ICS-targeting malware designed to disable safety instrumented systems at industrial facilities. Capable of causing catastrophic physical failures at energy infrastructure.
Triton targeted the Schneider Electric Triconex safety instrumented systems used in Saudi Aramco's Petro Rabigh facility, systems designed specifically to prevent industrial catastrophes such as explosions and fires. The malware's goal of disabling safety systems rather than directly sabotaging operations reflects a sophisticated understanding of industrial processes, in which creating an uncontrolled condition is more destructive than direct equipment damage. The attack failed to cause a physical explosion only because of a bug in the malware code, and CISA has assessed that a similar attack on a US facility could cause mass casualties.
Attack on a Saudi petrochemical facility in 2017; targeted safety systems designed to prevent explosions.
Triton was developed by a Russian state institute. The defensive response to Triton-class malware has driven investment in Claroty (private), Nozomi Networks (private), and Dragos (private) for industrial cybersecurity.