Tags: ics, safety-system, nation-state

Triton / Trisis

Malware found in a Saudi petrochemical plant did not target production. It targeted the safety system that exists to prevent an explosion.

Cyber Chronicle · 2 min read

In the summer of 2017, a petrochemical facility in Saudi Arabia shut down unexpectedly. The first investigation treated it as a mechanical fault. The plant restarted. Months later it shut down again. The second time, forensic investigators found malware on the engineering workstation that configured the plant's Triconex safety instrumented systems.

The last line of defense

A safety instrumented system, or SIS, is the component that exists to do exactly one thing: when process conditions exceed safe limits, bring the plant to a safe state — vent, depressurize, shut down — before anything catches fire or ruptures. It is, by design, independent of the normal control system precisely so that a failure of the control system cannot take the safety system with it.

The malware, named Triton (also Trisis), was written to reprogram these Triconex controllers. Researchers concluded the attackers' goal was to disable or subvert the safety system so that a separate, future manipulation of the process could proceed to physical catastrophe without the SIS intervening. The plant shutdowns appear to have been an accident — a bug in the attackers' own code that tripped the very safety controllers they were trying to compromise.

The US government later attributed Triton to a Russian state research institute.

What the chronicle remembers

Triton is the first known malware engineered specifically to target a safety instrumented system — the layer whose failure mode is not data loss but loss of life. It moved the worst-case scenario in industrial cybersecurity from "production stops" to "the thing that stops explosions stops working", and reshaped how SIS networks are isolated and monitored.
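The closing sentence says Triton changed how SIS networks are isolated and monitored. The following is an added example, not part of the chronicle and not code from any investigation or vendor, of the kind of allow-list monitor a defender would put on the boundary of an SIS segment: engineering-protocol traffic to the safety controllers is only tolerated from one approved engineering workstation and only inside an announced change window, and any other host reaching into the SIS subnet is flagged. The subnets, hosts, change window and flow records are all constructed for illustration; the one fact taken from outside the page is that the TriStation engineering protocol for Triconex controllers runs over UDP port 1502.

```python
"""Added example: a minimal segmentation/allow-list monitor for an SIS network.
All addresses, the change window and the flow records are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed network layout (assumption, not from the chronicle).
SIS_SUBNET = ip_network("10.20.30.0/24")            # safety controllers live here
ENGINEERING_WORKSTATION = ip_address("10.20.10.5")  # the only host allowed to program them
DCS_GATEWAY = ip_address("10.20.20.1")              # process-control side, read-only data link
ALLOWED_SIS_PEERS = {ENGINEERING_WORKSTATION, DCS_GATEWAY}

# TriStation, the Triconex engineering protocol, uses UDP/1502 (known fact, not on the page).
TRISTATION_PORT = 1502

# Constructed: the one approved maintenance window for SIS configuration changes.
CHANGE_WINDOW = (datetime(2017, 6, 4, 9, 0), datetime(2017, 6, 4, 17, 0))


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Alert:
    flow: Flow
    reason: str


def check_flow(flow, change_window):
    """Return an Alert when a flow violates the SIS segmentation policy, else None."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst not in SIS_SUBNET:
        return None  # not SIS traffic; outside this monitor's scope

    # Engineering protocol: only the approved workstation, only inside the window.
    if flow.proto == "UDP" and flow.dport == TRISTATION_PORT:
        if src != ENGINEERING_WORKSTATION:
            return Alert(flow, "engineering protocol to SIS from unapproved host")
        if not (change_window[0] <= flow.ts <= change_window[1]):
            return Alert(flow, "engineering protocol to SIS outside approved change window")
        return None

    # Anything else crossing into the SIS segment must come from a known peer.
    if src not in SIS_SUBNET and src not in ALLOWED_SIS_PEERS:
        return Alert(flow, "unexpected cross-segment traffic into SIS network")
    return None


def monitor(flows, change_window=CHANGE_WINDOW):
    """Run every flow through the policy and collect the alerts, in input order."""
    alerts = []
    for flow in flows:
        alert = check_flow(flow, change_window)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow(datetime(2017, 6, 4, 2, 10), "10.20.10.5", "10.20.30.7", 1502, "UDP"),   # 02:10, outside window
    Flow(datetime(2017, 6, 4, 10, 0), "10.20.10.5", "10.20.30.7", 1502, "UDP"),   # approved host, in window
    Flow(datetime(2017, 6, 4, 10, 5), "10.20.10.99", "10.20.30.7", 1502, "UDP"),  # unapproved host
    Flow(datetime(2017, 6, 4, 10, 6), "10.20.20.1", "10.20.30.7", 502, "TCP"),    # DCS data link, allowed
    Flow(datetime(2017, 6, 4, 10, 7), "10.20.40.3", "10.20.30.7", 445, "TCP"),    # stray host into SIS
    Flow(datetime(2017, 6, 4, 10, 8), "10.20.10.5", "10.20.11.9", 80, "TCP"),     # not SIS traffic
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FLOWS):
        print(f"{alert.flow.ts:%Y-%m-%d %H:%M} {alert.flow.src} -> {alert.flow.dst}: {alert.reason}")
```

The policy is deliberately a positive allow-list rather than a signature: the lesson of the incident is that legitimate engineering traffic to the safety controllers is rare and scheduled, so anything resembling it at an unexpected time or from an unexpected host is worth a human looking at, whatever payload it carries.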