Chemical SIS Security Review

SIS Cybersecurity Review for a Petrochemical Facility

March 5, 2025

Background

A petrochemical facility operating multiple process units with Safety Instrumented Systems (SIS) engaged Beacon Security to conduct a focused cybersecurity review of its safety systems. The engagement was triggered when public analysis of the TRITON/TRISIS malware revealed that the attack had targeted the same make and model of safety controller deployed at the facility.

The facility's VP of Operations recognized that a compromise of their safety systems could result in catastrophic consequences including potential loss of life, environmental damage, and destruction of physical assets. The SIS cybersecurity review was prioritized above all other security initiatives and treated with the same urgency as a safety-critical finding.

Note: All identifying details have been removed to protect client confidentiality.

The Challenge

The facility's SIS environment presented security conditions that were common in petrochemical plants built before OT cybersecurity became a design consideration, and that closely mirrored the architecture exploited in the TRITON attack:

Shared Network Infrastructure
SIS controllers shared the same network switches and cabling as the basic process control system (BPCS). No logical or physical separation existed between safety and control functions. This was the same architectural weakness that allowed the TRITON malware to reach safety controllers from the process control network.

No Prior Cybersecurity Assessment
In the facility's 12-year operating history, safety systems had never been subject to a cybersecurity assessment. Focus had been exclusively on functional safety compliance under IEC 61511. The cybersecurity dimension of safety system integrity had never been formally evaluated.

Dual-Homed Engineering Workstations
Engineering workstations used for SIS logic development had network connections to both the SIS/BPCS network and the enterprise network. This created a direct bridge between environments, matching the attack vector used in the TRITON incident, where the engineering workstation was the initial point of access to the safety network.

No Change Management for SIS Logic
Changes to SIS logic could be made from engineering workstations without a formal cybersecurity-aware change management process. Access relied solely on application-level passwords shared among the engineering team. No audit trail existed for who made changes or when.

Our Approach

Beacon Security conducted a focused SIS cybersecurity assessment over three weeks, aligned with the zone and conduit security requirements of IEC 62443 and the security risk assessment that IEC 61511 requires for safety instrumented systems. The engagement was treated as a safety-critical project with the same rigor as a functional safety review.

Phase 1: SIS Architecture Review (Week 1)

We conducted a detailed review of the complete SIS architecture:

  • SIS controller hardware inventory, firmware versions, and configuration states
  • Network connectivity mapping between SIS, BPCS, and enterprise networks
  • Engineering workstation configuration and all access paths to SIS controllers
  • Physical security of SIS cabinets, marshalling, and termination points
  • Review of existing functional safety documentation and SIS lifecycle records

Phase 2: TRITON-Focused Threat and Vulnerability Assessment (Week 2)

A structured threat assessment was conducted specifically for the SIS environment, with the TRITON attack chain as the primary reference scenario:

  • Step-by-step analysis of the TRITON attack chain mapped against the facility's specific architecture
  • Identification of which TRITON attack phases would succeed in the current environment
  • Review of all CVEs applicable to the deployed SIS controller firmware versions
  • Evaluation of detection capabilities for SIS-targeting attacks
  • Engineering workstation hardening assessment including installed software, USB policies, and network exposure
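The detection evaluation in Phase 2 asks a concrete question: if a host other than the approved SIS engineering workstation started talking the Triconex programming protocol to a safety controller, would anyone see it? The following is an added example of that kind of rule, run over constructed flow records; it is not the facility's or Beacon Security's detection content. TriStation over UDP/1502 is the programming protocol identified in the public TRITON analyses; the subnets, the authorised workstation address and the flow lines are all constructed for the example. It also flags the remote-desktop exposure from the enterprise network that the findings describe.

```python
"""Detection logic for SIS-targeting traffic, run over constructed flow records.

Added example, not the facility's or Beacon Security's detection content.
TriStation over UDP/1502 is the Triconex programming protocol documented in
the public TRITON analyses; the subnets, the authorised engineering
workstation and the flow log below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

SIS_NET = ipaddress.ip_network("10.10.50.0/24")            # constructed: safety controllers
ENTERPRISE_NET = ipaddress.ip_network("10.0.0.0/16")       # constructed: corporate LAN
AUTHORISED_SIS_ENG = {ipaddress.ip_address("10.10.50.10")} # constructed: dedicated SIS EWS
TRISTATION_PORT = 1502   # UDP, per public TRITON reporting
RDP_PORT = 3389

# Constructed flow log: timestamp src dst proto dport bytes
FLOWS = """\
2025-03-01T02:11:05 10.10.50.10 10.10.50.21 udp 1502 812
2025-03-01T02:11:09 10.10.20.34 10.10.50.21 udp 1502 1460
2025-03-01T02:12:41 10.0.14.7 10.10.20.34 tcp 3389 9120
2025-03-01T02:13:02 10.0.14.7 10.10.50.22 udp 1502 640
2025-03-01T02:14:30 10.10.20.5 10.10.50.21 tcp 502 220
"""


@dataclass
class Alert:
    ts: str
    rule: str
    src: str
    dst: str


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport), int(nbytes)


def detect(flow_text):
    """Apply three rules to every flow and return the alerts in log order.

    1. Any traffic from the enterprise subnet into the SIS subnet.
    2. TriStation (UDP/1502) to a safety controller from any host other than
       the authorised SIS engineering workstation.
    3. RDP from the enterprise subnet into any OT address (the pivot used to
       reach a dual-homed engineering workstation).
    Modbus from the BPCS to the SIS is left alone; that is the expected conduit.
    """
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, _ = parse_flow(line)
        to_sis = dst in SIS_NET
        if to_sis and src in ENTERPRISE_NET:
            alerts.append(Alert(ts, "enterprise-to-sis", str(src), str(dst)))
        if to_sis and proto == "udp" and dport == TRISTATION_PORT and src not in AUTHORISED_SIS_ENG:
            alerts.append(Alert(ts, "tristation-unauthorised-source", str(src), str(dst)))
        if proto == "tcp" and dport == RDP_PORT and src in ENTERPRISE_NET and dst not in ENTERPRISE_NET:
            alerts.append(Alert(ts, "rdp-from-enterprise-into-ot", str(src), str(dst)))
    return alerts


if __name__ == "__main__":
    for a in detect(FLOWS):
        print(f"{a.ts} {a.rule:32} {a.src} -> {a.dst}")
```

Where the SIS shares switches with the BPCS, as it did here, the only place to collect these flows is a SPAN or tap on those shared switches; rule 2 is the one that would have fired on the TRITON payload delivery, and it depends entirely on maintaining an accurate allow-list of which workstation is permitted to program the controllers.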

Phase 3: Gap Analysis and Program Framework (Week 3)

Findings were mapped against both IEC 62443 and IEC 61511 cybersecurity requirements:

  • Security Level gap analysis for the SIS zone
  • Remediation recommendations prioritized by risk, safety impact, and implementation complexity
  • SIS cybersecurity management programme framework development
  • Roadmap for achieving the target Security Level for safety systems

Key Findings

Critical Finding: TRITON Attack Path Viable
The step-by-step TRITON attack chain analysis confirmed that the attack sequence used against the original TRITON victim could succeed at this facility. The combination of an enterprise-to-SIS network path through dual-homed workstations, shared network infrastructure, and outdated firmware meant that every phase of the TRITON attack was feasible.

Remediation: Emergency project initiated to eliminate the attack path through SIS network isolation and workstation hardening.
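The attack-path analysis behind this finding reduces to a reachability question over zones and the hosts that bridge them. Below is an added illustration of that check (not Beacon Security's or the facility's tooling) run over a constructed inventory in the as-found state and again after the remediation the page describes. Hostnames, zone names and roles are constructed. The key-switch gate reflects the public TRITON analyses, which report that the payload could only be deployed with the Triconex key switch in PROGRAM mode; the switch position is an assumed input here, not a finding from this review.

```python
"""Attack-path check for the TRITON-style chain described above.

Added illustration, not Beacon Security's or the facility's tooling. The
inventory, zone names and hostnames are constructed. The key-switch gate
reflects the public TRITON analyses, which report that the payload could
only be deployed with the Triconex key switch in PROGRAM mode; the switch
position passed in is an assumed input, not a finding from the page.
"""
from collections import deque

# Constructed as-found inventory: each host lists the zones its NICs sit in.
AS_FOUND = {
    "erp-01":      {"zones": {"enterprise"}, "role": "server"},
    "eng-ws-02":   {"zones": {"enterprise", "process"}, "role": "engineering"},  # dual-homed
    "eng-ws-03":   {"zones": {"process"}, "role": "engineering"},
    "bpcs-ctl-01": {"zones": {"process"}, "role": "bpcs"},
    "sis-ctl-01":  {"zones": {"process"}, "role": "sis"},  # on the same switches as the BPCS
    "sis-ctl-02":  {"zones": {"process"}, "role": "sis"},
}

# Constructed remediated inventory: enterprise NIC removed, SIS moved to its
# own zone with a dedicated engineering workstation. Firewalled conduits
# between zones are deliberately not modelled; only hosts bridge zones here.
REMEDIATED = {
    "erp-01":      {"zones": {"enterprise"}, "role": "server"},
    "eng-ws-02":   {"zones": {"process"}, "role": "engineering"},
    "bpcs-ctl-01": {"zones": {"process"}, "role": "bpcs"},
    "sis-eng-ws":  {"zones": {"sis"}, "role": "engineering"},
    "sis-ctl-01":  {"zones": {"sis"}, "role": "sis"},
    "sis-ctl-02":  {"zones": {"sis"}, "role": "sis"},
}


def dual_homed(hosts):
    """Hosts with interfaces in more than one zone: the TRITON pivot point."""
    return sorted(h for h, d in hosts.items() if len(d["zones"]) > 1)


def attack_paths(hosts, start_zone, target_role="sis"):
    """Breadth-first search over a zone<->host graph starting in start_zone.

    A host is adjacent to every zone it has an interface in, so a dual-homed
    host joins two zones. Returns {target_host: [start_zone, ..., target_host]}
    for every host of target_role that an attacker in start_zone can reach.
    """
    start = ("zone", start_zone)
    prev = {start: None}
    queue = deque([start])
    while queue:
        kind, name = queue.popleft()
        if kind == "zone":
            nxt = [("host", h) for h, d in hosts.items() if name in d["zones"]]
        else:
            nxt = [("zone", z) for z in sorted(hosts[name]["zones"])]
        for node in nxt:
            if node not in prev:
                prev[node] = (kind, name)
                queue.append(node)

    paths = {}
    for h, d in hosts.items():
        node = ("host", h)
        if d["role"] == target_role and node in prev:
            path = []
            while node is not None:
                path.append(node[1])
                node = prev[node]
            paths[h] = path[::-1]
    return paths


def triton_chain_feasible(hosts, key_switch_in_program_mode):
    """The full chain needs a network path to a controller AND a controller that
    accepts reprogramming (key switch in PROGRAM mode, per public reporting)."""
    return bool(attack_paths(hosts, "enterprise")) and key_switch_in_program_mode


if __name__ == "__main__":
    for label, inventory in (("as-found", AS_FOUND), ("remediated", REMEDIATED)):
        print(f"{label}: dual-homed hosts = {dual_homed(inventory)}")
        for ctl, path in attack_paths(inventory, "enterprise").items():
            print(f"  {ctl}: {' -> '.join(path)}")
```

The as-found inventory yields a path enterprise -> eng-ws-02 -> process -> sis-ctl-01 for every controller, which is the finding in one line; the remediated inventory yields none because no host spans zones. The key-switch gate is the check a practitioner adds on top of the network picture: a reachable controller whose key switch is left in PROGRAM mode is the condition TRITON actually needed, and key-switch position is a procedural control that the network isolation project does not replace.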

Critical Finding: Dual-Homed Engineering Workstations
Engineering workstations with connections to both SIS/BPCS and enterprise networks provided the exact attack vector used in the TRITON incident. One workstation was found with remote desktop enabled and accessible from the enterprise network.

Remediation: Dual-homed configuration eliminated within 30 days. Dedicated SIS engineering workstation deployed with controlled, logged access.

High Finding: Outdated SIS Controller Firmware
Two of three SIS controllers were running firmware versions that predated the TRITON disclosure and carried publicly known vulnerabilities. The firmware had not been updated since initial installation.

Remediation: Firmware updates coordinated with the safety controller vendor for the next planned turnaround.

High Finding: Shared Application Passwords
Access to SIS programming required only an application-level password that was shared among four engineers and had not been changed in over three years.

Remediation: Individual authentication with role-based access controls and comprehensive audit logging implemented.

Outcome

The assessment was completed with zero disruptions to safety system operations. All activities were conducted without any modification to SIS configurations or logic.

Deliverables Provided:

  • SIS cybersecurity assessment report with 11 findings across 3 severity levels
  • TRITON/TRISIS attack chain analysis specific to the facility's architecture
  • IEC 62443 Security Level gap analysis for the SIS zone
  • IEC 61511 cybersecurity clause compliance assessment
  • SIS cybersecurity management programme framework
  • Remediation roadmap with prioritized actions and timelines

Post-Assessment Actions:

  • Dual-homed engineering workstation configuration eliminated within 30 days
  • SIS network isolation project completed within 90 days, fully isolating safety controllers onto dedicated infrastructure
  • Individual access controls implemented for SIS programming environment
  • Formal SIS cybersecurity management programme established with annual review cycle
  • Firmware updates scheduled for the next turnaround
  • The facility became the first in the company's portfolio to have a formal SIS cybersecurity management programme

The facility subsequently extended the engagement to include a broader OT network segmentation project covering all process control zones.


Beacon Security conducts SIS cybersecurity assessments for chemical, petrochemical, and process industry facilities. Contact us to discuss your safety system security requirements.
