Abstract image of a woman sitting on books and studying on a laptop

TRISIS in Perspective

Download as PPTX, PDF
Dragos, Inc., profile picture
Dragos, Inc.

The document discusses the Trisis malware attack on a safety system at a gas facility in Saudi Arabia in 2017, highlighting its impact and the ongoing threat from the Xenotime group which has expanded its targeting. It offers defensive recommendations for industrial control systems (ICS), emphasizing the importance of monitoring, isolation, and robust network defenses against cyber threats. Additionally, it stresses the need for effective incident response capabilities, including forensic analysis and system recovery planning.

Technology
1 of 16
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
TRISIS in Perspective Implications of Safety System Attacks for ICS Defenders
Place Your Header Here in Arial 22pt Place Subtitle Here Agenda • TRISIS Event • TRISIS Malware • XENOTIME Activity Group • Defensive Recommendations
TRISIS Event Unspecified gas facility in Saudi Arabia attacked in August 2017. Infection resulted in system shutdown during the intrusion. Not assessed as a shutdown due to an attack (accidental). Attack focused on Schneider Electric Triconex Safety System (SIS).
TRISIS Attack Progression Establish Access on SIS- Connecting System Transfer TRISIS Package to System Use TRISIS Base EXE to Upload Tristation Program Tristation Program Compromises SIS Leverage Access for ICS Disruption via SIS
Establish Access on SIS- Connecting System Transfer TRISIS Package to System Use TRISIS Base EXE to Upload Tristation Program Tristation Program Compromises SIS Leverage Access for ICS Disruption via SIS TRISIS Attack - Observed Something breaks here! (maybe)
TRISIS Malware exploits and installs rootkit on SIS Engineering Workstation LIBRARY.ZIP + TRILOG.EXE SIS INJECT.BIN IMAIN.BIN
TRISIS Activity Group: XENOTIME Deliberate targeting of SIS accepts risk of physical damage and potential loss of life. New ‘norm’ established in ICS targeting and operations. Post-TRISIS, we have observed that XENOTIME has expanded its targeting to North America and other safety systems. XENOTIME isn’t simply a problem for Schneider Triconex customers.
ICS Cyber Kill Chain – Focus on Stage 2
SIS Connectivity – Isolation isn’t always possible Increasing connectivity requirements results in SIS connectivity to general network. Yokogawa ProSafe-RS recommends that SIS connected to rest of network. Honeywell Safety Manager docs provide similar guidance.
Border Defense – Stopping Stage 2 • Look for Credential Theft and Re-Use. • Remote logon activity should route through a hardened jump host for better monitoring. • If not possible, implement host-based logging visibility on border hosts from IT to ICS along with network monitoring host to host. • File Monitoring • Unknown ICS malware will often evade AV (known limitation). • AV effective for supplementary tools like Mimikatz. • Open source: Bro + Yara for files of interest crossing border. • Command and Control Detection – outbound activity from ICS
ICS Network Defense – Choke Points and Pivoting • Following initial access, attacker must pivot through network to reach host of interest. • Architectural decisions can limit adversary freedom of movement. • Treat choke points like IT-ICS boundary. • Most effective: physical/virtual LAN segmentation. Install taps for better visibility.
SIS Monitoring and Defense • Assumption: adversary has breached network and has access to SIS. • Harden SIS-Connected hosts, such as EWS, to the greatest extent possible. • Patching • Limit local and admin accounts as well as remote access. • Logging (Sysmon, Windows event log) • Treat SIS-connected hosts as a choke point. • Physical Defense: Isolate as much as possible. Use keyswitch-like controls. • Monitor Traffic Flow to SIS. • Organizational awareness of known maintenance periods
SIS Response and Recovery – Plan Ahead • Forensics and Root Cause Analysis • TRISIS victim was able to determine a cyber event was involved in plant shutdown. This is often overlooked. • Assess capability to obtain forensics artifacts from the SIS. e.g. Control Program Audits • Ensure robust forensic capability on SIS-connected devices, to enable determination of cyber involvement. • System Restoration and Recovery • Known Good configuration secure backups (firmware if possible) • Develop response plan. Engage Vendor contacts early.
Start Now with SIS Defense XENOTIME is still learning. The playing field is level, so we have time for designing defense. Questions?
Sources and References • Yokogawa SIS Prosafe-RS Documenation https://tinyurl.com/ybtkwxfw • Honeywell Safety Manager Specifications and Technical Data https://tinyurl.com/yde2tgwy • The Bro Network Security Monitor https://www.bro.org/ • Yara: The Pattern Matching Swiss Knife for Malware Researchers https://virustotal.github.io/yara/ • Sysmon – Microsoft https://tinyurl.com/y9bcgolz
Sources and References • Windows Security Event ID 4624 https://tinyurl.com/zaklujy • TRISIS – Initial Release https://dragos.com/blog/trisis/ • TRISIS and Xenotime webinars: Analyzing TRISIS – Reid Wightman & Jimmy Wylie XENOTIME and SIS – Joe Slowik https://dragos.com/webinars.html

