October, 2014

Overview

A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS

Abstract

In 2017 a malware framework dubbed TRITON (also referred to as TRISIS or HatMan) was discovered targeting Schneider Electric Triconex safety controllers at a petrochemical plant in Saudi Arabia, potentially in order to cause physical damage. The framework included a multi-stage payload consisting of an installer and a backdoor implant for execution of additional code at a later point in time. What was missing, however, was the so-called Operational Technology (OT) payload implementing the actual logic that would aid in carrying out a cyber-physical attack.

In this talk we aim to shed some light on the process, efforts and challenges of constructing such implants and OT payloads. We will present the steps required to engineer a cyber-physical attack and illustrate them with example implementations of different attack routines including I/O spoofing, attack progress measurement, alarm relaxation & suppression as well as anti-forensics, implant stability and persistence measures.

Conference recordings