lecture: Analyzing TRISIS - the first Safety Instrumented System malware
Struggles in Reverse Engineering
Discovery of TRISIS/TRITON was a landmark event in the Industrial Control Systems (ICS) security community. It is the fifth known ICS-specific malware (following STUXNET, HAVEX, BLACKENERGY2, and CRASHOVERRIDE), and the first such malware to specifically target safety instrumented systems. Since its identification and public disclosure in early December 2017, much has been written on TRISIS and its implications, but technical deep-dives into TRISIS, and specifically into its binary payloads, are scarce.
TRISIS is a complex piece of malware, and analyzing the attack requires a blend of hardware and software reverse engineering. In this discussion, we will explain our approach to analyzing this sample and, at the same time, provide a detailed walkthrough of TRISIS with a focus on the PowerPC payloads and the relevant portions of the Triconex firmware. Further, we will discuss the impact