More Related Content

PDF
Trisis in Perspective: Implications for ICS Defenders
Dragos, Inc.
 
PDF
How to Respond to Industrial Intrusions
Dragos, Inc.
 
PDF
Behavior-Based Defense in ICS
Dragos, Inc.
 
PPTX
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Dragos, Inc.
 
PPTX
How to Increase ICS Cybersecurity Return on Investment (ROI)
Dragos, Inc.
 
PPTX
The Four Types of Threat Detection and Use Cases in Industrial Security
Dragos, Inc.
 
PDF
Dragos and CyberWire: ICS Ransomware
Dragos, Inc.
 
PPTX
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Dragos, Inc.
 
Trisis in Perspective: Implications for ICS Defenders
Dragos, Inc.
 
How to Respond to Industrial Intrusions
Dragos, Inc.
 
Behavior-Based Defense in ICS
Dragos, Inc.
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Dragos, Inc.
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
Dragos, Inc.
 
The Four Types of Threat Detection and Use Cases in Industrial Security
Dragos, Inc.
 
Dragos and CyberWire: ICS Ransomware
Dragos, Inc.
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Dragos, Inc.
 

What's hot (20)

PPTX
Dragos year in review (yir) 2018
Dragos, Inc.
 
PDF
Industrial Control Systems Cybersecurity Technology Selection
Dragos, Inc.
 
PPTX
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
Dragos, Inc.
 
PPTX
Solving ICS Cybersecurity Challenges in the Electric Industry
Dragos, Inc.
 
PDF
The Current ICS Threat Landscape
Dragos, Inc.
 
PPTX
Dressing up the ICS Kill Chain
Dragos, Inc.
 
PDF
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Dragos, Inc.
 
PPTX
PLC Virtualization Dragos S4 2019
Dragos, Inc.
 
PPTX
Securing Electric Utility Infrastructure
Dragos, Inc.
 
PDF
Kofax Document Security
Kofax
 
PPTX
Neighborhood Keeper - Introduction
Dragos, Inc.
 
PDF
Security Starts at the Endpoint
Elasticsearch
 
PDF
Vulnerability Management – Opportunities and Challenges!
Outpost24
 
PPTX
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Dragos, Inc.
 
PPTX
Incident response live demo slides final
AlienVault
 
PDF
Kaspersky Lab new Enterprise Portfolio
Kaspersky
 
PDF
Consequence Informed Cyber Security
Dragos, Inc.
 
PPTX
Supply Chain Threats to the US Energy Sector
Kaspersky
 
PDF
You can't detect what you can't see illuminating the entire kill chain
Fidelis Cybersecurity
 
PDF
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky
 
Dragos year in review (yir) 2018
Dragos, Inc.
 
Industrial Control Systems Cybersecurity Technology Selection
Dragos, Inc.
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
Dragos, Inc.
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Dragos, Inc.
 
The Current ICS Threat Landscape
Dragos, Inc.
 
Dressing up the ICS Kill Chain
Dragos, Inc.
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Dragos, Inc.
 
PLC Virtualization Dragos S4 2019
Dragos, Inc.
 
Securing Electric Utility Infrastructure
Dragos, Inc.
 
Kofax Document Security
Kofax
 
Neighborhood Keeper - Introduction
Dragos, Inc.
 
Security Starts at the Endpoint
Elasticsearch
 
Vulnerability Management – Opportunities and Challenges!
Outpost24
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Dragos, Inc.
 
Incident response live demo slides final
AlienVault
 
Kaspersky Lab new Enterprise Portfolio
Kaspersky
 
Consequence Informed Cyber Security
Dragos, Inc.
 
