
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever

Conference:  BlackHat USA 2018

2018-08-08

Summary

The presentation discusses the Triton malware and its potential impact on industrial control systems. It highlights how readily foreign actors can build such attacks and the importance of protecting against cyber-physical attacks.
  • Industrial control systems are specialized computing systems used to monitor and control physical processes in industries such as power generation and manufacturing.
  • Triton is a multi-stage malware that checks for vulnerable firmware versions and escalates privileges in order to write a backdoor into controller memory.
  • The malware corrupts memory and redirects pointers so that the backdoor executes; the backdoor then becomes part of the firmware and reacts to specific function calls.
  • The presentation includes a demonstration of Triton in action, using a compressor connected to a balloon to illustrate the potential impact of cyber-physical attacks.
  • The presentation emphasizes the importance of protecting against cyber-physical attacks and how readily foreign actors can build them.

Abstract

In 2017, a sophisticated threat actor deployed the TRITON attack framework, engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into the TRITON attack framework, which became an unprecedented milestone in the history of cyber-warfare: it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives. While the attack was discovered before its ultimate goal, disruption of the physical process, was achieved, TRITON is a wake-up call regarding the need to urgently improve ICS cybersecurity. This analysis and presentation will cover:
  • How the threat actors could have obtained the targeted equipment, firmware and documentation, based on our own experience
  • The level of resources (time, money, expertise) required to develop a sophisticated embedded implant like TRITON
  • The advanced methods used by the malware for a multi-stage injection of the backdoor into the controller of the Schneider Electric Triconex safety shutdown system, derived from both static and dynamic analysis of the code
  • A demo of how the TRITON malware executes on a running Triconex controller
  • Why the attacker possibly failed to inject the payload
We will conclude with an appeal to vendors about the urgent need for equipment auditing and forensic tools. These tools must be developed before TRITON-like attacks become mass-scale, and the time to start working on them is now; hacking is a fashion industry, and as soon as a new exploitation technique becomes available, everybody jumps on the bandwagon. This session will thus provide comprehensive insights into how one of the most sophisticated attacks on an ICS system to date was developed and how it could be detected during and after exploitation. This is important information for anyone seeking to secure critical infrastructure.
