Triton/TRISIS: Malware Designed to Kill People by Disabling Safety Systems
Triton was the first publicly known malware built specifically to tamper with Safety Instrumented Systems, the independent safety layer in a plant that shuts a process down before it can explode or release toxic chemicals. At a Saudi petrochemical plant in 2017 it reprogrammed the safety controllers; the controllers tripped and shut the plant down before the attacker could use the weakened safety layer to engineer a physical accident.
Background
Safety Instrumented Systems (SIS) are independent safety layers in industrial facilities that automatically bring a process to a safe state when dangerous conditions are detected, preventing explosions, fires and toxic releases. They are deliberately kept separate from the basic process control system that runs the plant day to day, so that a fault in the control system cannot take the safety layer down with it. In 2017 an attacker targeted the Triconex SIS controllers, made by Schneider Electric, at a petrochemical plant in Saudi Arabia (the responders did not name the victim publicly).
The Attack
The attackers, later attributed to Russia's Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM, also written CNIIHM), gained remote access to the plant's SIS engineering workstation and deployed the Triton framework from it. Triton implemented the proprietary TriStation engineering protocol (UDP port 1502) that the workstation uses to talk to Triconex controllers, and used it to write an implant into controller memory that would let the attacker read and modify the safety logic later. Reprogramming over the network was possible because the physical key switch on the controllers had been left in PROGRAM mode rather than RUN. In August 2017 the affected controllers failed a validation check between their redundant processor modules, entered a failed-safe state and tripped the plant; that unintended shutdown is what triggered the investigation. Forensic analysis showed the attackers were working towards an SIS that would not respond to dangerous process conditions, which, combined with a deliberate disturbance of the process from the control network, could have produced a catastrophic accident. The SIS failed safe by accident, not because the intrusion had been detected, and that is what prevented the intended outcome.
Response
The plant owner brought in FireEye (Mandiant) for the forensic investigation; Dragos analysed the same malware independently. FireEye published its analysis, naming the malware TRITON, on 14 December 2017, and Dragos published the same week under the name TRISIS. In October 2018 FireEye attributed the activity to TsNIIKhM. The US Treasury sanctioned the institute in October 2020 for its role, and in March 2022 the US Department of Justice unsealed an indictment of one of its employees over the intrusion. Schneider Electric published security advisories, confirmed that the malware exploited a flaw in older Tricon firmware, and issued firmware updates and guidance, chief among it keeping the key switch in RUN. The ICS security community treated the attack as a watershed moment: the first known malware to target the safety layer itself rather than the process controls.
Outcome
The attack came very close to leaving the plant with a compromised safety layer protecting workers and the surrounding population. It was uncovered only because the controllers failed safe during the attack, a trip that is exactly what a SIS is designed to do on an unexpected condition and which the attacker did not intend. Had the implant gone in cleanly, the attacker could have returned with the safety system neutralised and then engineered a process incident from the control network.
Key Takeaways
- Safety Instrumented Systems must be strictly segmented from the process control and business networks, with the engineering workstation hardened, engineering protocols such as TriStation reachable only from that workstation, and the controller key switch kept in RUN outside approved change windows
- ICS/OT networks require dedicated security monitoring that understands industrial protocols; IT security tools alone do not see engineering traffic to a safety controller
- Nation-state actors are developing malware specifically intended to enable physical harm to workers and civilian populations, not to steal data
- Industrial safety systems are life-safety devices, not compliance checkboxes
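The monitoring takeaway above, and the TriStation access path described under The Attack, as an added detection example. This is not code from the page, from FireEye, Dragos or Schneider Electric; it assumes Zeek-style conn.log records, that TriStation engineering traffic is visible as UDP/1502 as it was in the Triton case, and it uses hypothetical controller and workstation addresses, a hypothetical allowlist and a hypothetical change window. The sample log lines are constructed.

```python
"""Flag TriStation (UDP/1502) traffic to Triconex SIS controllers that
should not be happening. Added example, not the original page's code.
Assumes Zeek-style conn.log records; addresses, allowlist and change
window are hypothetical."""
from dataclasses import dataclass

TRISTATION_PORT = 1502  # TriStation engineering protocol, UDP/1502

# Constructed sample records (not from any real incident). Tab-separated
# fields: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1502928000.1\t10.10.20.5\t50231\t10.10.30.11\t1502\tudp
1502928005.4\t10.10.20.5\t50232\t10.10.30.12\t1502\tudp
1502931610.0\t10.10.20.9\t44122\t10.10.30.11\t1502\tudp
1502931622.7\t10.10.20.9\t44123\t10.10.30.12\t1502\tudp
1502931700.2\t10.10.20.9\t44124\t10.10.30.11\t502\ttcp
1502932000.0\t10.10.20.5\t50233\t10.10.30.11\t1502\tudp
"""

# Hypothetical asset inventory: the safety controllers and the single
# engineering workstation (EWS) allowed to speak TriStation to them.
SIS_CONTROLLERS = {"10.10.30.11", "10.10.30.12"}
ALLOWED_EWS = {"10.10.20.5"}
# Hypothetical approved change window, epoch seconds, [start, end).
CHANGE_WINDOW = (1502928000.0, 1502931600.0)


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_conn_log(text):
    """Parse the six-column conn.log subset used above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport), proto))
    return flows


def is_tristation(flow):
    """TriStation is carried over UDP to port 1502 on the controller."""
    return flow.proto == "udp" and flow.dport == TRISTATION_PORT


def flag_tristation_flows(flows, sis_controllers, allowed_ews, change_window):
    """Return alerts for engineering traffic to safety controllers.

    Rule 1 (high): a host other than the authorised EWS talking TriStation
    to a safety controller. In the Triton case the attacker operated from
    the EWS itself, so rule 1 alone would not have fired.
    Rule 2 (medium): TriStation traffic from the authorised EWS outside an
    approved change window. With the key switch in RUN and no change
    scheduled, there should be no engineering traffic at all.
    """
    alerts = []
    start, end = change_window
    for f in flows:
        if f.dst not in sis_controllers or not is_tristation(f):
            continue
        if f.src not in allowed_ews:
            alerts.append({"rule": "unauthorized_source", "severity": "high",
                           "ts": f.ts, "src": f.src, "dst": f.dst})
        elif not (start <= f.ts < end):
            alerts.append({"rule": "outside_change_window", "severity": "medium",
                           "ts": f.ts, "src": f.src, "dst": f.dst})
    return alerts


def run_sample():
    """Run the detection over the constructed log and return the alerts."""
    return flag_tristation_flows(parse_conn_log(SAMPLE_CONN_LOG),
                                 SIS_CONTROLLERS, ALLOWED_EWS, CHANGE_WINDOW)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the two flows from the unlisted host 10.10.20.9 raise high-severity alerts, the Modbus/TCP flow on port 502 is ignored because it is not TriStation, and the last flow from the authorised workstation fires the medium rule because it falls after the change window. Rule 2 is the one that matters for a Triton-style intrusion, where the attacker already owns the engineering workstation; it only works if change windows are actually recorded and the controllers really are left in RUN the rest of the time.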