From the Schneider Electric announcement:
Malware Discovered Affecting Triconex Safety Controllers V1.1 December 14, 2017
Overview
____________________________________________________________________________
Schneider Electric is aware of a directed incident affecting a single customer’s Triconex Tricon safety shutdown system.
____________________________________________________________________________
We are working closely with our customer
, independent cybersecurity organizations and ICS- CERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors. It is important to note that in this instance , the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment.
Triconex user documentation contains detailed security guidelines and recommendations on how to protect Triconex systems from attack. We strongly encourage all our customers to follow these recommendations regarding product use and security, as well as apply and follow industry-recognized cybersecurity best practices at all times to protect their installations:
• Ensure the cybersecurity features in Triconex solutions are always enabled;
• Never leave the front panel key position in the “Program” mode when not actively
configuring the controller;
• And ensure all TriStation terminals, safety controllers and the safety network are isolated
from the rest of the plant communication channels.
Also, review and assess your site’s cyber preparedness. Schneider Electric is a proponent of the NIST Cyber Security Framework and is ready to assist should this be necessary.
The Schneider Electric Product Security Office continues to work with ICS-CERT and will update this advisory as more information becomes available.
Details
The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.