Cyber Skills Training at SANS Miami 2019. Choose from Eight Courses and Save $350 thru 11/28.


To attend this webcast, login to your SANS Account or create your Account.

Anatomy of the TRITON ICS Cyberattack

  • Friday, March 30th, 2018 at 1:00 PM EDT (17:00:00 UTC)
  • Justin Searle and Phil Neray


  • CyberX

You can now attend the webcast using your mobile device!


An industry game-changer, the TRITON ICS cyberattack exhibited an entirely new level of Stuxnet-like sophistication. In particular, the attackers exploited a zero-day in the PLC firmware in order to inject a Remote Access Trojan (RAT) with escalated privileges into the controller itself.

Moreover, the attackers cleverly inserted the backdoor into the controller's firmware memory region without interrupting its normal operation and without being detected.

TRITON exposed yet another breed of ICS systems that attackers can now target to compromise industrial operations, the physical safety control systems or Safety Instrumented Systems (SIS) that provide automatic emergency shutdown of plant processes, such as an oil refinery process that exceeds safe temperatures or pressures.

The likely intent of such an approach would be to disable the safety system in order to lay the groundwork for a 2nd cyberattack that would cause catastrophic damage to the facility itself, potentially causing large-scale environmental damage and loss of human life.

Although TRITON was a targeted attack specifically designed to compromise a particular model and firmware revision level of SIS devices manufactured by Schneider Electric, the tradecraft exhibited by the attackers is now available to other adversaries who can quickly learn from it to design similar malware attacking a broader range of environments and controller types.

In this educational SANS webinar led by Justin Searle, Director of ICS Security at InGuardians and a senior SANS instructor since 2011, and Phil Neray, VP of Industrial Cybersecurity at CyberX, the ICS security company founded by military cyber experts with nation-state expertise defending critical infrastructure, you'll learn about:

·       The technical architecture of the TRITON malware

·       Threat models showing how the attackers could have compromised the engineering workstation

·       How to implement a multi-layered active defense to defend against similar attacks in the future

Speaker Bios

Justin Searle

Mr. Searle is Director of Industrial Control Systems (ICS) Security at InGuardians, an independent information security consulting company providing high-value services including penetration testing, security assessments, threat hunting, and incident response. He is also a Senior Instructor for the SANS Institute, having taught core ICS security courses including  “ICS/SCADA Security Essentials” and “Assessing and Exploiting Control Systems.” Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR).

Phil Neray

Phil is the VP of Industrial Cybersecurity for CyberX. Prior to CyberX, Phil held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Symantec, Veracode, and Guardium. Phil began his career as a Schlumberger engineer on oil rigs in South America and as an engineer with Hydro-Quebec. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a 1st Degree Black Belt in American Jiu Jitsu.


About CyberX

Founded in 2013 by military cyber-experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed platform for continuously reducing ICS and IIoT risk. CyberX is a member of the Palo Alto Networks Application Framework developer community and the IBM Security App Exchange Community, and has integrated with CyberArk for secure remote access. CyberX has also partnered with premier solution providers worldwide including Optiv Security and Deutsche-Telekom/T-Systems.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.