An attack on a safety system of an industrial plant in the Middle East took place in December 2017. Security experts reported that valid TriStation commands were used to transmit the malware. TriStation is a Schneider Electric communication protocol used in safety systems for industrial plants. It is mainly used in the chemical industry, but according to heise.de it is also used in the energy and pharmaceutical industries. TriStation is used for diagnosis, configuration, and programming of the manufacturer’s safety controllers. etz.de reported that this was the third hacker attack on an industrial controller, but the first in which a safety controller was affected. However, due to an unsuccessful validation, the system safely shut down. "The obvious goal was to damage the industrial plants, the environment, or production," etz.de continued. Schneider Electric commented on the incident as well.
The German Federal Office for Information Security has now released Snort rules for the protocol to protect against similar attacks. Snort is an open source solution for monitoring networks. These rules are based on the findings from the attack last year. Valid packets that show abnormalities therefore trigger an alert. In addition, the sending of important valid packets is documented in a log file and can be examined for legitimacy. However, TriStation is not the only protocol used in safety systems for industrial installations. Therefore, according to its own statement, the German Federal Office for Information Security will look into the creation of Snort rules for other protocols.