Today we look at a hack on a German steel mill that produced the second confirmed case of cyberattack-originated physical damage:
- Lost in the Sony Hoopla
- Losing Control of the System
- Separation to Enhance Security
Lost in the Sony Hoopla
The Sony hack captured our imaginations in December, so many people missed reports of an attack that was much more disturbing for those in the security field.
A report by the German government that was posted to the Internet in December details an attack on an unidentified German steel mill. The attackers created enough volatility within the plant’s control systems, wrote Kim Zetter of Wired, “that a blast furnace could not be properly shut down, resulting in ‘massive’—though unspecified—damage.”
This German incident is only the second time that a 100% digital assault has destroyed physical property. The original case of attackers crossing the virtual/physical divide was Stuxnet, a digital worm that was used by the United States and Israel to attack Iranian control systems. The infiltration occurred in late 2007 or early 2008. In January 2010, International Atomic Energy Agency inspectors observed that the centrifuges for uranium gas enrichment were malfunctioning at an alarming rate. In June of that same year, a Belarus-based computer security company was contracted to determine why a number of PCs kept crashing and restarting. Eventually, the security firm located several malicious files, which together made up Stuxnet.
Since the 2010 incident, security specialists have agreed that more physical attacks are on the way. Zetter notes that the vulnerability is far-reaching: “Industrial control systems have been found to be rife with vulnerabilities, though they manage critical systems in the electric grid, in water treatment plants and chemical facilities and even in hospitals and financial networks.” A powerful invasion of those types of systems could have widespread and horrific consequences.
Losing Control of the System
The date of the cyberattack is not specified in the document, which was released by the Federal Office for Information Security (BSI). It mentions that the intruders accomplished the breach through the facility’s business network. From that launchpad, they were able to gradually get into the production equipment they wanted to manipulate.
The hackers gained access with spear-phishing. That technique sends fraudulent emails, intended to look as if they are coming from a credible source, to a specific organization. Using this email spoofing strategy, attackers convince recipients to open an attachment containing malware or go to a website that downloads the malicious software.
At the German steel mill, after the hackers made their way inside the business network, they were able to wreak havoc on various virtual environments, along with industrial mechanisms that they accessed through the production network.
The document indicates that disruption occurred both at the component level and at the systemic level. Failures occurred in rapid succession, making it impossible to turn off a blast furnace.
The report suggests that the people responsible for the breach seemed to possess granular knowledge of industrial control environments: “The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes.”
Separation to Enhance Security
The German government document does not list the name of the steel mill, the date of the initial intrusion, or the time span during which attackers had access to the networks. The BSI also doesn’t state whether the attackers directly intended the physical damage or if that occurred accidentally through their efforts to generally jeopardize the production process.
Although this steel mill hack remains somewhat ambiguous and a matter of government secrecy, it provides a real example of what security insiders have been concerned could happen following Stuxnet: sloppier invasions and, hence, more destructive outcomes (realizing that while a sophisticated digital weapon such as Stuxnet can prevent collateral damage, many hackers could cause more harm than intended).
The assessment by the BSI also demonstrates how crucial it is for businesses to establish “strict separation between business and production networks to keep hackers from leaping from one network to another and remotely accessing critical systems over the internet.” While CIOs know that networks can only be air-gapped if they are disconnected from the Web and are not integrated with any environments that are connected to the Web, many firms only have a software firewall in between their business and production networks.
Software firewalls are far from flawless, though. They can contain configuration weaknesses or security vulnerabilities that allow attackers to pass through.
The report did not give any details related to configuration.
It seems that everything in tech is a careful balance of speed and care. Find your balance with Superb Internet: get lightning-fast cloud served from our three SSAE-16 certified data centers.
By Kent Roberts
Free Use image via Wikipedia from Flickr user paytonc