DESIGNED TO KILL
Startup on the lookout for malware made to cause deadly disasters
The cyber threat hunters had honed their chops at the National Security Agency; the world’s premier electronic spy agency. Last fall, they were analyzing malware samples from around the world when they stumbled across something highly troubling: The first known piece of computer software designed to kill humans.
The researchers, who launched their own firm several years ago, determined that the malicious computer code was created to sabotage a safety system whose sole purpose is to avert fatal
accidents. When the system fails, the chance of a deadly accident — in this case, a petrochemical plant — greatly increases.
“The only purpose of these safety systems is to protect human life,” said Robert M. Lee, co-founder of Dragos, who conducted cyber operations for the NSA and U.S. Cyber Command from 20112015. “The only reason to sabotage them is to kill people.”
Dragos, based in a techno-hip warehouse in Hanover, Maryland, is at the forefront of a new line of business for cybersecurity firms. It focuses on industrial control systems: The machines that make oil, gas and electricity flow; pump water and create chemicals.
A larger and better-known cyber firm, FireEye, independently also identified the potentially deadly malware. Yet the obscure startup is the only company so far to have identified two separate strains of malware that were built to damage or destroy industrial control systems. Several U.S. and Western government agencies have turned to Dragos for analysis and insights on control system attacks.
Lee, 30, and his two Dragos co-founders — Jon Lavender and Justin Cavinee — gained crucial experience at the NSA, which employs a corps of highly skilled cyber operators. But after several years working at the NSA in industrial threat detection, they realized that gathering exquisite intelligence on adversaries who are bent on disrupting industrial control systems is one thing. Protecting the systems from those hacks is another.
So Dragos built a software product to help industrial companies detect cyber threats to their networks and respond to them. Its clients include energy, manufacturing and petrochemical factories in the United States, Europe and Middle East.
In October, Dragos discovered Trisis, a malware that targets a “safety instrumented system,” or a machine whose sole function is to prevent fatal accidents. In a petrochemical plant, for instance, there are machines that operate at very high pressures, and if a valve blows, the pressure or the leak of hazardous materials could kill a human being. But a safety instrumented machine is supposed to shut down the entire system to reduce the risk of a fatal accident.
There has been one known deployment of the Trisis malware — FireEye called it Triton — at a petrochemical
plant in Saudi Arabia last August. But a coding error prevented the malware from working as intended and a potential catastrophe was averted.
As of this week, the culprits behind Trisis were still active in the Middle East, Lee said. “It’s reasonable to assume that (what happened last year) is not a onetime event.’’
Though Dragos had some indication of who was responsible, the firm refrained from drawing a conclusion. “It wasn’t cut and dried,” Lee said. Dragos shared the malware with the Department of Homeland Security, but Lee argued against the
government seeking to assign blame.
“The best they could do is a well-reasoned guess,” he said. “There’s not the years’ worth of data on this event that would make attribution possible.”
Dragos’s policy of not publicly declaring who it believes is responsible for a malicious cyber campaign sets it apart from other cyber threat intelligence firms.
FireEye, for instance, says that attribution is “critically important” to its customers. To a Persian Gulf oil company, Iranian threats are existential, whereas state election boards would want to know if, for instance, the Russians had compromised their systems, said FireEye Director of Intelligence Analysis John Hultquist.
Knowing your attackers makes it easier to make the most of limited security budgets, he said.
For Dragos, however, “there’s no value to our customers” in identifying their attacker, Lee said, adding that an inaccurate attribution of responsibility could escalate tensions between states.
“Attribution is a political discussion,” he said. “When it comes to our customers’ networks, we want to stay away from the politics and focus on the defense.”
Put simply, he said, “nobody needs to be in anyone’s civilian infrastructure.”
If it’s a civilian power plant or manufacturing facility, “we have the full right to kick them out and we don’t need to know who they are.”