Cyberattack Results In Physical Damage To German Steel Mill's Blast Furnance

from the the-unsexy-side-of-cyber dept

A report [pdf link] recently released by Germany’s Federal Office for Information Security (BSI) details only the second known cyberattack that has resulted in physical damage. According to the report, hackers accessed a steel mill’s production network via the corporate network, following a spear-phishing attack. This then allowed them access to a variety of production controls, culminating in the attackers’ control of a blast furnace, which prevented it from being shut down in a “regulated manner.” The end result? “Massive damage to the system.”

Kim Zetter at Wired highlights the more chilling aspects of the latest “Stuxnet.”

The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred. It’s also unclear if the attackers intended to cause the physical destruction or if this was simply collateral damage. The incident underscores, however, what experts have been warning about in the wake of Stuxnet: although that nation-state digital weapon had been expertly designed to avoid collateral damage, not all intrusions into critical infrastructure are likely to be as careful or as well-designed as Stuxnet, so damage may occur even when the hackers never intend it.

As has been pointed out multiple times over the years, security for critical infrastructure often seems to verge on laughable. Hackers — both malicious and helpful — have found millions of unsecured access points, devices, and webcams by using simple methods available to nearly anyone. Those with the talent, patience and skill to probe deeper are finding even more.

But there doesn’t seem to be much emphasis on getting this fixed. Sure, government leaders and intelligence officials make plenty of noise about cyberwar, cyberterrorism, etc., but it’s rarely as productive as it is loud. There are some interesting details in the article (even more if you know German and can translate the long report), but all you really need to know about the future of infrastructure security can be found in Zetter’s opening sentence:

Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos.

This is where the government’s focus is: on a non-critical entertainment concern, which suffered little more than embarrassment and some diminished box office returns on a stoner comedy about assassinating North Korea’s dictator.

Like many members of the human race, our officials and legislators have a weakness for the wealthy and the famous. And Sony Pictures has plenty of both. If you’re going to be stuck in dry meetings about security flaws and cyberattacks, at least with Sony being touted as Head Victim, you might have the chance to rub elbows with movie execs. No one wants to spend hours consulting with badge-wearers in charge of the nearest hydroelectric plant or attempt to wrap their minds around electrical grid fail-safe measures. So, we get this instead: multiple speeches decrying the Sony hack and sanctions leveled at a country that may not have had anything to do with it. That’s what passes for “cybersecurity” in the US government — sympathy for sexy industries and a constant sales pitch for increased government power and expanded domestic surveillance. Meanwhile, critical infrastructure remains as vulnerable as ever.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Cyberattack Results In Physical Damage To German Steel Mill's Blast Furnance”

Subscribe: RSS Leave a comment
Anonymous Coward says:

I thought long ago when Stuxnet came out that it was going to be a future blueprint for how to disrupt infrastructure. Then after that came Obama admitting that the US was behind the malware.

In the time since little has been done to lock down these various facilities, many of which we depend on for everyday life. The US has opened Pandora’s Box. It will come home to haunt them and indirectly us all.

It takes a while to dissect and understand complicated code. It’s been years since it was discovered in the wild and enough time for that to now start happening. Sooner or later, North Korea, ISSIS, or whomever will use it. When it is used we will be able to thank our leaders for this new plague released.

The fact that the NSA nor none of the other three letter agencies have bothered to tell software makers where their bugs and security holes are isn’t going to help in this matter.

Anonymous Coward says:

Re: Re:

Shouldn’t the critical infrastructure not be connected to the internet?

I would agree with this but then take a look around at the world of industry. In the past decade, the middle class has lost a huge amount of workers. Most of those workers didn’t go back to work at what they were doing before. Either the jobs left overseas or they were automated so that fewer could do the work of many.

Instead of having a floor full of people monitoring processes we now have programs running on computers that do the monitoring allowing fewer to only answer the alarms and whistles. There is always an engineer in the head office or branch office that needs to know how his latest modification is doing, what the latest production figures are, or how some process could be speeded up. He no longer needs to travel to the location to do that. He can pull it up on his computer to look see.

Notice that in the article they did not access the steel facility from the spearphished account. I would imagine they got passwords there. Instead it was accessed through the corporate network. Notice that they are very careful not to say where, nor how. I suspect this was a double system and the corporate network was not directly hooked to the internet. However, once you find the magic key, you then have access to the internal LAN. Once in, everything is there. I would imagine the internal LAN isn’t directly hooked to the net but the corporate servers can be accessed provided you have a high enough authorization. Once in there you can roam at will. I would suspect there were lots of fences to jump arriving at that place to access it.

