Choose from Seven Cyber Security Courses at SANS Atlanta 2018. Save $200 thru 4/25.

Webcasts

To attend this webcast, login to your SANS Account or create your Account.

Anatomy of the TRITON ICS Cyberattack

  • Friday, March 30th, 2018 at 1:00 PM EDT (17:00:00 UTC)
  • Justin Searle and Phil Neray
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.

Sponsor

  • CyberX

You can now attend the webcast using your mobile device!

Overview

Industrial IoT (IIoT) - What are the biggest threats and how are you dealing with them? Take the SANS Industrial IoT Survey and enter to win a $400 Amazon gift card.

An industry game-changer, the TRITON ICS cyberattack exhibited an entirely new level of Stuxnet-like sophistication. In particular, the attackers exploited a zero-day in the PLC firmware in order to inject a Remote Access Trojan (RAT) with escalated privileges into the controller itself.

Moreover, the attackers cleverly inserted the backdoor into the controller's firmware memory region without interrupting its normal operation and without being detected.

TRITON exposed yet another breed of ICS systems that attackers can now target to compromise industrial operations, the physical safety control systems or Safety Instrumented Systems (SIS) that provide automatic emergency shutdown of plant processes, such as an oil refinery process that exceeds safe temperatures or pressures.

The likely intent of such an approach would be to disable the safety system in order to lay the groundwork for a 2nd cyberattack that would cause catastrophic damage to the facility itself, potentially causing large-scale environmental damage and loss of human life.

Although TRITON was a targeted attack specifically designed to compromise a particular model and firmware revision level of SIS devices manufactured by Schneider Electric, the tradecraft exhibited by the attackers is now available to other adversaries who can quickly learn from it to design similar malware attacking a broader range of environments and controller types.

In this educational SANS webinar led by Justin Searle, Director of ICS Security at InGuardians and a senior SANS instructor since 2011, and Phil Neray, VP of Industrial Cybersecurity at CyberX, the ICS security company founded by military cyber experts with nation-state expertise defending critical infrastructure, you'll learn about:

·       The technical architecture of the TRITON malware

·       Threat models showing how the attackers could have compromised the engineering workstation

·       How to implement a multi-layered active defense to defend against similar attacks in the future

Speaker Bios

Justin Searle

Mr. Searle is Director of Industrial Control Systems (ICS) Security at InGuardians, an independent information security consulting company providing high-value services including penetration testing, security assessments, threat hunting, and incident response. He is also a Senior Instructor for the SANS Institute, having taught core ICS security courses including  “ICS/SCADA Security Essentials” and “Assessing and Exploiting Control Systems.” Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR).


Phil Neray

Phil is VP of Industrial Cybersecurity for CyberX, a Boston-based OT cybersecurity company founded in 2013 by military cyber experts with nation-state experience defending critical national infrastructure. Prior to CyberX, Phil held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Guardium, Veracode, and Symantec. Phil began his career as a Schlumberger engineer on oil rigs in South America and as an engineer with Hydro-Quebec. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a 1st Degree Black Belt in American Jiu Jitsu.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.