Anatomy of the TRITON ICS Cyberattack

  • Webcast Aired Friday, 30 Mar 2018 1:00PM EDT (30 Mar 2018 17:00 UTC)
  • Speakers: Justin Searle, Phil Neray

Industrial IoT (IIoT) - What are the biggest threats and how are you dealing with them? Take the SANS Industrial IoT Survey and enter to win a $400 Amazon gift card.

An industry game-changer, the TRITON ICS cyberattack exhibited an entirely new level of Stuxnet-like sophistication. In particular, the attackers exploited a zero-day in the PLC firmware in order to inject a Remote Access Trojan (RAT) with escalated privileges into the controller itself.

Moreover, the attackers cleverly inserted the backdoor into the controller's firmware memory region without interrupting its normal operation ' and without being detected.

TRITON exposed yet another breed of ICS systems that attackers can now target to compromise industrial operations, the physical safety control systems ' or Safety Instrumented Systems (SIS) ' that provide automatic emergency shutdown of plant processes, such as an oil refinery process that exceeds safe temperatures or pressures.

The likely intent of such an approach would be to disable the safety system in order to lay the groundwork for a 2nd cyberattack that would cause catastrophic damage to the facility itself, potentially causing large-scale environmental damage and loss of human life.

Although TRITON was a targeted attack specifically designed to compromise a particular model and firmware revision level of SIS devices manufactured by Schneider Electric, the tradecraft exhibited by the attackers is now available to other adversaries ' who can quickly learn from it to design similar malware attacking a broader range of environments and controller types.

In this educational SANS webinar led by Justin Searle, Director of ICS Security at InGuardians and a senior SANS instructor since 2011, and Phil Neray, VP of Industrial Cybersecurity at CyberX, the ICS security company founded by military cyber experts with nation-state expertise defending critical infrastructure, you'll learn about:

- - The technical architecture of the TRITON malware

- - Threat models showing how the attackers could have compromised the engineering workstation

- - How to implement a multi-layered active defense to defend against similar attacks in the future