Armis has announced its official participation in MITRE Engenuity’s initial round of ATT&CK® Evaluations for industrial control systems (ICS). In these tests, MITRE Engenuity used the MITRE ATT&CK® knowledge base to emulate the tactics and techniques used in the TRITON malware attack against a petrochemical facility in Saudi Arabia. This malware was used to interact with Triconex Safety Instrumented Systems (SIS) and represents the first publicly reported incident demonstrating a targeted attack with a known effect to an operational SIS. Armis provided 100% visibility of all IT & OT/ICS assets with real-time detection of all initial access and lateral movement.
“MITRE’s ATT&CK knowledgebase is widely recognized as the industry standard for tracking adversarial tactics and techniques, and these ICS evaluations are a crucial validation of the power of the Armis platform,” said Christopher Dobrec, Vice President, Product Marketing, Armis. “Recent attacks on water plants, oil and gas pipelines and other critical infrastructure prove that cyber resilience in these sectors is critical to ensure continued operations and even national security. Armis clearly stands up to MITRE Engenuity’s rigorous testing which means it will detect specific behaviors of potentially devastating malware like TRITON and can play a key role in securing OT and ICS environments.”
The TRITON malware is known to target safety systems, preventing operators from responding to failures, hazards and other unsafe conditions. This has the potential to cause physical destruction that can lead to fatal consequences. Russia’s Central Scientific Research Institute of Chemistry and Mechanics was responsible for developing TRITON, which enabled the attack against safety controllers in a Saudi refinery causing them to enter a failed safe state in an ultimately unsuccessful attack. This led the U.S. Department of Treasury to impose sanctions against the institute.
Armis is the security platform provider to address the expanding threat landscape of managed, unmanaged, IoT, OT, ICS, and IoMT devices. They have the ability to discover every device in the environment, track their behaviour, detect active vulnerabilities and threats, and protect critical business information and systems. On top of that, the platform passively monitors all traffic on the network and in the airspace to identify & classify every device and to understand each device’s behaviour without disrupting their operation. The core to the Armis Platform is the Device Knowledgebase which tracks over one billion devices, which contains unique device profile information that is used to understand not only what the device is and what it is doing, but also what it should be doing. This means that, when a device operates outside of its baseline, Armis can automatically remediate any threat.
“There are many products that offer different approaches to detecting ICS attacks, and these evaluations can help security practitioners better understand how they meet their organization’s needs in areas including the stage of attack when the detections occur, the types of data sources that can be collected and how information may be presented,” said Otis Alexander, who led the ATT&CK Evaluations for ICS. “Few organizations have the time and resources to install and test multiple products as they make decisions on what they need to defend their network, therefore our evaluations are intended to take some of the guesswork out of the process and provide clarity about how security products detect adversary activity.”
