Dragos, Inc., profile picture
Uploaded byDragos, Inc.
PPTX, PDF708 views

TRISIS in Perspective

The document discusses the Trisis malware attack on a safety system at a gas facility in Saudi Arabia in 2017, highlighting its impact and the ongoing threat from the Xenotime group which has expanded its targeting. It offers defensive recommendations for industrial control systems (ICS), emphasizing the importance of monitoring, isolation, and robust network defenses against cyber threats. Additionally, it stresses the need for effective incident response capabilities, including forensic analysis and system recovery planning.

Embed presentation

Downloaded 20 times
TRISIS in Perspective Implications of Safety System Attacks for ICS Defenders
Place Your Header Here in Arial 22pt Place Subtitle Here Agenda • TRISIS Event • TRISIS Malware • XENOTIME Activity Group • Defensive Recommendations
TRISIS Event Unspecified gas facility in Saudi Arabia attacked in August 2017. Infection resulted in system shutdown during the intrusion. Not assessed as a shutdown due to an attack (accidental). Attack focused on Schneider Electric Triconex Safety System (SIS).
TRISIS Attack Progression Establish Access on SIS- Connecting System Transfer TRISIS Package to System Use TRISIS Base EXE to Upload Tristation Program Tristation Program Compromises SIS Leverage Access for ICS Disruption via SIS
Establish Access on SIS- Connecting System Transfer TRISIS Package to System Use TRISIS Base EXE to Upload Tristation Program Tristation Program Compromises SIS Leverage Access for ICS Disruption via SIS TRISIS Attack - Observed Something breaks here! (maybe)
TRISIS Malware exploits and installs rootkit on SIS Engineering Workstation LIBRARY.ZIP + TRILOG.EXE SIS INJECT.BIN IMAIN.BIN
TRISIS Activity Group: XENOTIME Deliberate targeting of SIS accepts risk of physical damage and potential loss of life. New ‘norm’ established in ICS targeting and operations. Post-TRISIS, we have observed that XENOTIME has expanded its targeting to North America and other safety systems. XENOTIME isn’t simply a problem for Schneider Triconex customers.
ICS Cyber Kill Chain – Focus on Stage 2
SIS Connectivity – Isolation isn’t always possible Increasing connectivity requirements results in SIS connectivity to general network. Yokogawa ProSafe-RS recommends that SIS connected to rest of network. Honeywell Safety Manager docs provide similar guidance.
Border Defense – Stopping Stage 2 • Look for Credential Theft and Re-Use. • Remote logon activity should route through a hardened jump host for better monitoring. • If not possible, implement host-based logging visibility on border hosts from IT to ICS along with network monitoring host to host. • File Monitoring • Unknown ICS malware will often evade AV (known limitation). • AV effective for supplementary tools like Mimikatz. • Open source: Bro + Yara for files of interest crossing border. • Command and Control Detection – outbound activity from ICS
ICS Network Defense – Choke Points and Pivoting • Following initial access, attacker must pivot through network to reach host of interest. • Architectural decisions can limit adversary freedom of movement. • Treat choke points like IT-ICS boundary. • Most effective: physical/virtual LAN segmentation. Install taps for better visibility.
SIS Monitoring and Defense • Assumption: adversary has breached network and has access to SIS. • Harden SIS-Connected hosts, such as EWS, to the greatest extent possible. • Patching • Limit local and admin accounts as well as remote access. • Logging (Sysmon, Windows event log) • Treat SIS-connected hosts as a choke point. • Physical Defense: Isolate as much as possible. Use keyswitch-like controls. • Monitor Traffic Flow to SIS. • Organizational awareness of known maintenance periods
SIS Response and Recovery – Plan Ahead • Forensics and Root Cause Analysis • TRISIS victim was able to determine a cyber event was involved in plant shutdown. This is often overlooked. • Assess capability to obtain forensics artifacts from the SIS. e.g. Control Program Audits • Ensure robust forensic capability on SIS-connected devices, to enable determination of cyber involvement. • System Restoration and Recovery • Known Good configuration secure backups (firmware if possible) • Develop response plan. Engage Vendor contacts early.
Start Now with SIS Defense XENOTIME is still learning. The playing field is level, so we have time for designing defense. Questions?
Sources and References • Yokogawa SIS Prosafe-RS Documenation https://tinyurl.com/ybtkwxfw • Honeywell Safety Manager Specifications and Technical Data https://tinyurl.com/yde2tgwy • The Bro Network Security Monitor https://www.bro.org/ • Yara: The Pattern Matching Swiss Knife for Malware Researchers https://virustotal.github.io/yara/ • Sysmon – Microsoft https://tinyurl.com/y9bcgolz
Sources and References • Windows Security Event ID 4624 https://tinyurl.com/zaklujy • TRISIS – Initial Release https://dragos.com/blog/trisis/ • TRISIS and Xenotime webinars: Analyzing TRISIS – Reid Wightman & Jimmy Wylie XENOTIME and SIS – Joe Slowik https://dragos.com/webinars.html

More Related Content

PDF
Trisis in Perspective: Implications for ICS Defenders
byDragos, Inc.
 
