You see it in the movies — evil hackers taking over nuclear plants and factories and setting off explosions.

In real life, attackers aren’t doing that.

But they’re inching closer.

Archer News Network’s Kerry Tomlinson gives you a front row seat — to see how cyber pirates are scaling the walls and trying to take control of the ship with a malware called Triton/Trisis.

Watch story here:


Closer to Reality

In the movie Blackhat, an evil hacker commandeers computers at a nuclear site and tries to blow it up.

In real life, a real cyber attacker just took a tiny step forward toward this kind of industrial invasion.

Researchers say attackers created malware to take over part of the safety system at a plant in the Middle East. Their report does not say what kind of plant was attacked, nor where it is located.

“Safety system is the last line of defense,” said Marina Krotofil, an analyst with cybersecurity company FireEye. “And for me personally, it’s worrisome. People working in the plant, people live around the plant.”


Krotofil and analyst K. Reid Wightman of cybersecurity company Dragos analyzed the unique and highly specialized malware.

“This is not something that Joe in his basement is going to cobble together and decide, ‘I’m going to write some malware for this thing,’” Wightman said. “I do have a belief that it’s at least somebody that’s well funded that wrote this.

A Triconex safety controller for an industrial plant. Image credit: Schneider Electric


Krotofil and Wightman spoke to Archer News at the S4 security conference in Miami about the malware that some call Triton, Trisis, Tri-X or HatMan.

“When I look through the cyber incident, I look through the eyes of the attacker,” Krotofil said. “If I were an attacker, how I would be doing that.”

How They Did It

First step — the target, in this case, a Triconix safety controller.

Safety controllers can tell if something is wrong in a plant, like too much pressure or temperatures too high.

It then sounds the alarm. 

“Safety controllers are these systems that are supposed to shut down a plant when safety conditions are detected,” said Wightman. “If they sense that an explosion might happen, they try to either release pressure or safely shut down the plant, basically.”

Triton/Trisis lodged itself onto a safety controller at the plant and took charge.

“It can basically override the base behavior of the whole system and change it into like a completely different kind of device,” Wightman explained.


This safety controller has a lock to prevent people from reprogramming the device. Image credit: FireEye


But it could do more damage as a safety controller with an evil secret.

Triton/Trisis could fake a safety problem so the plant shuts down, costing hundreds of thousands of dollars.

Or, if there were a real safety problem, Triton/Trisis could keep the safety controller quiet so no one knows the plant’s in trouble.

“The real danger would be if it shut off the safety system but nobody knew the safety system was shut off,” Wightman said.


In the Blackhat movie, the evil hacker hit the jackpot, causing a massive explosion.

In real life? 

Far from it, researchers said.

The Triton/Trisis attackers popped a safety controller but couldn’t do anything else to the rest of the plant.

“What it did to the victim was it shut off the safety controller which actually tripped their plant and caused their plant to shut down, which is a good outcome from all of this because it didn’t kill anyone,” said Wightman.

And researchers said attackers have a long, long way to go before they could get close. 

“It’s not like a piece of malware that can magically cause explosions,” Wightman told Archer News. “They wouldn’t just be able to just break into the safety system and cause an explosion. So, don’t panic.”


A closer look at a Triconex safety controller. Image credit: Schneider Electric



Still, there is concern about this new phase in industrial attacks. 

“Every criminal group has a manager that says, ‘Other criminal groups can do that. Why can you not do that?’” Krotofil said. “We will definitely see more of those, but, unfortunately, defenses are not growing as fast.”

Safety controllers aren’t like phones, where you can do a factory reset if something goes wrong, Wightman said.

“Is this thing as it should be from the factory? There’s no way to tell. So, if one piece of malware gets onto the controller, you really can’t tell if it’s been affected with one of these logic bombs or time bombs,” he said. “It could be running and there’s just no way to measure it and see if that’s the case.”

Steps to More Safety

Plants need to separate the safety controllers on their own network, researchers said, even locking them up to keep bad guys out. Plus, monitor the controllers to see what kind of info is going in and going out.

With these and other steps, plants can make sure hacker-caused plant explosions stay in Hollywood and not the real world.

“It was a very good wake up call,” said Krotofil. “And we should hope that we will not see a destructive attack using this strategy.”

“But yeah, we need to speed up the defenses,” she added. “And I think it’s a good, positive thing that we now have this pressure.”

The maker of Triconex safety controllers, Schneider Electric, put out a security notification about the malware.


Main image: Schneider Electric/Archer News Network