In 2017, TRITON malware successfully modified a safety instrumented system at a petrochemical facility. It was the first publicly confirmed attack on an SIS, and it should have triggered urgent industry-wide remediation. It did not. Today, most manufacturers have no real-time visibility into whether their safety systems are executing their intended logic.
Safety systems occupy a unique position in industrial networks. They are built to be resilient, hardened against accidental failure, and often air-gapped from corporate IT. That same isolation, however, creates a detection blind spot. If TRITON or a derivative gains access, there may be no alarms, no logs, and no early warning before a physical event occurs.
Why Safety Systems Remain Vulnerable
Most safety controllers use proprietary engineering tools that are tightly guarded by OEMs. Reverse-engineering an SIS to create detection signatures is slow and expensive. As a result, security teams often rely on network-level monitoring and access controls rather than application-level integrity checking.
The problem deepens when you consider maintenance. Authorized engineers genuinely need the ability to modify safety logic—sometimes without formal change control if the modification is deemed a quick fix during an emergency. This operational reality makes it difficult to distinguish authorized changes from intrusions.
Detection and Verification Approaches
- SIS configuration baseline: Document and cryptographically sign the logic of each safety system. Use periodic hash verification to detect unauthorized changes.
- Execution monitoring: Deploy sensors to monitor the timing and outputs of safety-critical devices, flagging impossible or out-of-sequence behaviors.
- Dual-channel validation: Require safety logic to be executed by two independent systems for mission-critical processes.
- Access logging: Mandate that all modifications to SIS engineering tools are logged with user identity, timestamp, and before/after checksums.
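The baseline and access-logging items above, combined into one periodic check, as an added example that is not code from the original article or from Cascadia. It assumes constructed sample logic images, a placeholder key, and HMAC-SHA256 as a stand-in for the "cryptographic signing" the list calls for; a drift from the baseline is reported as authorized only when an access-log entry records exactly that before/after checksum pair.

```python
import hashlib
import hmac
import json

# Constructed sample: exported safety-logic images per SIS controller.
BASELINE_LOGIC = {
    "SIS-01": b"IF PT-101 > 12.5 THEN TRIP XV-101",
    "SIS-02": b"IF TT-204 > 180 THEN TRIP XV-204",
    "SIS-03": b"IF LT-310 < 5 THEN TRIP P-310",
}
KEY = b"placeholder-baseline-signing-key"  # placeholder; keep the real key off the OT network

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def build_baseline(logic_by_controller, key):
    """Hash each controller's logic, then HMAC the digest table so the baseline is tamper-evident."""
    digests = {name: sha256(blob) for name, blob in logic_by_controller.items()}
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def baseline_is_authentic(baseline, key):
    payload = json.dumps(baseline["digests"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])

def verify(baseline, key, current_logic, change_log):
    """Periodic check: every controller whose logic drifted is reported; the drift counts as
    authorized only if an access-log entry records exactly that before->after checksum pair."""
    if not baseline_is_authentic(baseline, key):
        return {"baseline_tampered": True, "findings": []}
    findings = []
    for name in sorted(set(baseline["digests"]) | set(current_logic)):
        expected = baseline["digests"].get(name)
        actual = sha256(current_logic[name]) if name in current_logic else None
        if expected == actual:
            continue  # unchanged since the baseline was taken
        logged = [e for e in change_log
                  if e["controller"] == name and e["before"] == expected and e["after"] == actual]
        findings.append({"controller": name, "status": "authorized" if logged else "UNAUTHORIZED",
                         "by": logged[0]["user"] if logged else None})
    return {"baseline_tampered": False, "findings": findings}

BASELINE = build_baseline(BASELINE_LOGIC, KEY)

# Constructed drift: SIS-02 changed via the engineering tool (logged); SIS-03 changed with no record.
CURRENT_LOGIC = dict(BASELINE_LOGIC, **{"SIS-02": b"IF TT-204 > 185 THEN TRIP XV-204",
                                        "SIS-03": b"IF LT-310 < 0 THEN TRIP P-310"})
CHANGE_LOG = [{"controller": "SIS-02", "user": "j.engineer", "timestamp": "2024-05-01T14:02:00Z",
               "before": BASELINE["digests"]["SIS-02"], "after": sha256(CURRENT_LOGIC["SIS-02"])}]
```

Running `verify(BASELINE, KEY, CURRENT_LOGIC, CHANGE_LOG)` flags SIS-03 as UNAUTHORIZED while SIS-02 is attributed to the logged engineer; a controller that vanishes from the export is also reported, since its current digest no longer matches the baseline.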
The Operational Reality
Safety system hardening requires collaboration between engineering, operations, and security. It also requires accepting that some production flexibility must be sacrificed to prevent catastrophic risk. Many organizations have not made that trade-off consciously, and that is the real vulnerability.
If you'd like to discuss safety system visibility and detection for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.