TRITON/TRISIS Malware: First Attack Targeting Industrial Safety Systems (Saudi Aramco Petrochemical)
Incident Details
TRITON (also known as TRISIS and HatMan) is the world's first known malware specifically designed to attack industrial Safety Instrumented Systems (SIS): the last line of automated defense, built to shut down an industrial process before it causes physical harm or a catastrophic event. The attack targeted a Saudi Arabian petrochemical facility (believed to be TASNEE's Sadara Chemical Company plant in Saudi Arabia) between approximately June and December 2017.

Attackers gained initial access to the IT network via spear-phishing, then pivoted to the engineering workstation on the OT network that communicated with the Triconex SIS controllers. TRITON used a zero-day in Triconex's TriStation 1131 software to reprogram the SIS controllers with malicious logic intended to disable safety shutdowns during an attack, so that a subsequent physical attack could cause maximum damage.

The attack was discovered by accident: a bug in TRITON crashed two SIS controllers rather than silently reprogramming them, the controllers entered failsafe mode, and the resulting emergency shutdown alerted plant operators. The US, UK, and Australia formally attributed TRITON to Russia's CNIIHM in 2022.

TRITON represents a step change in ICS/OT threat sophistication: it moves beyond disruption (as with BlackEnergy and Industroyer) to enabling physical destruction with potential loss of life.
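The pivot described above ran through the engineering workstation's legitimate programming connection to the Tricon controllers, which uses the TriStation protocol over UDP port 1502. The following is an added example, not code from the original page or from any vendor: a small Python check that flags TriStation traffic to SIS controllers from any host other than the approved engineering workstation, and also flags traffic from the approved workstation itself when it falls outside an authorised change window, since in the TRITON case the approved workstation was the host the attackers operated from. The IP addresses, change window, flow-record format and sample flows are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# TriStation (the protocol TriStation 1131 uses to talk to Tricon SIS
# controllers) runs over UDP port 1502.
TRISTATION_UDP_PORT = 1502

# Constructed asset inventory; the addresses are hypothetical.
SIS_CONTROLLERS = {"10.10.20.11", "10.10.20.12"}
APPROVED_ENGINEERING_WORKSTATIONS = {"10.10.10.5"}

# Constructed change calendar: windows in which SIS reprogramming is authorised.
AUTHORISED_CHANGE_WINDOWS: List[Tuple[datetime, datetime]] = [
    (datetime(2017, 5, 20, 8, 0), datetime(2017, 5, 20, 17, 0)),
]


@dataclass
class Alert:
    timestamp: datetime
    src: str
    dst: str
    severity: str
    reason: str


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one constructed flow record of the form
    '<ISO timestamp> <proto> <src_ip>:<sport> -> <dst_ip>:<dport> <bytes>'."""
    ts, proto, src, arrow, dst, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow record: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "proto": proto.upper(),
        "src": src_ip,
        "sport": int(sport),
        "dst": dst_ip,
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def in_change_window(ts: datetime) -> bool:
    """True if an SIS change is authorised at this time (constructed calendar)."""
    return any(start <= ts <= end for start, end in AUTHORISED_CHANGE_WINDOWS)


def check_flows(lines: List[str]) -> List[Alert]:
    """Return alerts for TriStation traffic to SIS controllers that either comes
    from an unapproved host or happens outside an authorised change window."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        # Only TriStation traffic aimed at an SIS controller is of interest here.
        if (f["proto"] != "UDP" or f["dport"] != TRISTATION_UDP_PORT
                or f["dst"] not in SIS_CONTROLLERS):
            continue
        if f["src"] not in APPROVED_ENGINEERING_WORKSTATIONS:
            alerts.append(Alert(f["ts"], f["src"], f["dst"], "high",
                                "TriStation traffic to SIS controller from unapproved host"))
        elif not in_change_window(f["ts"]):
            # The approved workstation itself was the pivot point in the TRITON
            # case, so programming traffic from it outside an authorised change
            # window still deserves a look.
            alerts.append(Alert(f["ts"], f["src"], f["dst"], "medium",
                                "TriStation traffic from engineering workstation "
                                "outside authorised change window"))
    return alerts


# Constructed sample flows: one authorised change, two late-night programming
# sessions from the approved workstation, one from an unknown host, and two
# records that are not TriStation-to-SIS traffic at all.
SAMPLE_FLOWS = """
2017-05-20T09:15:00 UDP 10.10.10.5:49152 -> 10.10.20.11:1502 512
2017-06-01T02:40:00 UDP 10.10.10.5:49160 -> 10.10.20.11:1502 40960
2017-06-01T02:41:00 UDP 10.10.10.5:49161 -> 10.10.20.12:1502 40960
2017-06-01T02:42:00 UDP 10.10.10.7:50001 -> 10.10.20.11:1502 128
2017-06-01T02:43:00 TCP 10.10.10.5:50002 -> 10.10.20.11:502 128
2017-06-01T02:44:00 UDP 10.10.10.5:50003 -> 10.10.30.9:1502 128
""".strip().splitlines()

if __name__ == "__main__":
    for a in check_flows(SAMPLE_FLOWS):
        print(a.timestamp, a.severity, a.src, "->", a.dst, a.reason)
```

The check treats every TriStation datagram alike; telling a program download apart from a routine status poll requires a dissector for the TriStation command codes, which is out of scope here. The medium-severity rule is the one that matters for a TRITON-style intrusion, because the source host passes any allow-list by construction.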
Technical Details
- Initial Attack Vector
  - Russian state-sponsored actors (attributed to the Central Scientific Research Institute of Chemistry and Mechanics / CNIIHM, Moscow) gained IT network access via spear-phishing, pivoted to the OT network, then developed a zero-day exploit targeting Schneider Electric Triconex Safety Instrumented System (SIS) controllers
- Vendor / Product
  - Schneider Electric Triconex Safety Instrumented System (SIS)
- Malware Family
  - TRITON (TRISIS, HatMan)
Timeline
- 2017-06-01 Breach occurred
- 2017-12-14 Publicly disclosed