SANS Industrial Control Systems Security Blog

Triton/TriSIS - In Search of its Twin


Post provided by: Michael Assante, Director of Industrials and Infrastructure and SANS ICS & SCADA Lead at SANS Institute

The recent discovery of ICS-specific malware that targets Schneider Electric's Triconex Safety Instrumented Systems (SIS), with a demonstrated capability of modifying system logic/programming, should prompt us to ask, "What is missing here?" Is the malware known as either Triton or TRISIS really an isolated capability that focuses only on the safety system inside of a larger industrial process? Or is there a more nefarious 3D chess game in play here?

Triton/TRISIS uses a library of protocol calls to download instructions to the safety controller in order to exercise the attacker's own programming. Everyone is surprised that a threat actor would spend time developing a safety system attack capability. Safety products have historically been more isolated than the DCS at a plant/facility (this has been slowly changing as convergence initiatives have led to shared networks, workstations, and instruments).

Context matters: why target an SIS controller? There are two primary impacts that can be achieved, as shown in Figure 1 below: 1) triggering a safety shutdown by reducing thresholds, etc., and 2) denying the SIS the ability to shut down a process during dangerous conditions. If we consider normal architectures and the challenges associated with access, then you realize that the larger, more accessible, and more flexible DCS would be an easier target for accomplishing a process shutdown. In fact, a DCS offers far more attack options to accomplish a controlled shutdown of a process. This leads me to believe that the "power over the safety controller" was likely to be used to deny a safe shutdown vice simple process disruption.


Figure 1: Elementary Drawing of DCS / SIS showing relative positioning

An attacker can use the denial of a safety shutdown in a more random fashion, hiding until the process itself floats out of safe conditions based on operations or events, or the capability can wait for the attacker to use an enabling attack on the DCS. In our ICS Kill-Chain (see Figure 2 below) we categorize impacts/actions in three categories: a) Enabling, b) Initiating, c) Supporting. I believe Triton/TRISIS was designed to be a 'Supporting Attack', an amplifying attack module in a larger operation that would include a DCS-targeted enabling attack with supporting modules (e.g. spoofing, etc.).

Figure 2: The Industrial Control System Cyber Kill Chain

This leads me to ask, where is Triton/TRISIS' DCS-focused twin? It is possible that the targeted facility was merely a test and development environment for Triton/TRISIS or it was an environment to test additional malware to include the twin (did the facility look beyond the SIS?). I believe the ICS community should be on watch for a sister capability that takes control of a DCS to drive a process into unsafe conditions. The combination of Triton/TRISIS and Capability-X would allow an attacker to drive a process into a hazardous state and achieve effects that range from equipment damage to release of materials/chemicals used in the process. I don't believe that opportunity (found access to a Schneider Electric Triconex) is enough to invest the resources and time to develop a one-off capability for process disruption. Access to the Triconex at the facility would indicate to me that the attacker could develop greater access to the DCS and other systems. Let's go back to the ICS Kill-Chain model and now ask where is the one-two punch that may justify this investment?

Michael Assante, Director of Industrials and Infrastructure and SANS ICS & SCADA Lead at SANS Institute



Posted January 29, 2018 at 7:49 PM

Dale Peterson

"It is possible that the targeted facility was merely a test and development environment for Triton/TRISIS or it was an environment to test additional malware to include the twin (did the facility look beyond the SIS?)."
If so you have a reckless attacker. Who plays around and tests in a Safety System? If they make a mistake, people can die.
It also reinforces Ralph's contention in the S4x18 Closing Panel that perhaps this wasn't an elite nation state team.

Posted January 30, 2018 at 1:44 AM

Gary Seifert

Concur. This was not a trivial investment of resources. I am one holding the opinion we have not seen the complementary actions or attacks because it has simply not been the right time and place yet. They are likely out there and worth looking for. Good read Mike.

Posted January 30, 2018 at 2:52 PM

Michael Assante

I agree with you on the reckless nature of the attacker. Unfortunately, there are several actors that have demonstrated reckless behavior in the past. Safety systems are the last line of defense in preventing specific hazards. Actors striving for cyber-to-physical effects/sabotage will in most cases need to manipulate a safety or protection system. I would be careful with the term elite, as it is more a measure of their skill and ability to assign the right expertise, not a measure of their restraint. It is also true to suggest that reckless is in the eye of the beholder. Future military cyber units will have missions that include destroying or degrading systems, facilities, and infrastructures. The use of force, whether it is cyber or more traditional destructive forces, requires context to determine if the force applied was justified and legal under the conventions for military action. There are most likely a number of skilled cyber actors that are developing their arsenals to cross the cyber-to-physical divide. I am also afraid that some of these actors don't have an eye for conventions. Triton/TRISIS is an example of developing a cyber-to-physical capability, but it must be paired with actions deeper in a control system. One without the other represents a smaller risk (but to your point, messing with a safety system requires the actors to be willing to accept an industrial accident).

Posted February 1, 2018 at 3:44 PM

Tim Roxey

I agree with the conjecture Mike presents that the DCS piece is missing. However, as we have said for many years now, getting a specific result in ICS attacks is hard. The ICS Kill Chain is a discussion around the steps necessary to ensure the adversary's efforts lead to truly predictable outcomes. It also informs the defender of things to be aware of so the adversary can be tripped up. How simple (Maybe??) is it to just flip SCADA points without absolute knowledge of the effects, just knowing effects there will be.
We were confident in those wonderful days of olde that the safeties (be that SIS or relay protection) would catch anything really (really) bad from happening. How different is our shirt sleeve assessment if we can no longer trust the safeties to be there for us. Weaponization can be a crude bomb or a sniper round of great precision.

Posted February 8, 2018 at 3:54 PM

Scott Shondell

Is Schneider Electric's Triconex SIS used more heavily in certain industries or processes? Or possibly seen more prevalently in specific geographic areas or countries? I have to believe that the attacker chose Triconex for some purpose relating to the intended target. If this can be identified then possibly those industries can be on a higher alert for the proposed twin malware.