Supply Chain Threats to the US Energy Sector
Kaspersky
 
You can't detect what you can't see illuminating the entire kill chain
Fidelis Cybersecurity
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky
 
Ad

Similar to TRISIS in Perspective (20)

PDF
Securing Industrial Control System
Hemanth M
 
PDF
Web Server Security Guidelines
webhostingguy
 
PPTX
CSO CXO Series Breakfast
CSO_Presentations
 
PDF
Cybersecurity Practices for Industrial Control Systems
holloworangutanxjej
 
PDF
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
PDF
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
PROFIBUS and PROFINET InternationaI - PI UK
 
PDF
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
PPTX
ch03.pptx
HaipengCai1
 
PDF
Computer Security and Intrusion Detection(IDS/IPS)
LJ PROJECTS
 
PPTX
Dcit 418-Slide two presentation (1).pptx
kojokoranteng19
 
PDF
Ccna sec 01
EduclentMegasoftel
 
PDF
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
Paul F. Roberts
 
PDF
Pervasive Security Across Your Extended Network
Cisco Security
 
PDF
Cisco Connect 2018 Thailand - Secure data center building a secure zero trust...
NetworkCollaborators
 
PDF
ICS security
Ahmed Shitta
 
ODP
Cloud Computing
Commit Software Sh.p.k.
 
PPT
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
PDF
Network security
Sri Manakula Vinayagar Engineering College
 
PDF
Ot ics cyberattaques dans les organisations industrielles
Cisco Canada
 
PDF
IoT Security, Mirai Revisited
Clare Nelson, CISSP, CIPP-E
 
Securing Industrial Control System
Hemanth M
 
Web Server Security Guidelines
webhostingguy
 
CSO CXO Series Breakfast
CSO_Presentations
 
Cybersecurity Practices for Industrial Control Systems
holloworangutanxjej
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
PROFIBUS and PROFINET InternationaI - PI UK
 
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
ch03.pptx
HaipengCai1
 
Computer Security and Intrusion Detection(IDS/IPS)
LJ PROJECTS
 
Dcit 418-Slide two presentation (1).pptx
kojokoranteng19
 
Ccna sec 01
EduclentMegasoftel
 
John Walsh, Sypris on Cyber Physical Systems - Boston SECoT MeetUp 2015
Paul F. Roberts
 
Pervasive Security Across Your Extended Network
Cisco Security
 
Cisco Connect 2018 Thailand - Secure data center building a secure zero trust...
NetworkCollaborators
 
ICS security
Ahmed Shitta
 
Cloud Computing
Commit Software Sh.p.k.
 
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Network security
Sri Manakula Vinayagar Engineering College
 
Ot ics cyberattaques dans les organisations industrielles
Cisco Canada
 
IoT Security, Mirai Revisited
Clare Nelson, CISSP, CIPP-E
 
Ad

More from Dragos, Inc. (11)

PPTX
Dragos 2019 ICS Year in Review
Dragos, Inc.
 
PPTX
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
PPTX
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos, Inc.
 
PDF
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Dragos, Inc.
 
PPTX
Purple Teaming ICS Networks
Dragos, Inc.
 
PDF
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Dragos, Inc.
 
PPTX
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos, Inc.
 
PPTX
2018 Year in Review- ICS Threat Activity Groups
Dragos, Inc.
 
PDF
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Dragos, Inc.
 
PDF
Threat Activity Groups - Dragos
Dragos, Inc.
 
PDF
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 
Dragos 2019 ICS Year in Review
Dragos, Inc.
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos, Inc.
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Dragos, Inc.
 
Purple Teaming ICS Networks
Dragos, Inc.
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Dragos, Inc.
 
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
Dragos, Inc.
 
2018 Year in Review- ICS Threat Activity Groups
Dragos, Inc.
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Dragos, Inc.
 
Threat Activity Groups - Dragos
Dragos, Inc.
 
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 

Recently uploaded (20)

PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
Configure Apache Mutual Authentication
Antonino Piraino
 
PPT
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Melanie Swan
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PPTX
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 
PPTX
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
ClarisejaneSartillo1
 
PPTX
2018-HIPAA-Renewal-Training for executives
Mayank Mathur
 
PDF
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
PDF
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PDF
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
Metrics GmbH
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Configure Apache Mutual Authentication
Antonino Piraino
 
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Melanie Swan
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
ClarisejaneSartillo1
 
2018-HIPAA-Renewal-Training for executives
Mayank Mathur
 
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
Metrics GmbH
 
Five Habits of High-Impact Board Members
OnBoard
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 

