TRITON / TRISIS
What is TRITON / TRISIS?
Malware discovered in 2017 that targeted Schneider Triconex Safety Instrumented Systems at a Saudi petrochemical plant, attributed to a Russia-linked actor.
TRITON (also called TRISIS or HatMan) is the first publicly disclosed malware built to attack a Safety Instrumented System (SIS). It was discovered in 2017 on engineering workstations at a Saudi Arabian petrochemical plant, where it communicated with Schneider Electric Triconex SIS controllers over the proprietary TriStation protocol. The attackers uploaded a custom payload ("inject.bin") to the SIS firmware, attempting either to reprogram the safety logic or to trigger an unsafe state; a mismatch in the uploaded logic caused the controllers to fail safe and shut the plant down, which exposed the campaign. U.S. authorities have publicly attributed TRITON to the Russian state research institute TsNIIKhM. The incident pushed the industry to enforce strict separation between the SIS and the basic process control system (BPCS) and to deploy SIS-aware intrusion detection.
● Examples
- 01. Uploading a malicious payload over the TriStation protocol to Triconex MP3008 controllers.
- 02. Attempting to reprogram SIS logic so that an unsafe condition would no longer trip the plant.
● Frequently asked questions
What is TRITON / TRISIS?
Malware discovered in 2017 that targeted Schneider Triconex Safety Instrumented Systems at a Saudi petrochemical plant, attributed to a Russia-linked actor. It belongs to the OT / ICS / IoT category of cybersecurity.
How do you defend against TRITON / TRISIS?
Defences for TRITON / TRISIS combine technical controls and operational practices; the definition above names the two the incident drove across the industry: strict separation between the SIS and the BPCS, and SIS-aware intrusion detection.
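As an added illustration of what "SIS-aware intrusion detection" can mean in practice (example code written for this entry, not tooling from the page, from Schneider Electric or from any vendor), the Python check below runs over constructed flow records and flags two things: TriStation traffic toward the SIS zone from any host other than the approved engineering workstation, and any non-TriStation traffic crossing the SIS/BPCS boundary. TriStation's use of UDP port 1502 is a documented protocol fact; the subnets, host addresses and log format are constructed for the example.

```python
import ipaddress
import re
# Constructed values, not from the page: subnets, hosts and log format are made up.
TRISTATION_PORT = 1502                                # TriStation runs over UDP 1502
SIS_NET = ipaddress.ip_network("10.10.30.0/24")       # Triconex controller zone (constructed)
APPROVED_EWS = {ipaddress.ip_address("10.10.20.5")}   # sanctioned SIS engineering workstation
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def parse_flow(line):
    """Parse one constructed flow-log line into (src, dst, proto, dport); None if malformed."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)

def check_flow(src, dst, proto, dport):
    """Return the policy violations for one flow; only traffic entering the SIS zone is policed."""
    reasons = []
    if dst not in SIS_NET:
        return reasons
    is_tristation = proto == "udp" and dport == TRISTATION_PORT
    if is_tristation and src not in APPROVED_EWS:
        # The TRITON path: engineering traffic to the controllers from the wrong host
        reasons.append("TriStation from unapproved host")
    if not is_tristation and src not in SIS_NET:
        # Anything else crossing into the SIS zone breaks SIS-BPCS separation
        reasons.append("non-TriStation traffic crossing the SIS/BPCS boundary")
    return reasons

def scan(log_lines):
    """Run check_flow over each line and return [(line, reasons)] for violating flows."""
    alerts = []
    for line in log_lines:
        parsed = parse_flow(line)
        if parsed and (reasons := check_flow(*parsed)):
            alerts.append((line.strip(), reasons))
    return alerts

SAMPLE_LOG = [  # constructed flow records, not real capture data
    "src=10.10.20.5 dst=10.10.30.10 proto=udp dport=1502",   # sanctioned EWS programming a controller
    "src=10.10.30.10 dst=10.10.20.5 proto=udp dport=1502",   # controller reply to the EWS; leaves the zone
    "src=10.10.20.77 dst=10.10.30.10 proto=udp dport=1502",  # TriStation from an unexpected workstation
    "src=10.10.40.12 dst=10.10.30.11 proto=tcp dport=445",   # BPCS host pushing SMB into the SIS zone
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {line}: {'; '.join(reasons)}")
```

A real deployment would pair this with controller-side signals (key switch in PROGRAM mode, program download events), but even the flow-level allowlist above would have surfaced the traffic pattern the entry describes.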
What are other names for TRITON / TRISIS?
Common alternative names include: TRITON, TRISIS, HatMan.
● Related terms
- Safety Instrumented System (SIS) [ot-iot № 957]: An independent control system that brings a process to a safe state when monitored variables exceed defined limits, protecting people, environment, and assets.
- Industrial Control System (ICS) [ot-iot № 529]: An umbrella term for systems that automate and supervise industrial processes, including SCADA, DCS, PLCs, RTUs, and safety controllers.
- Stuxnet [ot-iot № 1111]: A highly sophisticated 2010 worm that sabotaged Iran's uranium-enrichment centrifuges by reprogramming Siemens PLCs, widely attributed to the United States and Israel.
- Industroyer / CrashOverride [ot-iot № 530]: Modular ICS malware used in the 2016 Ukraine power-grid attack and updated as Industroyer2 in 2022, capable of speaking native grid protocols to trip substations.
- Operational Technology (OT) [ot-iot № 762]: Hardware and software that monitor and control physical processes, devices, and infrastructure such as factories, power plants, and utilities.
- IEC 62443 [ot-iot № 513]: The IEC family of standards for the cybersecurity of industrial automation and control systems, addressing asset owners, integrators, and product suppliers.