Hackers halt plant operations in watershed cyber attack

(Reuters) — Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.

FireEye Inc. disclosed the incident Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE.

Schneider confirmed the incident had occurred and that it had issued a security alert to customers of the technology, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.

FireEye and Schneider declined to identify the victim, industry or location of the attack. Cyber-security company Dragos said it targeted an organization in the Middle East, while a second firm, CyberX, said it believes the victim was in Saudi Arabia.

It marks the first report of a safety system breach at an industrial plant by hackers, who have in recent years placed increasing attention on hacking into utilities, factories and other types of critical infrastructure, cyber experts said.

Such attacks could allow hackers to shut down safety systems in advance of attacking an industrial plant, which could prevent plants from identifying and halting destructive attacks on those facilities, they said.

The attack demonstrates that plant safety systems "could be fooled to indicate that everything is okay" when hackers are potentially damaging a plant in the background, said Galina Antova, co-founder of cyber-security firm Claroty.

"This is a watershed," said Sergio Caltagirone, head of threat intelligence with Dragos. “Others will eventually catch up and try to copy this kind of attack.”

In the incident, hackers used sophisticated malware to take remote control of a workstation running a Schneider Electric Triconex Tricon safety shutdown system, then sought to reprogram controllers used to identify potential safety issues. During that incident, some of the controllers entered a fail safe mode, which caused related processes to shut down and caused the plant to identify the attack, FireEye said.

FireEye believes the attacker's actions inadvertently caused the shutdown while probing the system to learn how it worked, Scali said. The attackers were likely conducting reconnaissance to learn how they could modify safety systems so they would not operate in the event that the hackers intended to launch an attack that disrupted or damaged the plant, he said.