TRISIS in Perspective

  • 1. TRISIS in Perspective Implications of Safety System Attacks for ICS Defenders
  • 2. Place Your Header Here in Arial 22pt Place Subtitle Here Agenda • TRISIS Event • TRISIS Malware • XENOTIME Activity Group • Defensive Recommendations
  • 3. TRISIS Event Unspecified gas facility in Saudi Arabia attacked in August 2017. Infection resulted in system shutdown during the intrusion. Not assessed as a shutdown due to an attack (accidental). Attack focused on Schneider Electric Triconex Safety System (SIS).
  • 4. TRISIS Attack Progression Establish Access on SIS- Connecting System Transfer TRISIS Package to System Use TRISIS Base EXE to Upload Tristation Program Tristation Program Compromises SIS Leverage Access for ICS Disruption via SIS
  • 5. Establish Access on SIS- Connecting System Transfer TRISIS Package to System Use TRISIS Base EXE to Upload Tristation Program Tristation Program Compromises SIS Leverage Access for ICS Disruption via SIS TRISIS Attack - Observed Something breaks here! (maybe)
  • 6. TRISIS Malware exploits and installs rootkit on SIS Engineering Workstation LIBRARY.ZIP + TRILOG.EXE SIS INJECT.BIN IMAIN.BIN
  • 7. TRISIS Activity Group: XENOTIME Deliberate targeting of SIS accepts risk of physical damage and potential loss of life. New ‘norm’ established in ICS targeting and operations. Post-TRISIS, we have observed that XENOTIME has expanded its targeting to North America and other safety systems. XENOTIME isn’t simply a problem for Schneider Triconex customers.
  • 8. ICS Cyber Kill Chain – Focus on Stage 2
  • 9. SIS Connectivity – Isolation isn’t always possible Increasing connectivity requirements results in SIS connectivity to general network. Yokogawa ProSafe-RS recommends that SIS connected to rest of network. Honeywell Safety Manager docs provide similar guidance.
  • 10. Border Defense – Stopping Stage 2 • Look for Credential Theft and Re-Use. • Remote logon activity should route through a hardened jump host for better monitoring. • If not possible, implement host-based logging visibility on border hosts from IT to ICS along with network monitoring host to host. • File Monitoring • Unknown ICS malware will often evade AV (known limitation). • AV effective for supplementary tools like Mimikatz. • Open source: Bro + Yara for files of interest crossing border. • Command and Control Detection – outbound activity from ICS
  • 11. ICS Network Defense – Choke Points and Pivoting • Following initial access, attacker must pivot through network to reach host of interest. • Architectural decisions can limit adversary freedom of movement. • Treat choke points like IT-ICS boundary. • Most effective: physical/virtual LAN segmentation. Install taps for better visibility.
  • 12. SIS Monitoring and Defense • Assumption: adversary has breached network and has access to SIS. • Harden SIS-Connected hosts, such as EWS, to the greatest extent possible. • Patching • Limit local and admin accounts as well as remote access. • Logging (Sysmon, Windows event log) • Treat SIS-connected hosts as a choke point. • Physical Defense: Isolate as much as possible. Use keyswitch-like controls. • Monitor Traffic Flow to SIS. • Organizational awareness of known maintenance periods
  • 13. SIS Response and Recovery – Plan Ahead • Forensics and Root Cause Analysis • TRISIS victim was able to determine a cyber event was involved in plant shutdown. This is often overlooked. • Assess capability to obtain forensics artifacts from the SIS. e.g. Control Program Audits • Ensure robust forensic capability on SIS-connected devices, to enable determination of cyber involvement. • System Restoration and Recovery • Known Good configuration secure backups (firmware if possible) • Develop response plan. Engage Vendor contacts early.
  • 14. Start Now with SIS Defense XENOTIME is still learning. The playing field is level, so we have time for designing defense. Questions?
  • 15. Sources and References • Yokogawa SIS Prosafe-RS Documenation https://tinyurl.com/ybtkwxfw • Honeywell Safety Manager Specifications and Technical Data https://tinyurl.com/yde2tgwy • The Bro Network Security Monitor https://www.bro.org/ • Yara: The Pattern Matching Swiss Knife for Malware Researchers https://virustotal.github.io/yara/ • Sysmon – Microsoft https://tinyurl.com/y9bcgolz
  • 16. Sources and References • Windows Security Event ID 4624 https://tinyurl.com/zaklujy • TRISIS – Initial Release https://dragos.com/blog/trisis/ • TRISIS and Xenotime webinars: Analyzing TRISIS – Reid Wightman & Jimmy Wylie XENOTIME and SIS – Joe Slowik https://dragos.com/webinars.html