PROJECT
TRITON
The First ICS Cyberattack on Safety Instrument Systems
Overview
TRITON (also known as TRISIS or HatMan), is the first known cyberattack that directly interacted with a Safety Instrumented System (SIS). SIS are the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire.
Based on the significance of this industrial cyberattack, it warranted an in-depth analysis. Our team’s challenge was to learn how to turn an undocumented device – the Triconex controller from Schneider Electric, which was the target of the attack – into malicious code. Using a variety of techniques, they succeeded in putting together a working system and reverse engineered the TriStation suite of software.
While the TRITON malware attack failed to deliver a malicious OT payload, our team successfully used its capabilities to implement new programs in the Triconex controller and execute a malicious payload.
Our research shows that the effort, skills and financial resources needed to create the TRITON malware are not that high – certainly not at the level where nation state-sponsored resources are required.
Our findings allowed us to develop two new tools [2] to help the ICS community secure Triconex SIS. The first tool, the TriStation Protocol Plug-in for Wireshark, allows an engineer to visually see and comprehend TriStation communications. The second tool, the Triconex Honeypot Tool, can be used by defense teams to simulate SIS controllers on the network.
Reports
TRITON: The First ICS Cyber Attack on Safety Instrument Systems, Understanding the Malware, Its Communications and Its OT Payload
How to turn an undocumented ICS device into malicious code, starting from creating a working system and followed by reverse engineering and malware analysis. While the TRITON malware attack failed to deliver a malevolent OT payload to the Triconex controller, our researchers succeeded. Two new tools were released to help the ICS community secure Triconex SIS.
Tools
Tricotools
- TriStation Protocol Plug-in for Wireshark – facilitates seeing and comprehending TriStation communications and identifies hardware connected to the safety controller
- Triconex Honeypot Tool – simulates SIS controllers on the network, useful for detecting reconnaissance scans and capture malicious payloads
Labs Blogs
Black Hat: The Future of Securing Power Grid Intelligent Devices
Today at Black Hat USA we’re presenting an innovative power grid cyber security solution that greatly improves monitoring of intelligent electronic devices (IEDs).
Using the IEC 62351 standard for monitoring industrial networks, we demonstrate how four types of hard-to-detect attacks are readily identified.
Black Hat: Understanding TRITON, The First SIS Cyber Attack
Today at Black Hat USA I am part of a team speaking about the landmark TRITON malware attack. We are presenting new research on TRITON, releasing two tools to help defend against it and publishing a white paper summarizing our findings.
The TRITON malware attack went beyond other industrial cyber attacks by directly interacting with a Safety Instrumented System (SIS). Asset owners should act immediately to secure their SIS — and the information in our white paper will help.
New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol
In 2017, TRITON malware was used to attack a gas facility, directly interacting with its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research to better understand how TRITON works.
Today we released a Wireshark dissector for the TriStation protocol on GitHub to help the ICS community understand SIS communications. Our complete TRITON analysis will be presented at Black Hat USA 2018.

© 2022 Nozomi Networks, Inc.
All Rights Reserved.