A German steel factory suffered a major cyber-attack, causing physical damage to the plant’s systems, according to a report published this week, which underscored that industrial-control networks need to be better secured against online attackers, experts said.
The attack resulted in “massive damage” to the physical systems; a number of “system breakdowns resulted in an incident where a furnace could not be shut down in the regular way and the furnace was in an undefined condition,” according to a translation of a report released by the German government. The attackers used social engineering to gain access to the office networks at the steel firm, by sending crafted email messages to administrators. The attackers then used their beachhead in the IT network to compromise the operational network.
The attack shows that those responsible for utilities, industrial manufacturing plants and critical infrastructure need to take cyber-security more seriously, Carl Wright, general manager for security firm TrapX, told eWEEK.
“It is a sector where there has not been a lot of security investment—in the protocols or in the devices—because they have historically been closed systems,” Wright said. “But now, for convenience and for interconnecting a variety of data collection purposes, the manufacturing network is now connected to the corporate network.”
The report — published by the Bundesamt für Sicherheit in der Informationstechnik (BSI), the German Federal Office for Information Security—stated that the attackers had both IT security expertise and knowledge of industrial control systems (ICSes). While security researchers have pointed out an increasing number of vulnerabilities in ICSes, documented attacks that result in actual damage are rare. The U.S. Industrial Control System Computer Emergency Readiness Team (ICS-CERT) has documented many attacks on utilities and manufacturing firms, but only the Stuxnet attack is known to have caused damage, Robert M. Lee, co-founder of Dragos Security, said in an analysis of the reported incident.
In addition, only three other known attack programs, or malware, have had the capabilities to target industrial systems, including Stuxnet, Black Energy and HAVEX, he said.
Stuxnet crippled Iranian nuclear processing capabilities in 2010 by infiltrating the controllers of critical centrifuges. In December 2010, the ICS-CERT warned that a variant of the Black Energy Trojan was being used to infiltrate control networks and perform reconnaissance. In July 2014, security firms found that the HAVEX Trojan was infecting a variety of industrial control systems after infecting software installers for three ICS manufacturers.
In the German incident, “there is no discussion of what type of capability the adversaries used past the spear-phishing, such as specific malware,” he said. “However, if there was malware that was involved and targeted toward ICSes specifically, this would then be only the fourth public instance.””
TrapX’s Wright argued that neither the compromise of the German manufacturing plant nor the breach of Sony were conducted by criminals with profit motives, but by more organized attackers with more complex motives, such as corporate espionage.
“I don’t think it is a far leap at all that the attribution from this type of attack could be insiders; it could be script kiddies—although I doubt it—or it could be something like a competitor that wants to cause an impact to some company, so they could pick up additional business,” he said.