Today, the Dragos, Inc. team is releasing a report titled TRISIS: Analyzing Safety System Targeted Malware. TRISIS is malware that was developed and deployed to at least one victim in the Middle East to target safety instrumented systems (SIS). Dragos, Inc. found and analyzed the malware last month and made sure our ICS WorldView customers were aware and prepared with proper defense recommendations.
We did not make news of this malware public because it is our policy not to be the first to disclose ICS-targeted malware or threats. Our reasons revolve around the fact that releasing such information can have a blowback effect on the industrial community. ICS threats are commonly hyped in public, and asset owners and operators are left dealing with the consequences of that hype while also trying to work out how they will prepare for and respond to the threat. Additionally, informing the public about the threat also reveals to the adversary what we know and can help the adversary be more effective.
This is a delicate balance, though, because there is also value in informing the larger community for lessons learned and information sharing. It sometimes leaves security vendors with a difficult choice where there is no right answer. Our choice, weighing that balance from our perspective, is to talk publicly about threats, even if we are the first in the community to find them, only after someone else talks about them or the information leaks to the public. This also allows our reporting to focus on the “so what” factor and the nuance of the issue.
The key takeaways from the report and things to know about TRISIS:
The TRISIS malware is a very significant event for the community as the fifth-ever ICS-tailored malware and the first to directly target SIS. It is a very bold attack, though not a technically complicated one. The Dragos team intends for our report to ensure that the proper nuance and recommendations to the community are captured. Threat intelligence customers who receive our ICS WorldView reports can access the Dragos Intelligence Portal for further information and technical details. We will continue to analyze and report on this malware and its developments. Good luck to the community, and always remember that defense is doable.