The secret #S4x19 talk on TRISIS (TRITON) is Julian who was an incident responder at Saudi Aramco who led the incident response (Aramco wasn’t the victim). He’s not revealing new info but is giving lessons learned from his first hand experience.

Notes there were multiple outages associated with TRISIS. First attack was June 2017 on a Saturday evening. One ESD controller impacted and DCS didn’t reflect the unsafe condition (quoting his slides).

Schneider checked the controller and didn’t identify the attack. Deemed it normal. Recommended restoring operations. Second outage occurred in 4th of August on Friday evening. Multiple controllers impacted across multiple phases of plant (six controllers).

DCS reflected normal operations.

Engineers reviewed and called in security. Identified suspicious traffic from IT network including RDP. Schneider got involved again and made recommendations (my comment: the recommendations such as AV scanning were not a good idea for forensics and IR).

At this time Julian’s team was called in from Aramco. Aramco did the incident response and focused on the six controllers and impacted area (my comment: IR without safety systems working in now hostile environment, kudos folks).

IR activities including network captures, system images, log analysis, etc. not ruling out insider threat. Scope expanded from ICS to DMZ to IT. Their analysis found Trilog.exe and a good timeline created that correlated with the ICS alarms.

Notes the attacks were complacent and had left files behind but later wiped them after IR started. Found unknown program (TRISIS) running in controllers memory as well. Security architecture at the site was not ideal (DMZ firewalls not configured well).

Attack entry deemed to be perimeter VPN. Logs showed attacker had been present for years (Dragos comment: tracked Xenotime active since at least 2014). Schneider gets involved again and was very willing to help and offer support.

Notes that the information flow was one way to Schneider though. The first analysis of the attack back from Schneider was on stage at S4 (my note: holy fuck).

Notes the victim contracted third party (my note: likely FireEye from what we know) which introduced challenges on negotiations and how to handle the data and analysis after.

(My note: engage IR firms before and negotiate SLAs. Get a retainer, do a TTX, talk about post incident communications).

Had to rebuild a lot of systems and restore ops across multiple environments and multiple vendors. Very costly.

Noted outage wasn’t the goal. Goal was manipulating safety logic. Plant was down over a week (extremely expensive), loss of product, recovery costs, etc.

Julian notes bad communication and culture between IT and OT teams encouraged variety of security hikes. The initial scope of the investigation in June was insufficient and should have caught the attack. No root cause analysis that include cybersecurity personnel.

Actions made by the ICS vendor during the incident put other assets at risk. Exposed admin credentials and assets in other domains

Key lesson: could have been detected and prevented much earlier. Logs and events and traffic analysis that would have made it obvious. SIS alarms and ongoing remote access as well.

Key Lesson: Operators saw alarms on ESD controllers in program mode but only had to acknowledge alarms once per day (audience audibly gasps and uncomfortable laugh)

Key Lesson: roles and responsibilities in IR not at all known ahead of time or practiced. Engaging vendors after and not coordinating before introduced issues.

Key Lesson: The plant on paper was well secured. Not audited well. Not monitoring well. Lots of false sense of security.

Key Lesson: “Beware your vendors” he notes “vendors may not have the same interest as you.” Very much calls out Schneider in a new development.

Key Lesson: “Get help before you need it.” Notes they should have had an outside IR retainer and done a threat hunt to be proactive. Better negotiations. Very subtly pokes FireEye on talking about the case publicly.

End of talk. Wow ok a lot to digest

Also one side of the story folks. But man