WHAT’S THE STORY?
TRITON (also known as TRISIS or HatMan) is a new and destructive malware and framework that can alter and disrupt operations of safety instrumented systems (SIS). SIS are used across Oil and Gas, Chemicals, Utilities, and other sectors, to provide a mechanism to safely shut down an industrial process when it has encountered unsafe operating conditions.
WHAT DOES IT MEAN?
SIS, like main process control systems used at industrial plants, can be susceptible to a cyber attack or malware. TRITON can replace safety-functional logic with alternative logic crafted by the attacker which could, for example, fail to engage the safety system when an unsafe condition occurs, leading to infrastructure damage and potentially even loss of life. TRITON was purposefully built to target a specific brand of SIS—Triconex, manufactured by Schneider Electric. Its acts as legitimate software that is normally used to analyze SIS data and event logs.
WHAT CAN YOU DO?
Download the report and take practical steps today to protect your organization from future malware attacks like the TRITON/TRISIS threat model:
Physical controls—SIS controllers, like all other critical hardware components, should be kept in locked spaces, monitored and accessible only to authorized personnel.
Logical access control—Only authorized and properly controlled USB sticks, writable media, and programming laptops, should be used for system access. Portable media should be verified each time before being allowed to connect to SIS.
Network segmentation—SIS components should reside in an isolated network.
Configuration and change management—Industrial Control System (ICS) governance roles, processes, and tools should be in place to facilitate the correct and authorized deployment, maintenance and verification of SIS equipment and its configuration.
Security monitoring and scanning—Deploy network security monitoring technology, along with ICS vendor certified scanning technology, where possible.