Nozomi Networks Labs Project
The First ICS Cyberattack on Safety Instrument Systems
TRITON (also known as TRISIS or HatMan) is the first known cyberattack that directly interacted with a Safety Instrumented System (SIS). SIS are the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire.
Based on the significance of this industrial cyberattack, it warranted an in-depth analysis. Our team's challenge was to learn how malicious code could be loaded onto an undocumented device – the Triconex controller from Schneider Electric, which was the target of the attack. Using a variety of techniques, the team succeeded in putting together a working system and reverse engineered the TriStation suite of software.
While the TRITON malware attack failed to deliver a malicious OT payload, our team successfully used its capabilities to implement new programs in the Triconex controller and execute a malicious payload.
Our research shows that the effort, skills and financial resources needed to create the TRITON malware are not that high – certainly not at the level where nation-state-sponsored resources are required.
Our findings allowed us to develop two new tools to help the ICS community secure Triconex SIS. The first tool, the TriStation Protocol Plug-in for Wireshark, allows an engineer to see and comprehend TriStation communications. The second tool, the Triconex Honeypot Tool, can be used by defense teams to simulate SIS controllers on the network.
- TriStation Protocol Plug-in for Wireshark – facilitates seeing and comprehending TriStation communications and identifies hardware connected to the safety controller
- Triconex Honeypot Tool – simulates SIS controllers on the network, useful for detecting reconnaissance scans and capturing malicious payloads