The 2022 ATT&CK Evaluations for Managed Services Call for Participation is now open. Click here to learn how to participate.

Home  >  ICS TRITON Overview



ICS Evaluation 2021
  • Call For Participation
  • Evaluating
  • Preparing
  • Published
Scenario Description

In mid-2017, a petrochemical facility in Saudi Arabia was discovered to have been the victim of a potentially disastrous cyber incident. This incident was dubbed TRITON [1] (aka TRISIS or HATMAN) due to its specific targeting of Triconex Safety Instrumented Systems (SIS). The SIS in question is responsible for providing safety monitoring to the facility’s operations, including oversight of the facility’s burner management system.

The TRITON event represents the first publicly reported incident demonstrating a targeted attack with a known effect to an operational SIS. [2] Information describing initial access and the subsequent pivot to the safety system assets remains largely unknown. While the group’s ultimate goals may still be uncovered, it has proven the capability to interact with and affect a targeted critical safety system.

Scenario Characteristics

The TRITON scenario demonstrated the capability to affect or otherwise compromise the safety monitoring functions present within the target facility. The threat group behind TRITON has shown specific motivations for targeting the oil and gas sector. With certainty, the threat group exhibited a deep understanding of the target system and environment. [3]

Notable ATT&CK tactics displayed in the TRITON scenario include execution, inhibition of response function, and impact. Specifically leveraging APIs and scripting for execution, the threat group was able to ultimately modify program state and control logic to achieve an impact of Loss of Safety. The threat group has also demonstrated prominent evasion capabilities in order to effectively masquerade its malicious behaviors.


Operational Flow

TRITON Scenario: This scenario begins with an adversary accessing a burner management environment through an application server located within a shared DMZ between the corporate and ICS network. Following the initial compromise of a control engineering workstation access is expanded to a safety engineering workstation. As these hosts are compromised, persistence is established for covert remote access. Discovery and collection occur throughout the campaign to identify hosts, gather artifacts, ascertain process state, and generally inform decision making. Critical safety functions are disabled by the addition of malicious control logic to the safety system. These malicious additions inhibit the safety system’s ability to trip the process in unsafe states. With the safety system out of the way, the adversary manipulates the burner causing physical damage to the facility.

For details on the TRITON emulation please refer to the Operational Flow.

Technique Scope

For the TRITON evaluation, 17 ATT&CK techniques across 10 ATT&CK tactics are in. You can view the in-scope Techniques for the TRITON evaluation below:


The evaluation was performed in a MITRE Engenuity lab against an environment functioning as a burner management system. Control system components (i.e., PLCs), Windows host running ICS applications, and network infrastructure were physically implemented while the industrial equipment and physical processes were simulated. The burner management solution was designed and programmed by an integration company focused on the energy sector.

Vendors shipped a physical appliance with their detection solution installed on it. All the vendor appliances simultaneously received network traffic which was distributed by a network aggregator connected to the SPAN port of the environment’s switch. Windows event logs were centrally collected and then forwarded via syslog to each solution capable of collecting events in this fashion.

In addition, the opportunity to actively poll the PLCs for configuration changes (program and task modifications) was provided to vendors that offer this as a current feature of their solution. This was done outside of the execution phase as not to taint the network traffic collected by the other appliances.

VPN access enabled the vendors to connect remotely to their appliances for management and monitoring purposes throughout the various phases of the evaluation.

Detection Categories

Vendors use their own terminology and approaches to detect and protect potential adversary behavior. They provide this information to us in their unique way, and then it is our responsibility to abstract the data using categories to talk about the products in similar ways.

These categories are divided into two types: “Main” and “Modifier.” Each detection receives one main category designation, which relates to the amount of context provided to the user and may optionally receive one or more modifier category designations that help describe the event in more detail. For the TRITON evaluation, there are six main detection categories representing the amount of context provided to the analyst, and two modifier categories.

You can learn more about our process for processing detections here.

Learn More: Detection Categories Page

Additional Resources

The following links provide more context to this round: