What's the story?

TRITON (also known as TRISIS or HatMan) is a new and destructive malware and framework that can alter and disrupt operations of safety instrumented systems (SIS). SIS are used across Oil and Gas, Chemicals, Utilities, and other sectors, to provide a mechanism to safely shut down an industrial process when it has encountered unsafe operating conditions.

Download the Cyber Advisory Attack Summary [PDF]
Download the Threat Analysis Technical Report [PDF]

What does it mean?

SIS, like the main process control systems used at industrial plants, can be susceptible to a cyber attack or malware. TRITON can replace safety-functional logic with alternative logic crafted by the attacker which could, for example, fail to engage the safety system when an unsafe condition occurs, leading to infrastructure damage and potentially even loss of life. TRITON was purposefully built to target a specific brand of SIS—Triconex, manufactured by Schneider Electric. It poses as legitimate software that is normally used to analyze SIS data and event logs.

What can you do?

Download the report and take practical steps today to protect your organization from future malware attacks that follow the TRITON/TRISIS threat model:

  • Physical controls—SIS controllers, like all other critical hardware components, should be kept in locked spaces, monitored and accessible only to authorized personnel.
  • Logical access control—Only authorized and properly controlled USB sticks, writable media, and programming laptops should be used for system access. Portable media should be verified each time before being allowed to connect to SIS.
  • Network segmentation—SIS components should reside in an isolated network.
  • Configuration and change management—Industrial Control System (ICS) governance roles, processes, and tools should be in place to facilitate the correct and authorized deployment, maintenance and verification of SIS equipment and its configuration.
  • Security monitoring and scanning—Deploy network security monitoring technology, along with ICS vendor certified scanning technology, where possible.


Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks

Joshua Ray

Managing Director – Accenture Security
