TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems Forever

In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives. While the attack was discovered before its ultimate goal was achieved, that is, disruption of the physical process, TRITON is a wakeup call regarding the need to urgently improve ICS cybersecurity.

This analysis and presentation will cover:

  • How the threat actors could have obtained the targeted equipment, firmware and documentation, based on our own experience,

  • The level of resources (time, money, expertise) required to develop a sophisticated embedded implant like TRITON,

  • The advanced methods used by the malware for a multi-stage injection of the backdoor into the controller of the Schneider Electric Triconex safety shutdown system, derived from both static and dynamic analysis of the code,

  • A demo of how the TRITON malware executes on a running Triconex controller,

  • Why did the attacker possibly failed to inject payload.

We will conclude with an appeal to vendors about the urgent need for equipment auditing and forensic tools. These tools must be developed before TRITON-like attacks become mass-scale and the time to start working on them is now; hacking is a fashion industry, as soon as a new exploitation technique becomes available, everybody jumps on the bandwagon.

This session will thus provide comprehensive insights into how one of the most sophisticated attacks on an ICS system to date was developed and how it could be detected during and post exploitation. This is important information for anyone seeking to secure critical infrastructure.

Presented by