Nozomi Networks Labs

Defending Critical Infrastructure Against Cyber Risk


Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations.

Through our cyber security research, and collaboration with industry and institutions, we’re helping defend the industrial systems that support everyday life.

Collaborating to Reduce ICS Cyber Risk

Nozomi Networks Labs is working with a broad range of experts, industry leaders and institutions to improve industrial cyber security.

If you’d like to work together, we’d love to hear from you!

NEW Mitsubishi Electric MELSEC-Q Series Ethernet Module  NCCIC ICS-CERT

NEW Nozomi Networks Labs Finds New Rockwell PLC Vulnerability BLOG  NCCIC ICS-CERT

Research Reports

TRITON: The First ICS Cyber Attack on Safety Instrument Systems, Understanding the Malware, Its Communications and Its OT Payload

How to turn an undocumented ICS device into malicious code, starting from creating a working system and followed by reverse engineering and malware analysis. While the TRITON malware attack failed to deliver a malevolent OT payload to the Triconex controller, our researchers succeeded. Two new tools were released to help the ICS community secure Triconex SIS.


Radamsa Enhancement, Introducing PCAPNG Awareness

  • Our contribution allows Radamsa to mutate PCAPNG files focusing only on the packets themselves, eliminating the bytes and data structures used by the PCAPNG format itself. It is useful for testing the robustness of protocol stacks, helping to improve the quality of OT-device software.

Threat Advisories

Labs Blogs

Nozomi Networks Labs Enhances Radamsa for Safer ICS Software

Nozomi Networks Labs is committed to conducting cyber security research that makes industrial organizations more secure. Our latest project involves enhancing Radamsa, an open source fuzzing tool for testing software.

Our new code makes it faster and easier to test devices that communicate over industrial networks, such as PLCs and RTUs, for security vulnerabilities.

GreyEnergy Malware Research Paper: Maldoc to Backdoor

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.

Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.

IEC 62351 Standards for Securing Power System Communications

To help counter the growing concern about cyberattacks aiming to disrupt power systems, industrial experts have been working together in WG15. This group, part of IEC, is defining the standards known as IEC 62351, for secure-by-design power grids.

As a member of WG 15 since 2015, I thought it might be helpful to inform you about these standards and provide an update on their status.

Analyzing the GreyEnergy Malware: from Maldoc to Backdoor

GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years.

As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email until the malware is installed on a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.

GreyEnergy Malware Targets Industrial Critical Infrastructure

Recently a new advanced threat targeting the energy sector was disclosed. Called GreyEnergy, this malware is the successor to BlackEnergy, which brought down part of the Ukraine power grid in 2015.
Because of the significance of the malware, our Nozomi Networks Security Research team is evaluating it. Find out what is known about the malware to date.

Open Source Software Exposes ICS Device Vulnerabilities to Hackers

It’s disturbing to think that disruption and damage to our critical infrastructure can happen by simply combining the use of OSS tools with malicious intent. Fortunately, those same tools are being used by ICS security researchers around the world to increase industrial control systems cyber security.

Read on to learn why transportation, communications, energy and emergency services are so exposed, and what’s being done to close the ICS cyber security gap.

Black Hat: Understanding TRITON, The First SIS Cyber Attack

Today at Black Hat USA I am part of a team speaking about the landmark TRITON malware attack. We are presenting new research on TRITON, releasing two tools to help defend against it and publishing a white paper summarizing our findings.

The TRITON malware attack went beyond other industrial cyber attacks by directly interacting with a Safety Instrumented System (SIS). Asset owners should act immediately to secure their SIS — and the information in our white paper will help.

New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol

In 2017, TRITON malware was used to attack a gas facility, directly interacting with its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research to better understand how TRITON works.

Today we released a Wireshark dissector for the TriStation protocol on GitHub to help the ICS community understand SIS communications. Our complete TRITON analysis will be presented at Black Hat USA 2018.

New TRITON ICS Malware is Bold and Important

FireEye has reported that it has recently worked with an industrial operator whose facility was attacked by a new type of ICS malware, which they are calling TRITON. The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process.

The TRITON attack is bold and notable because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Fortunately, because of the unique nature of how each plant implements its SIS and overall safety measures, the malware is not readily scalable.

OT ThreatFeed

Curated and maintained by Nozomi Networks Labs, the OT ThreatFeed™ provides threat and vulnerability updates to SCADAguardian and SCADAguardian Advanced, making it easy for IT/OT professionals to stay on top of current ICS risks.

“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”


Co-founders, Nozomi Networks

© 2019 Nozomi Networks, Inc.
All Rights Reserved.