PDF
How to Respond to Industrial Intrusions
byDragos, Inc.
 
PPTX
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
byDragos, Inc.
 
PDF
Dragos and CyberWire: ICS Ransomware
byDragos, Inc.
 
PPTX
The Four Types of Threat Detection and Use Cases in Industrial Security
byDragos, Inc.
 
PDF
Behavior-Based Defense in ICS
byDragos, Inc.
 
PPTX
How to Increase ICS Cybersecurity Return on Investment (ROI)
byDragos, Inc.
 
PPTX
Debunking the Hacker Hype: The Reality of Widespread Blackouts
byDragos, Inc.
 
Trisis in Perspective: Implications for ICS Defenders
byDragos, Inc.
 
How to Respond to Industrial Intrusions
byDragos, Inc.
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
byDragos, Inc.
 
Dragos and CyberWire: ICS Ransomware
byDragos, Inc.
 
The Four Types of Threat Detection and Use Cases in Industrial Security
byDragos, Inc.
 
Behavior-Based Defense in ICS
byDragos, Inc.
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
byDragos, Inc.
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
byDragos, Inc.
 

What's hot

PDF
Vulnerability Management – Opportunities and Challenges!
byOutpost24
 
PDF
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
byDragos, Inc.
 
PPTX
Dragos year in review (yir) 2018
byDragos, Inc.
 
PDF
The Current ICS Threat Landscape
byDragos, Inc.
 
PPTX
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
byDragos, Inc.
 
PPTX
Securing Electric Utility Infrastructure
byDragos, Inc.
 
PDF
Consequence Informed Cyber Security
byDragos, Inc.
 
PDF
Kaspersky Lab new Enterprise Portfolio
byKaspersky
 
PDF
Industrial Control Systems Cybersecurity Technology Selection
byDragos, Inc.
 
PPTX
Dressing up the ICS Kill Chain
byDragos, Inc.
 
PPTX
Neighborhood Keeper - Introduction
byDragos, Inc.
 
PPTX
PLC Virtualization Dragos S4 2019
byDragos, Inc.
 
PDF
Kofax Document Security
byKofax
 
PPTX
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
byDragos, Inc.
 
PPTX
Solving ICS Cybersecurity Challenges in the Electric Industry
byDragos, Inc.
 
PDF
You can't detect what you can't see illuminating the entire kill chain
byFidelis Cybersecurity
 
PDF
Security Starts at the Endpoint
byElasticsearch
 
PPTX
Supply Chain Threats to the US Energy Sector
byKaspersky
 
PDF
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
byKaspersky
 
PPTX
Incident response live demo slides final
byAlienVault
 
Vulnerability Management – Opportunities and Challenges!
byOutpost24
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
byDragos, Inc.
 
Dragos year in review (yir) 2018
byDragos, Inc.
 
The Current ICS Threat Landscape
byDragos, Inc.
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
byDragos, Inc.
 
Securing Electric Utility Infrastructure
byDragos, Inc.
 
Consequence Informed Cyber Security
byDragos, Inc.
 
Kaspersky Lab new Enterprise Portfolio
byKaspersky
 
Industrial Control Systems Cybersecurity Technology Selection
byDragos, Inc.
 
Dressing up the ICS Kill Chain
byDragos, Inc.
 
Neighborhood Keeper - Introduction
byDragos, Inc.
 
PLC Virtualization Dragos S4 2019
byDragos, Inc.
 
Kofax Document Security
byKofax
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
byDragos, Inc.
 
Solving ICS Cybersecurity Challenges in the Electric Industry
byDragos, Inc.
 
You can't detect what you can't see illuminating the entire kill chain
byFidelis Cybersecurity
 
Security Starts at the Endpoint
byElasticsearch
 
Supply Chain Threats to the US Energy Sector
byKaspersky
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
byKaspersky
 
Incident response live demo slides final
byAlienVault
 

Similar to TRISIS in Perspective

PDF
Mission Impact Assessment for Industrial Control Systems
byMarina Krotofil
 
PDF
Past and future of integrity based attacks in ics environments
byJoe Slowik
 
PDF
2021. Top Cyber News MAGAZINE Daniel Ehrenreich October 2021
byDr. Ludmila Morozova-Buss
 
PPTX
IDS+Honeypots Making Security Simple
byGregory Hanis
 
PDF
Mission kill process targeting in ics attacks
byJoe Slowik
 
PDF
Brochure network security-en
bysandeep1721
 
PPTX
THE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDS
byiQHub
 
PDF
Top Cyber News Magazine Daniel Ehrenreich
byTopCyberNewsMAGAZINE
 
PPTX
2018 Year in Review- ICS Threat Activity Groups
byDragos, Inc.
 
