Through the Eyes of the Attacker: Designing Embedded Systems Exploits for Industrial Control Systems

Conference: Defcon 26

The presentation discusses how easily industrial control systems can be exploited and implanted, and the potential for copycat attacks.
  • Obtaining documentation and engineering software is relatively easy
  • Exploit development is easy because the devices lack exploit mitigations
  • Implant development is relatively easy
  • Copycat attacks are expected to increase
  • Attack timing and coordination are crucial
  • Reliability of the exploit and implant is important
  • Exploiting the device requires obtaining the necessary material as well as the device itself
The presenters were able to obtain the necessary documentation for the Triconex system from the US Nuclear Regulatory Commission website. They also found the TriStation software for only three US dollars on a Chinese website. This illustrates how easy it can be to obtain the materials needed for exploiting and implanting industrial control systems.


In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting a petrochemical plant in Saudi Arabia. TRITON was designed to compromise the Schneider Electric Triconex line of Safety Instrumented Systems (SIS), potentially in order to cause physical damage. TRITON is the most complex publicly known ICS attack framework to date and the first publicly known one to target safety controllers. While the functionality of the malware is understood, little is known about the complexity of developing such an implant. The goal of this talk is to provide the audience with a “through the eyes of the attacker” experience in designing advanced embedded systems exploits & implants for Industrial Control Systems (ICS). Attendees will learn about the background of the TRITON incident, the process of reverse-engineering and exploiting ICS devices and developing implants and OT payloads as part of a cyber-physical attack, and will be provided with details on real-world ICS vulnerabilities and implant strategies.

In the first part of the talk we will provide an introduction to ICS attacks in general and the TRITON incident in particular. We will outline the danger of TRITON being repurposed by copycats and estimate the complexity and development cost of such offensive ICS capabilities.

In the second and third parts of the talk we will discuss the process of exploiting ICS devices to achieve code execution and developing ICS implants and OT payloads. We will discuss real-world ICS vulnerabilities and present several implant scenarios such as arbitrary code execution backdoors (as used in TRITON), pin configuration attacks, protocol handler hooking to spoof monitored signal values, suppressing interrupts & alarm functionality, preventing implant removal and control logic restoration, and achieving cross-boot persistence. We will discuss several possible OT payload scenarios and how these could be implemented on ICS devices such as the Triconex safety controllers.

In the final part of the talk we'll wrap up our assessment of the complexity & cost of developing offensive ICS capabilities such as the TRITON attack and offer recommendations to defenders and ICS vendors.