Get unparalleled cyber security training from real-world practitioners in Miami. Save $300 today!

Webcasts

To attend this webcast, login to your SANS Account or create your Account.

Anatomy of the TRITON ICS Cyberattack

  • Friday, March 30th, 2018 at 1:00 PM EDT (17:00:00 UTC)
  • Justin Searle and Phil Neray
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.

Sponsor

  • CyberX

You can now attend the webcast using your mobile device!

Overview

Industrial IoT (IIoT) - What are the biggest threats and how are you dealing with them? Take the SANS Industrial IoT Survey and enter to win a $400 Amazon gift card.

An industry game-changer, the TRITON ICS cyberattack exhibited an entirely new level of Stuxnet-like sophistication. In particular, the attackers exploited a zero-day in the PLC firmware in order to inject a Remote Access Trojan (RAT) with escalated privileges into the controller itself.

Moreover, the attackers cleverly inserted the backdoor into the controller's firmware memory region without interrupting its normal operation and without being detected.

TRITON exposed yet another breed of ICS systems that attackers can now target to compromise industrial operations, the physical safety control systems or Safety Instrumented Systems (SIS) that provide automatic emergency shutdown of plant processes, such as an oil refinery process that exceeds safe temperatures or pressures.

The likely intent of such an approach would be to disable the safety system in order to lay the groundwork for a 2nd cyberattack that would cause catastrophic damage to the facility itself, potentially causing large-scale environmental damage and loss of human life.

Although TRITON was a targeted attack specifically designed to compromise a particular model and firmware revision level of SIS devices manufactured by Schneider Electric, the tradecraft exhibited by the attackers is now available to other adversaries who can quickly learn from it to design similar malware attacking a broader range of environments and controller types.

In this educational SANS webinar led by Justin Searle, Director of ICS Security at InGuardians and a senior SANS instructor since 2011, and Phil Neray, VP of Industrial Cybersecurity at CyberX, the ICS security company founded by military cyber experts with nation-state expertise defending critical infrastructure, you'll learn about:

·       The technical architecture of the TRITON malware

·       Threat models showing how the attackers could have compromised the engineering workstation

·       How to implement a multi-layered active defense to defend against similar attacks in the future

Speaker Bios

Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences. Mr. Searle is currently a Senior instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top international security conferences such as Black Hat, DEFCON, OWASP, Nullcon, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework (SamuraiWTF), the Samurai Security Testing Framework for Utilities (SamuraiSTFU), Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).


Phil Neray

Phil is the VP of Industrial Cybersecurity for CyberX, whose notable customers include 2 of the top 5 US energy providers; a top 5 US chemical company; a top 5 global pharmaceutical company; and national electric and gas utilities across Europe and Asia-Pacific. Prior to CyberX, Phil held executive roles at IBM Security/Q1 Labs, Symantec, Veracode, and Guardium. Phil began his career as a Schlumberger engineer on oil rigs in South America and as an engineer with Hydro-Quebec. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a 1st Degree Black Belt in American Jiu Jitsu.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.