Investigative reporting in today’s New York Times by Nicole Perlroth and Clifford Kraus:

In August, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault. The attack was not designed to simply destroy data or shut down the plant. It was meant to sabotage the firm’s operations and trigger an explosion. The attack was a dangerous escalation in international cyberwarfare, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage.

The [TRITON] attack was most likely intended to cause an explosion that would have killed people.

  • What worries investigators and intelligence analysts the most is that the attackers compromised Schneider’s Triconex controllers, which keep equipment operating safely by performing tasks like regulating voltage, pressure and temperatures. Those controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants. If attackers developed a technique against Schneider equipment in Saudi Arabia, they could very well deploy the same technique in the US.

… it is only a matter of time before they deploy the same technique against another industrial control system. A different group could also use those tools for its own attack.

  • The only thing that prevented significant damage was a bug in the attackers’ computer code that inadvertently shut down the plant’s production systems.

The August attack was far more sophisticated than any previous attack originating from Iran [like Shamoon in 2012 and 2017], but there is a chance Iran could have improved its cyberwarfare abilities or worked with another country, like Russia or North Korea.

  • The assault was the most alarming in a string of cyberattacks on petrochemical plants in Saudi Arabia. In January 2017, computers went dark at the National Industrialization Company, Tasnee for short, which is one of the few privately owned Saudi petrochemical companies. Computers also crashed 15 miles away at Sadara Chemical Company, a joint venture between the oil and chemical giants Saudi Aramco and Dow Chemical [these attacks were not previously reported].

  • Tasnee said in an email that it had hired experts from Symantec and IBM to study the attack against it.

[Tasnee] said it had also “completely overhauled our security standards” and started using new tools to prevent cyberattacks.