PROJECT

TRITON

The First ICS Cyber Attack on Safety Instrument Systems

Overview
TRITON (also known as TRISIS or HatMan), is the first known cyberattack that directly interacted with a Safety Instrumented System (SIS). SIS are the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire.

Given the significance of this industrial cyberattack, it warranted an in-depth analysis. Our team's challenge was to work backwards from an undocumented device, the Schneider Electric Triconex controller that was the target of the attack, to an understanding of how malicious code is loaded onto it and run. Using a variety of techniques, the team assembled a working Triconex system and reverse engineered the TriStation suite of software and the protocol it uses to talk to the controller.

While the TRITON malware attack failed to deliver a working malicious OT payload, our team used the malware's own capabilities to load new programs onto the Triconex controller in our test system and execute a malicious payload.

Our research shows that the effort, skills and financial resources needed to create the TRITON malware are not especially high, and certainly not at a level that requires nation state-sponsored resources.

Our findings allowed us to develop two new tools [2] to help the ICS community secure Triconex SIS. The first tool, the TriStation Protocol Plug-in for Wireshark, lets an engineer decode and interpret TriStation communications in a packet capture. The second tool, the Triconex Honeypot Tool, lets defense teams simulate SIS controllers on the network and observe who attempts to talk to them.
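To make the honeypot idea concrete, here is an added example, not Nozomi's Triconex Honeypot Tool or any code from its GitHub repository, of the simplest useful decoy: a silent listener on UDP port 1502, the port TriStation uses (a publicly documented fact about the protocol, not something this page states), that records every host attempting to speak the engineering protocol to it and raises an alert for any source that is not an allow-listed engineering workstation. It does not parse or answer TriStation messages. The addresses and payload bytes in replay_constructed_traffic are constructed for the demo and are not real TriStation frames.

```python
"""
Silent TriStation-port honeypot: pretend to be a Triconex controller, never answer,
and record every host that tries to talk to it. Added example, not Nozomi's tool.
"""
import binascii
import socket
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# TriStation, the engineering protocol used to program Triconex controllers,
# runs over UDP port 1502 (publicly documented; not stated on the page itself).
TRISTATION_UDP_PORT = 1502


@dataclass
class Event:
    ts: str           # UTC timestamp of the datagram
    src_ip: str
    src_port: int
    length: int       # full datagram length in bytes
    payload_hex: str  # first 16 bytes, for triage; the protocol itself is not parsed
    severity: str     # "info" for an allow-listed engineering station, "alert" otherwise


@dataclass
class TriconexHoneypot:
    # Engineering workstations that are legitimately allowed to program the real SIS.
    allowed_stations: Set[str] = field(default_factory=set)
    events: List[Event] = field(default_factory=list)
    hits_per_source: Dict[str, int] = field(default_factory=dict)

    def handle_datagram(self, src_ip: str, src_port: int, data: bytes,
                        now: Optional[datetime] = None) -> Event:
        """Classify one datagram. A decoy controller has no legitimate peers, so any
        non-allow-listed source is an alert; an allow-listed station is still logged,
        because it should not be talking to a controller that does not exist either."""
        now = now or datetime.now(timezone.utc)
        self.hits_per_source[src_ip] = self.hits_per_source.get(src_ip, 0) + 1
        severity = "info" if src_ip in self.allowed_stations else "alert"
        ev = Event(now.isoformat(), src_ip, src_port, len(data),
                   binascii.hexlify(data[:16]).decode("ascii"), severity)
        self.events.append(ev)
        return ev

    def alerts(self) -> List[Event]:
        return [e for e in self.events if e.severity == "alert"]

    def serve(self, bind_ip: str = "0.0.0.0", max_packets: Optional[int] = None) -> None:
        """Bind UDP/1502 and feed real datagrams through handle_datagram. The socket is
        never written to, so the decoy stays silent and cannot be mistaken for a live SIS."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((bind_ip, TRISTATION_UDP_PORT))
        seen = 0
        while max_packets is None or seen < max_packets:
            data, (ip, port) = sock.recvfrom(4096)
            ev = self.handle_datagram(ip, port, data)
            print(f"{ev.ts} {ev.severity.upper():5} {ev.src_ip}:{ev.src_port} "
                  f"len={ev.length} head={ev.payload_hex}")
            seen += 1


def replay_constructed_traffic() -> TriconexHoneypot:
    """Offline demo on constructed datagrams: hypothetical addresses, arbitrary bytes."""
    hp = TriconexHoneypot(allowed_stations={"10.10.1.5"})  # the sanctioned engineering station
    t0 = datetime(2019, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    # The sanctioned station probes the decoy: recorded as informational.
    hp.handle_datagram("10.10.1.5", 49152, b"constructed-probe-0", t0)
    # An unknown host on the same segment sends two datagrams: both are alerts.
    hp.handle_datagram("10.10.1.77", 50000, b"constructed-probe-1", t0)
    hp.handle_datagram("10.10.1.77", 50000, b"constructed-probe-2-longer-payload", t0)
    return hp


if __name__ == "__main__":
    for ev in replay_constructed_traffic().events:
        print(ev)
    # To run it for real, on a host that is NOT a controller:
    # TriconexHoneypot(allowed_stations={"10.10.1.5"}).serve()
```

Because a decoy controller has no legitimate peers, even traffic from the sanctioned engineering station is worth keeping: it means either a misconfigured TriStation project or a workstation being used in a way it should not be, and the engineering workstation is the natural place for an attacker who wants to reach the SIS.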

Research Reports

TRITON: The First ICS Cyber Attack on Safety Instrument Systems, Understanding the Malware, Its Communications and Its OT Payload

How to go from an undocumented ICS device to malicious code: first building a working system, then reverse engineering and malware analysis. While the TRITON malware attack failed to deliver a malicious OT payload to the Triconex controller, our researchers succeeded. Two new tools were released to help the ICS community secure Triconex SIS.

Labs Blogs

Black Hat: Understanding TRITON, The First SIS Cyber Attack

Today at Black Hat USA I am part of a team speaking about the landmark TRITON malware attack. We are presenting new research on TRITON, releasing two tools to help defend against it and publishing a white paper summarizing our findings.

The TRITON malware attack went beyond other industrial cyber attacks by directly interacting with a Safety Instrumented System (SIS). Asset owners should act immediately to secure their SIS — and the information in our white paper will help.

New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol

In 2017, TRITON malware was used to attack a gas facility, directly interacting with its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research to better understand how TRITON works.

Today we released a Wireshark dissector for the TriStation protocol on GitHub to help the ICS community understand SIS communications. Our complete TRITON analysis will be presented at Black Hat USA 2018.

New TRITON ICS Malware is Bold and Important

FireEye has reported that it has recently worked with an industrial operator whose facility was attacked by a new type of ICS malware, which they are calling TRITON. The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process.

The TRITON attack is bold and notable because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Fortunately, because of the unique nature of how each plant implements its SIS and overall safety measures, the malware is not readily scalable.

© 2019 Nozomi Networks, Inc.
All Rights Reserved.