ICS Monitoring – Detect Potential TRITON/TRISIS Activity
Created: Thursday, July 19, 2018 - 19:21
Categories: Cybersecurity
Utilities with more mature monitoring capabilities may be interested in a new tool from Nozomi Networks: the TriStation Protocol Plug-in for Wireshark, developed to detect TriStation protocol traffic on the network. Wireshark, a widely used open source network packet analyzer for network troubleshooting and analysis, is also extremely useful for advanced malware analysis, including detecting TRITON/TRISIS/HatMan activity. During plug-in development, Nozomi injected the TRITON malware into a Triconex SIS controller and then analyzed the proprietary TriStation protocol. According to Nozomi, the plug-in was developed to help cybersecurity researchers and ICS operators dissect Safety Instrumented System (SIS) controller communications in order to identify compromises and evaluate cybersecurity risks.

Source: Nozomi Networks.
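As an added example (not Nozomi's plug-in and not code from this page), the following Python detector parses raw Ethernet/IPv4/UDP frames and flags TriStation traffic, which runs over UDP port 1502, that does not originate from an approved engineering workstation; the IP addresses, allow-list and sample frames are constructed for the example.

```python
import struct
import ipaddress

TRISTATION_UDP_PORT = 1502  # TriStation engineering protocol runs over UDP/1502


def parse_udp_frame(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ip[9] != 17:
        return None  # not UDP
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    udp = ip[ihl:]
    sport, dport, ulen, _checksum = struct.unpack("!HHHH", udp[:8])
    return src, dst, sport, dport, udp[8:ulen]


def find_unexpected_tristation(frames, allowed_workstations):
    """Flag TriStation requests whose source is not an approved engineering workstation."""
    alerts = []
    for frame in frames:
        parsed = parse_udp_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport == TRISTATION_UDP_PORT and src not in allowed_workstations:
            alerts.append((src, dst, len(payload)))
    return alerts


def build_frame(src, dst, sport, dport, payload):
    """Constructed test frame (checksums left zero); enough for the parser above."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + udp
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip


SAMPLE_FRAMES = [  # constructed sample traffic, not a real capture
    build_frame("10.0.0.10", "10.0.0.50", 40000, 1502, b"\x00" * 8),   # approved EWS -> SIS
    build_frame("10.0.0.99", "10.0.0.50", 40001, 1502, b"\x00" * 16),  # unknown host -> SIS
    build_frame("10.0.0.20", "10.0.0.50", 40002, 502, b"\x00" * 4),    # Modbus, ignored
]
ALLOWED_WORKSTATIONS = {"10.0.0.10"}  # constructed allow-list of engineering workstations

if __name__ == "__main__":
    for src, dst, n in find_unexpected_tristation(SAMPLE_FRAMES, ALLOWED_WORKSTATIONS):
        print(f"TriStation traffic from unapproved host {src} -> {dst} ({n} bytes)")
```

Such an alert is a lead to investigate rather than proof of compromise; the plug-in's dissection of the TriStation payload is what tells an analyst what the unexpected host was doing.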