PDF
Intrusion Detection System: Spot Hackers Before 2026 | CyberPro Magazine
byCyberPro Magazine
 
PPTX
SANS Report: The State of Security in Control Systems Today
bySurfWatch Labs
 
PPTX
CNL Software - PSIM for Energy, Oil & Gas
byAdlan Hussain
 
PDF
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
byTI Safe
 
PDF
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
byAngeloluca Barba
 
PDF
Eximbank security presentation
bylaonap166
 
PDF
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
byTI Safe
 
PPTX
Cisco Network Insider: Three Ways to Secure your Network
byRobb Boyd
 
PDF
[CLASS 2014] Palestra Técnica - Alexandre Euclides
byTI Safe
 
PPTX
Presentation (3) cybersecurity wd imp.pptx
byYash Sharma
 
PDF
Industrial Control Security USA Sacramento California Oct 6/7
byJames Nesbitt
 
Mission Impact Assessment for Industrial Control Systems
byMarina Krotofil
 
Past and future of integrity based attacks in ics environments
byJoe Slowik
 
2021. Top Cyber News MAGAZINE Daniel Ehrenreich October 2021
byDr. Ludmila Morozova-Buss
 
IDS+Honeypots Making Security Simple
byGregory Hanis
 
Mission kill process targeting in ics attacks
byJoe Slowik
 
Brochure network security-en
bysandeep1721
 
THE STATE OF THE ICS CYBERSECURITY THREAT LANDSCAPE FOR DIGITAL OILFIELDS
byiQHub
 
Top Cyber News Magazine Daniel Ehrenreich
byTopCyberNewsMAGAZINE
 
2018 Year in Review- ICS Threat Activity Groups
byDragos, Inc.
 
Intrusion Detection System: Spot Hackers Before 2026 | CyberPro Magazine
byCyberPro Magazine
 
SANS Report: The State of Security in Control Systems Today
bySurfWatch Labs
 
CNL Software - PSIM for Energy, Oil & Gas
byAdlan Hussain
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
byTI Safe
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
byAngeloluca Barba
 
Eximbank security presentation
bylaonap166
 
CLASS 2018 - Palestra de Shad Harris (Senior Subject Matter Expert on Securit...
byTI Safe
 
Cisco Network Insider: Three Ways to Secure your Network
byRobb Boyd
 
[CLASS 2014] Palestra Técnica - Alexandre Euclides
byTI Safe
 
Presentation (3) cybersecurity wd imp.pptx
byYash Sharma
 
Industrial Control Security USA Sacramento California Oct 6/7
byJames Nesbitt
 

More from Dragos, Inc.

PDF
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
byDragos, Inc.
 
PPTX
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
byDragos, Inc.
 
PPTX
Dragos 2019 ICS Year in Review
byDragos, Inc.
 
PPTX
Dragos S4x20: How to Build an OT Security Operations Center
byDragos, Inc.
 
PDF
TTPs for Threat hunting In Oil Refineries
byDragos, Inc.
 
PPTX
Purple Teaming ICS Networks
byDragos, Inc.
 
PDF
Threat Activity Groups - Dragos
byDragos, Inc.
 
PDF
Rising Cyber Escalation US Iran Russia ICS Threats and Response
byDragos, Inc.
 
PPTX
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
byDragos, Inc.
 
PDF
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
byDragos, Inc.
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
byDragos, Inc.
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
byDragos, Inc.
 
Dragos 2019 ICS Year in Review
byDragos, Inc.
 
Dragos S4x20: How to Build an OT Security Operations Center
byDragos, Inc.
 
TTPs for Threat hunting In Oil Refineries
byDragos, Inc.
 
Purple Teaming ICS Networks
byDragos, Inc.
 
Threat Activity Groups - Dragos
byDragos, Inc.
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
byDragos, Inc.
 
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...
byDragos, Inc.
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
byDragos, Inc.
 

