The third method would allow attackers to create an unsafe state and prevent proper functionality of a system. Representatives with Schneider Electric could not immediately be reached for comment.
FireEye researchers say that a threat actor had targeted a company with TRITON malware that was disguised to look like legitimate Triconex SIS controller management software for Windows workstations.
They also likely performed advanced reconnaissance on their victim, which FireEye hasn't identified, because they knew it was using Triconex SIS controllers.
"We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage", the researchers said in a blog post. In 2010, the U.S. and Israel deployed the Stuxnet virus to destroy a number of Iran's nuclear centrifuges. Last year, one such attack known as Industroyer was used to disrupt Ukraine's power grid.
Triton wouldn't work on another critical infrastructure facility without being rewritten.
"Although the attack is not highly scalable, the tradecraft displayed is now available as a blueprint to other adversaries looking to target SIS and represents an escalation in the type of attacks seen to date as it is specifically created to target the safety function of the process", researchers with Dragos, who also analyzed the malware, wrote.
"Triton is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical effect".
The malware was deployed in order to reprogram the SIS controllers, but some of the devices entered a fail-safe state, which shut the plant down and alerted operators to the scheme. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check, resulting in an MP diagnostic failure message.
The malware hidden inside this fake software would read the configuration files it found on the infected SIS engineering workstation, identify SIS controllers, and attempt to deploy certain payloads.
These recommendations include segregating safety system networks from process control and information system networks, leveraging hardware features that provide for physical control of the ability to program safety controllers, and using a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.
"Attacks on an industrial process that are as specific in nature as TRISIS are considerably hard to repurpose against other sites although the tradecraft does reveal a blueprint to adversaries to replicate the effort".
FireEye Inc disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE.
However, in this case, there was no clear financial goal, but the group's persistence, skill, the targeting of core infrastructure, and what appears to be the resources at their disposal all point towards state sponsorship. Researchers at antivirus provider Symantec also provided a brief analysis here.