HIMA Security Advisory TRISIS/TRITON

At the end of 2017, the world's first successful hacker attack on a safety instrumented system (SIS) was discovered. Malware in a programming station (PC) modified older Triconex safety instrumented systems manufactured by Schneider Electric during ongoing operation. To do this, the programming station was manipulated in such a way that the usual programming function was used to exchange a user program fragment in the Triconex SIS. This modification put the SIS into a safe state. We suspect that the aim of the attack was more than to simply stop the SIS. Rather, it can be assumed that this was supposed to result in a crash. This malware is known as "TRISIS" or "TRITON" (hereafter referred to as "TRISIS").
Are HIMA products affected by TRISIS?
TRISIS has been very deliberately developed for a specific purpose. An analysis of the software has revealed that TRISIS specifically targets Triconex 3008 processors. Not even other Triconex customers are likely to be affected, let alone customers using SIS from other manufacturers. The analysis suggests that modifying the attack to infiltrate other SIS would be the same as redesigning the malware.

How can I tell if my HIMA controller has changed?
During the attack, code parts were selected in ongoing operation and were then modified and rewritten in the SIS. Since no code can be selected from the SIS in HIMA systems, the complete user program would have to be known, modified and reloaded into the SIS for a similar attack to occur. In the process, the checksum of the user program would change. Since this checksum for safety-related acceptance must be known and documented, it is easy to check for changes.

Is there a way around the read-only mode?

This would require there to be a so-called backdoor, for example some kind of "hidden developer access". A backdoor is not available for HIMA products. Access to HIMA systems during ongoing operation is only possible with the correct password, the correct port and authorized write access.

What support can HIMA offer?
HIMA documents all security-relevant settings and operating conditions in a cybersecurity manual. For this purpose, HIMA offers security training courses for the HIMA product range. In addition, HIMA offers a "Smart Safety Security Check" service, where safety installation is individually tested to ensure correct parameterization and is then optimized, if necessary. Furthermore, HIMA carries out security assessments on behalf of its customers.

How can HIMA ensure that HIMA systems cannot be compromised in the future?

HIMA has always been committed to high-quality developments because of its focus on safety. We always have these developments certified by an independent third party. In 2017, HIMA also obtained a cybersecurity certification for the HIMax system. At the same time, the existing processes for security were certified as well. These processes also ensure the best possible protection from risk of cyberattacks in the future.

How can you reduce the risk of malware spreading?
We recommend that you divide systems into various zones and to control their transitions (conduits) in order to deny unauthorized persons access. This affects both physical access and logical access via networks. The TRISIS attack clearly shows that safety systems, as the final layer of protection for functional safety, should be built separately from all other systems. Only in this way can the above-mentioned dedicated, controllable transitions (conduits) be created. This concept, where there are different levels of protection, is known as "Defense in Depth".

What can the industry learn from this attack?
Security must be taken more seriously in a safety environment. That does not mean you should panic. Rather, this circumstance proves that systematically using the technical and organizational possibilities that are currently available would have prevented this attack. This was not an attack on Triconex, but a wake-up call to the entire automation industry.
Where can I find more information?
The company Dragos created the initial detailed report on the matter. Most other reports are based on this. The report is publicly available at the following address:


If you have specific questions regarding your HIMA systems, please contact support(at)himaremove-this..com for technical questions and security(at)himaremove-this..com for issues concerning cybersecurity.

Your HIMA Contact