ICS Evaluation 2020
- Call For Participation
In mid-2017, a petrochemical facility in Saudi Arabia was discovered to have been the victim of a potentially disastrous cyber incident. The incident was dubbed TRITON (aka TRISIS or HATMAN) because of its specific targeting of Triconex Safety Instrumented Systems (SIS). The SIS in question is responsible for safety monitoring of the facility’s operations, including oversight of the facility’s burner management system.
The TRITON event is the first publicly reported incident demonstrating a targeted attack with a known effect on an operational SIS. Details of the initial access and of the subsequent pivot to the safety-system assets remain largely unknown. While the group’s ultimate goals have yet to be established, it has demonstrated the capability to interact with, and affect, a targeted critical safety system.
The TRITON scenario demonstrated the capability to affect or otherwise compromise the safety monitoring functions present within the target facility. The threat group behind TRITON has shown a specific motivation for targeting the oil and gas sector, and it clearly exhibited a deep understanding of the target system and its environment.
Notable ATT&CK for ICS tactics displayed in the TRITON scenario include Execution, Inhibit Response Function, Impact, and Evasion. By leveraging APIs and scripting for Execution, the threat group was ultimately able to modify program state and control logic, achieving an Impact of Loss of Safety. The group also demonstrated notable Evasion capabilities, masquerading its malicious activity as legitimate behaviour in order to operate undetected.