What starting position does this attack require?

The first step is Safety system can't trip → physical incident (T1486) — a impact primitive. Assumed environment: foothold inside the OT segment of a heavy-industry / petrochemical / utility plant.

What is the final impact of this kill-chain?

The final step lands on Download attacker safety logic (ICS-TRITON-SIS), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

TRITON-class SIS reprogram → disable safety shutdown

After OT-network foothold, reach a Triconex Safety Instrumented System. Download attacker logic that suppresses safety trips on a process that's about to be pushed past its safe envelope.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Impact

Safety system can't trip → physical incident

T1486 · Data Encrypted for Impact

Impact

In parallel, manipulate primary control PLC

OT-S7-SIEMENS · Siemens S7 Protocol Abuse

Lateral Movement

Find SIS controller + engineering station

OT-ENG-WORKSTATION · Engineering Workstation Pivot

Lateral Movement

Foothold in OT segment

OT-IT-OT-PIVOT · IT → OT Network Pivot

Impact

Download attacker safety logic

ICS-TRITON-SIS · Triconex / TRITON SIS Reprogram

§ Context

Assumed environment: foothold inside the OT segment of a heavy-industry / petrochemical / utility plant. SIS engineering station reachable; SIS controller in PROGRAM mode (or attacker has the physical key).

§ Steps

01
Safety system can't trip → physical incidentImpact
T1486— Data Encrypted for Impact
02
In parallel, manipulate primary control PLCImpact
OT-S7-SIEMENS— Siemens S7 Protocol Abuse
03
Find SIS controller + engineering stationLateral Movement
OT-ENG-WORKSTATION— Engineering Workstation Pivot
04
Foothold in OT segmentLateral Movement
OT-IT-OT-PIVOT— IT → OT Network Pivot
05
Download attacker safety logicImpact
ICS-TRITON-SIS— Triconex / TRITON SIS Reprogram

§ References

T1486Data Encrypted for Impact

§ Frequently asked

What is the "TRITON-class SIS reprogram → disable safety shutdown" attack path?: After OT-network foothold, reach a Triconex Safety Instrumented System. Download attacker logic that suppresses safety trips on a process that's about to be pushed past its safe envelope. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Safety system can't trip → physical incident (T1486) — a impact primitive. Assumed environment: foothold inside the OT segment of a heavy-industry / petrochemical / utility plant.
What is the final impact of this kill-chain?: The final step lands on Download attacker safety logic (ICS-TRITON-SIS), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

Shared techniques4
Engineering workstation → push payload to PLC
Compromise the OT engineer's laptop (corporate-network adjacent, jumphost-reachable). Use legit engineering tools (TIA Portal / Studio 5000) to download attacker ladder logic to the PLC.

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Engineering workstation → push payload to PLC