to investigate suspicious activity when an attacker deployed TRITON to manipulate Triconex safety instrumented systems (SIS).

According to the FireEye report, the attack resulted in operational shutdown of some SIS controllers. However, the shutdown was the result of a safety mechanism. Reportedly, the nation-state actor behind the attack meant to gain remote access of the SIS workstation, reprogram the controllers, and cause a safety incident that resulted in physical damage.

Although the operational shutdown was inadvertent, OT managers still must understand the threat TRITON poses. The TRITON tool contains many different features (most of which were not used for this particular incident). FireEye says that TRITON gives attackers the ability to:

  • Read and write programs
  • Alter individual functions within the SIS controller
  • Query the state of individual SIS controllers
  • And communicate remotely to deliver attacker-defined payloads

>> Download now: Learn how to secure your industrial network
[Free Whitepaper]

Like other critical infrastructure attacks, data exfiltration is not the end-goal of TRITON attacks. Rather, the features included in the malware kit help attackers maneuver around safety controls and secure a foothold in the Industrial Ethernet network and cause malfunctions in the infrastructure.
Luckily, the attacker modified application memory on the target SIS controllers, leading to validation failure and immediate safe shutdown.

The attacker in this incident may have tripped a safety protocol. But that doesn’t mean TRITON can’t be used against your industrial control system. Knowing about the malware is part of the battle—defending against it is the real challenge.

Defending Against Industrial Threats (Including TRITON)

Any time there’s a report of new malware, security researchers lay out a few key recommendations. In the case of TRITON, here’s what FireEye had to say:

  • Segregate safety system networks from process control/information system networks
  • Physically program safety controllers
  • Leverage unidirectional gateways for applications using data from SIS controllers
  • Practice strict access control and application whitelisting
  • And monitor ICS network traffic for potential anomalies from your baseline activity


TRITON aside, these are all great ways to keep your unique industrial infrastructure safe. But there’s still a question of how to execute all of these recommendations.

The key to defending against TRITON and other industrial threats is to implement network elements that spot 100% of the anomalies FireEye mentions. Listen-only devices like passive network TAPs copy your SIS controller and other network data, send it to an analyzer or deep packet inspector, and keep your managers ahead of any possible breaches.

Using passive network TAPs in conjunction with the latest innovative monitoring tools is the best way to see every bit, byte, and packet® that travels across your industrial network. And when you have total visibility, you can defend yourself against the subtle anomalies that attackers try to sneak through with malware like TRITON.

Defending Industrial Ethernet Network Security Garland Technology

Written by Jerry Dillard

Jerry Dillard leverages two decades in design and engineering to ensure maximum performance within today’s network environments. Dillard, as the inventor of the Bypass Network Test Access Point (TAP), has secured his legacy as he continues to provide network solutions for data centers worldwide.