TRITON / TRISIS
What is TRITON / TRISIS?
Malware discovered in 2017 that targeted Schneider Triconex Safety Instrumented Systems at a Saudi petrochemical plant, attributed to a Russia-linked actor.
TRITON (also called TRISIS or HatMan) is the first publicly disclosed malware designed to attack a Safety Instrumented System. In 2017 it was discovered on engineering workstations at a Saudi Arabian petrochemical plant, where it interacted with Schneider Electric Triconex SIS controllers using the proprietary TriStation protocol. The attackers uploaded a custom payload ("inject.bin") to the SIS firmware in an attempt to either reprogram the safety logic or trigger an unsafe state; a logic mismatch caused the controllers to fault-stop the plant, exposing the campaign. U.S. authorities have publicly attributed TRITON to the Russian state research institute TsNIIKhM. The incident pushed the industry to enforce strict SIS-BPCS separation and to deploy SIS-aware intrusion detection.
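The SIS-aware monitoring the paragraph ends on can be illustrated with a small flow checker. This is an added example, not code from the original page or from any vendor: it flags TriStation traffic to SIS controllers from hosts other than the sanctioned engineering workstations, and any traffic reaching the SIS from the BPCS segment. The addresses are constructed, and the TriStation port (UDP 1502) is an assumption not stated on this page.

```python
# Added example: a minimal SIS-aware network monitor for TriStation traffic.
# Constructed flow records stand in for NetFlow/Zeek output. TriStation's use
# of UDP port 1502 is not stated on this page, so it is parameterised here.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRISTATION_PORT = 1502  # assumed TriStation UDP port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str

# Constructed topology (hypothetical addresses): SIS controllers, the one
# sanctioned engineering workstation, and the BPCS segment that must never
# talk to the SIS directly.
SIS_CONTROLLERS = {"10.10.30.11", "10.10.30.12"}
ALLOWED_EWS = {"10.10.30.100"}
BPCS_NET = ip_network("10.10.20.0/24")

def check_flow(flow):
    """Return a list of alert strings for one flow (empty if benign)."""
    alerts = []
    is_tristation = flow.proto == "udp" and flow.dst_port == TRISTATION_PORT
    to_sis = flow.dst in SIS_CONTROLLERS
    if to_sis and ip_address(flow.src) in BPCS_NET:
        alerts.append(f"SIS-BPCS separation violated: {flow.src} -> {flow.dst}")
    if is_tristation and to_sis and flow.src not in ALLOWED_EWS:
        alerts.append(f"TriStation from unapproved host: {flow.src} -> {flow.dst}")
    return alerts

def scan(flows):
    """Run check_flow over every record and collect all alerts."""
    return [alert for f in flows for alert in check_flow(f)]

SAMPLE_FLOWS = [  # constructed records
    Flow("10.10.30.100", "10.10.30.11", 1502, "udp"),  # sanctioned EWS, benign
    Flow("10.10.30.100", "10.10.30.11", 1502, "tcp"),  # not TriStation, ignored
    Flow("10.10.30.105", "10.10.30.12", 1502, "udp"),  # rogue host on SIS LAN
    Flow("10.10.20.7", "10.10.30.11", 1502, "udp"),    # BPCS host -> SIS, two alerts
    Flow("10.10.20.7", "10.10.20.9", 502, "tcp"),      # BPCS-internal Modbus, ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```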
● Examples
- 01: Uploading a malicious payload through the TriStation protocol on Triconex MP3008 controllers.
- 02: Attempting to reprogram SIS logic so that an unsafe condition would no longer trip the plant.
● Frequently asked questions
What is TRITON / TRISIS?
Malware discovered in 2017 that targeted Schneider Triconex Safety Instrumented Systems at a Saudi petrochemical plant, attributed to a Russia-linked actor. It belongs to the OT / ICS / IoT category of cybersecurity.
How do you defend against TRITON / TRISIS?
Defences against TRITON / TRISIS combine technical controls and operational practices: strict separation of the SIS from the basic process control system (BPCS), restricted access to the engineering workstations that speak TriStation, and SIS-aware intrusion detection, as described in the full definition above.
What are other names for TRITON / TRISIS?
Common alternative names include: TRITON, TRISIS, HatMan.