| | |
|---|---|
| Target | Saudi Petrochemical Plant |
| Attacker / malware | Russian Central Scientific Research Institute of Chemistry and Mechanics’s Triton/Trisis/HatMan malware |
| Sector | Oil and Gas |
| Impact | Unknown, forced shutdown |
| Initial vector | Remote Access / Phishing |
| Technique | Lateral Movement to SIS Network |
| Mitigation | Network Cloaking, Passwordless Secure Access, and Segmentation |
The Triton (also known as Trisis or HatMan) incident marked a pivotal escalation in industrial cyber warfare by specifically targeting Safety Instrumented Systems (SIS), which are designed to protect human life and prevent plant disasters.
Discovered at a Saudi Arabian petrochemical plant in 2017, the malware was highly sophisticated, leveraging proprietary protocol knowledge (TriStation) to communicate with and manipulate Schneider Electric’s Triconex SIS controllers.
While the exact initial vector remains unknown, it is suspected to have begun with a remote access breach or a phishing campaign that enabled the attacker to move laterally from the IT or general access network into the highly sensitive SIS network. The malware was designed to inject shellcode and manipulate system memory, giving the attackers complete control over safety mechanisms.
Fortunately, the attack was thwarted when an accidental shutdown triggered an investigation, but the intent was clear: to bypass safety controls and potentially cause physical destruction or explosion.
The Triton attack underscores that specialized, proprietary protocols operating on sensitive networks must be safeguarded beyond simple segmentation. The vulnerability was the implicit trust within the OT network, which allowed the attacker, once lateral access was achieved, to map and communicate with the SIS controllers.
BlastWave implements a network overlay that ensures the critical Triconex controller ports are invisible and entirely unreachable to any endpoint that does not meet the precise, identity-defined policy. This means that even if an attacker gains internal network access, they cannot perform the necessary reconnaissance or establish the communication link required to deploy the Triton malware or communicate via the TriStation protocol.
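To make the identity-defined reachability idea concrete, here is an added illustration (not BlastWave's code, nor anything from the incident) of how such a policy decides, per flow, whether a TriStation request to a Triconex controller is answered or silently dropped, and how the dropped attempts double as reconnaissance alerts. Host names, identities, the policy and the flow records are constructed; the TriStation port number (UDP/1502) is an assumption from public protocol documentation and is not stated on this page.

```python
from dataclasses import dataclass
from typing import Optional

# TriStation listens on UDP/1502 (assumption from public protocol knowledge; not stated on the page).
TRISTATION_PORT = 1502

# Constructed sample data: the controllers that must stay invisible, and the identity-defined
# policy naming the only (host, identity) pair allowed to reach each one.
SIS_CONTROLLERS = {"triconex-sis-a", "triconex-sis-b"}
POLICY = {("sis-eng-ws-01", "jdoe"): {"triconex-sis-a"}}

@dataclass
class Flow:
    src_host: str
    identity: Optional[str]   # None: endpoint never authenticated to the overlay
    dst: str
    dst_port: int

def evaluate(flow: Flow):
    """Return (verdict, reason). A 'drop' is silent (no RST or ICMP), so to the
    sender the controller port simply does not exist."""
    if flow.dst not in SIS_CONTROLLERS or flow.dst_port != TRISTATION_PORT:
        return "outside-scope", "not a cloaked TriStation port"
    if flow.identity and flow.dst in POLICY.get((flow.src_host, flow.identity), set()):
        return "allow", "identity-defined policy match"
    return "drop", "recon: unauthorised TriStation attempt"

def recon_sources(flows):
    """Hosts that probed a cloaked SIS port without a policy match: the reconnaissance
    and lateral-movement step the Triton intrusion depended on, surfaced for the SOC."""
    return sorted({f.src_host for f in flows if evaluate(f)[0] == "drop"})

SAMPLE_FLOWS = [  # constructed
    Flow("sis-eng-ws-01", "jdoe", "triconex-sis-a", TRISTATION_PORT),  # legitimate engineering
    Flow("sis-eng-ws-01", "jdoe", "triconex-sis-b", TRISTATION_PORT),  # right user, wrong controller
    Flow("it-laptop-17", None, "triconex-sis-a", TRISTATION_PORT),     # pivot from the IT network
    Flow("it-laptop-17", None, "historian-01", 5000),                   # not an SIS target
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_host} -> {f.dst}:{f.dst_port}: {evaluate(f)}")
    print("recon sources:", recon_sources(SAMPLE_FLOWS))
```

The second flow shows why identity alone is not enough: a valid engineering account reaching for a controller outside its policy is dropped and flagged just like the unauthenticated pivot from the IT laptop.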
Reading about past failures is only useful if it changes future outcomes. If attackers can see your OT network, they can target it. If they can target it, compliance, safety, and uptime are already at risk.
BlastWave eliminates reconnaissance, initial access, and lateral movement — without agents, without downtime, and without changing IPs, protocols, or PLCs.