TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever (Black Hat Conference 2018)

In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives. While the attack was discovered before its ultimate goal was achieved, that is, disruption of the physical process, TRITON is a wakeup call regarding the need to urgently improve ICS cybersecurity.

This analysis and presentation will cover:

- How the threat actors could have obtained the targeted equipment, firmware and documentation, based on our own experience,

- The level of resources (time, money, expertise) required to develop a sophisticated embedded implant like TRITON,

- The advanced methods used by the malware for a multi-stage injection of the backdoor into the controller of the Schneider Electric Triconex safety shutdown system, derived from both static and dynamic analysis of the code,

- A demo of how the TRITON malware executes on a running Triconex controller,

- Why did the attacker possibly failed to inject payload.

We will conclude with an appeal to vendors about the urgent need for equipment auditing and forensic tools. These tools must be developed before TRITON-like attacks become mass-scale and the time to start working on them is now; hacking is a fashion industry, as soon as a new exploitation technique becomes available, everybody jumps on the bandwagon.

This session will thus provide comprehensive insights into how one of the most sophisticated attacks on an ICS system to date was developed and how it could be detected during and post exploitation. This is important information for anyone seeking to secure critical infrastructure.


Andrea Carcano

Andrea Carcano is an expert in industrial network security, artificial intelligence and machine learning, and has published a number of academic papers on the subject. His passion for cybersecurity and solving the unique challenges around ICS became the focus of his PhD in Computer Science from the Università degli Studi dell'Insubria. Carcano worked on the European Commission Power Plant Security Program, was a Senior Security Engineer for global oil and gas supermajor Eni, and most recently (through his work at Nozomi Networks) developed software that detects intrusions to critical infrastructure control systems. In his current role at Nozomi Networks, Carcano is helping build a new generation of ICS Security products.

Marina Krotofil

Marina Krotofil is an experienced ICS/SCADA professional, who spent bigger chunk of the past decade on offensive Industrial Control Systems (ICS) security: discovering and weaponizing unique attack vectors, engineering damage scenarios and understanding attacker techniques when exploiting ICS. Marina offensive security skills serves her well during forensic investigations, ICS malware analysis and when engineering defenses. She previously worked as a Principal Analyst in Cyber-Physical group at FireEye (USA), Lead Cyber Security Researcher at Honeywell (USA) and as a Senior Security Consultant at the European Network for Cyber Security (Netherlands). Marina authored more than 20 academic and white papers on ICS security and is a frequent speaker at the leading security events around the world. She holds MBA in Technology Management, MSc in Telecommunication and MSc in Information and Communication Systems.

Younes Dragoni

Younes Dragoni is a member of Nozomi Networks research team where he is responsible for malware analysis and finding and analyzing vulnerabilities in automation devices (ICS/SCADA). Dragoni earned his Bachelor in Security of Systems and Computer Networks at the University of Milan. He is a member of the World Economic Forum's Global Shapers Community.

Detailed Presentation:

(Source: Black Hat USA 2018, Las Vegas)


Views: 84

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service