Recently uploaded

PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
The year in review - MarvelClient in 2025
bypanagenda
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 

TRISIS in Perspective

  • 1.
    TRISIS in Perspective Implicationsof Safety System Attacks for ICS Defenders
  • 2.
    Place Your HeaderHere in Arial 22pt Place Subtitle Here Agenda • TRISIS Event • TRISIS Malware • XENOTIME Activity Group • Defensive Recommendations
  • 3.
    TRISIS Event Unspecified gasfacility in Saudi Arabia attacked in August 2017. Infection resulted in system shutdown during the intrusion. Not assessed as a shutdown due to an attack (accidental). Attack focused on Schneider Electric Triconex Safety System (SIS).
  • 4.
    TRISIS Attack Progression Establish Accesson SIS- Connecting System Transfer TRISIS Package to System Use TRISIS Base EXE to Upload Tristation Program Tristation Program Compromises SIS Leverage Access for ICS Disruption via SIS
  • 5.
    Establish Access on SIS- Connecting System Transfer TRISIS Package to System UseTRISIS Base EXE to Upload Tristation Program Tristation Program Compromises SIS Leverage Access for ICS Disruption via SIS TRISIS Attack - Observed Something breaks here! (maybe)
  • 6.
    TRISIS Malware exploitsand installs rootkit on SIS Engineering Workstation LIBRARY.ZIP + TRILOG.EXE SIS INJECT.BIN IMAIN.BIN
  • 7.
    TRISIS Activity Group:XENOTIME Deliberate targeting of SIS accepts risk of physical damage and potential loss of life. New ‘norm’ established in ICS targeting and operations. Post-TRISIS, we have observed that XENOTIME has expanded its targeting to North America and other safety systems. XENOTIME isn’t simply a problem for Schneider Triconex customers.
  • 8.
    ICS Cyber KillChain – Focus on Stage 2
  • 9.
    SIS Connectivity –Isolation isn’t always possible Increasing connectivity requirements results in SIS connectivity to general network. Yokogawa ProSafe-RS recommends that SIS connected to rest of network. Honeywell Safety Manager docs provide similar guidance.
  • 10.
    Border Defense –Stopping Stage 2 • Look for Credential Theft and Re-Use. • Remote logon activity should route through a hardened jump host for better monitoring. • If not possible, implement host-based logging visibility on border hosts from IT to ICS along with network monitoring host to host. • File Monitoring • Unknown ICS malware will often evade AV (known limitation). • AV effective for supplementary tools like Mimikatz. • Open source: Bro + Yara for files of interest crossing border. • Command and Control Detection – outbound activity from ICS
  • 11.
    ICS Network Defense– Choke Points and Pivoting • Following initial access, attacker must pivot through network to reach host of interest. • Architectural decisions can limit adversary freedom of movement. • Treat choke points like IT-ICS boundary. • Most effective: physical/virtual LAN segmentation. Install taps for better visibility.
  • 12.
    SIS Monitoring andDefense • Assumption: adversary has breached network and has access to SIS. • Harden SIS-Connected hosts, such as EWS, to the greatest extent possible. • Patching • Limit local and admin accounts as well as remote access. • Logging (Sysmon, Windows event log) • Treat SIS-connected hosts as a choke point. • Physical Defense: Isolate as much as possible. Use keyswitch-like controls. • Monitor Traffic Flow to SIS. • Organizational awareness of known maintenance periods
  • 13.
    SIS Response andRecovery – Plan Ahead • Forensics and Root Cause Analysis • TRISIS victim was able to determine a cyber event was involved in plant shutdown. This is often overlooked. • Assess capability to obtain forensics artifacts from the SIS. e.g. Control Program Audits • Ensure robust forensic capability on SIS-connected devices, to enable determination of cyber involvement. • System Restoration and Recovery • Known Good configuration secure backups (firmware if possible) • Develop response plan. Engage Vendor contacts early.
  • 14.
    Start Now withSIS Defense XENOTIME is still learning. The playing field is level, so we have time for designing defense. Questions?
  • 15.
    Sources and References •Yokogawa SIS Prosafe-RS Documenation https://tinyurl.com/ybtkwxfw • Honeywell Safety Manager Specifications and Technical Data https://tinyurl.com/yde2tgwy • The Bro Network Security Monitor https://www.bro.org/ • Yara: The Pattern Matching Swiss Knife for Malware Researchers https://virustotal.github.io/yara/ • Sysmon – Microsoft https://tinyurl.com/y9bcgolz
  • 16.
    Sources and References •Windows Security Event ID 4624 https://tinyurl.com/zaklujy • TRISIS – Initial Release https://dragos.com/blog/trisis/ • TRISIS and Xenotime webinars: Analyzing TRISIS – Reid Wightman & Jimmy Wylie XENOTIME and SIS – Joe Slowik https://dragos.com/webinars.html