Before you go far with this should not be, think that this is a common practice, from everything from milk processing, electric generation, city water pumps, traffic control, to making pesticides. It’s far too late to shut the barn door, everyone is on their own private system doing the same method to cut manpower.

PaulT (profile) says:

Re: Re: Re:2 Re:

“However, here on Earth, cost matters.”

As do risk and consequences. How great is the cost as a consequence of damage? How high is the risk of that damage?

If people are ignoring high long-term risks with a high cost (monetary and otherwise) as a consequence of failure just so they can save money in the shorter term, well you’ve just described the problem with modern corporate culture… Infrastructure that is genuinely critical will naturally have a high cost to properly secure it.

“You don’t make your house windows bulletproof, and steel door, right?”

I don’t but I don’t live in a place where bullets are being fired every day, have a high risk of being robbed nor do I house anything vital to the operation of my company/city/whatever. Strangely, my priorities would change if I did…

Cal (profile) says:

Re: Re: Re:2 Re:

“In your imaginary world, where money is not a function, maybe”

What you are really saying is the size of the profit margin is what counts first, not security.

THAT is what is crazy, security is always first because not secure, lose the business, the life, the house. “Self” defense, be it a person, a business is the natural first step since people came out of caves. What is going on with this when profit means more then security is crazy, definitely not normal.

“You don’t make your house windows bulletproof, and steel door,”

Today, if one can afford it, yes. We live in a world where governments in just the 20th century murdered more people then died in all the known wars combined.

Think about it.

jsf (profile) says:

Re: Re: Re:2 Re:

“You don’t make your house windows bulletproof, and steel door, right?”

I lived in Chicago for 13 years, and while bulletproof windows are uncommon, steel doors are pretty common. Two of the three places I lived had them.

Also bars, but not bulletproofing, on ground floor windows are fairly common as well.

Finally steel doors are actually less expensive than a quality solid wooden door these days.

John Fenderson (profile) says:

Re: Re: Re:2 Re:

“However, here on Earth, cost matters.”

What you’re arguing here is that we as a society should absorb the cost of critical infrastructure being on the internet so that the entities who are doing this don’t have to bear it. It’s saving those entities a dollar while costing the rest of us ten.

Cost matters, yes, but the cost directly to these entities is not the only part that matters.

Chris Brand says:

Re: Re: Re:3 Re:

Ultimately, this sort of question should always be a balancing of risk, reward, and cost. A big additional factor that hasn’t been mentioned in this thread is whether this is the sort of risk that can be insured against (and what requirements the insurance company imposes). Many businesses accept small risks of huge losses if doing so will save them a reasonable amount of money. If the risk doesn’t materialise, that’s a good decision.

The biggest problem I see at the moment is that the risks are often not even considered – “We can have one person monitor three plants if we implement some monitoring software that we expose online” “sounds great. Do it”. That will presumably change as events like this become more common (and as insurance companies learn to ask about this sort of risk).

Ninja (profile) says:

Re: Re: Re:4 Re:

This sounds awesome but should we risk big outages or disasters because of it? Are we citizens ready to dispose of a few dozen lives if some pipeline goes boom? I believe we need to force better security in. I’m not sure if laws are the best tool but they are an alternative but certainly the proposals being discussed by the Govt now aren’t the right path.

Anonymous Anonymous Coward says:

Re: Re: Re:

Could you explain for us less network savvy folks what is so ‘insanely expensive’? Is it setting up the infrastructure? Is it hiring people to monitor it? Is it ongoing cost of ‘renting’ that infrastructure?

And while your at it, what is considered ‘insanely expensive’? Greater than the US GDP? Greater than this years profits? Greater than this years CEO bonus? Greater than this years IT budget?

PaulT (profile) says:

Re: too late run

Story headline:

“Damage To German Steel Mill”

Story body:

“A report [pdf link] recently released by Germany’s Federal Office for Information Security”

Linked story:

“hackers had struck an unnamed steel mill in Germany”

Your response:

“the idiots running the US are incapabale of anything now”

Well, there’s certainly an idiot here somewhere…

Jared says:

Big Government Surveillance

If our government increases surveillance, then people will start communicating using Code. It’s not difficult to communicate using encrypted messages. Those using Code to communicate will laugh at the NSA. Therefore the NSA will only be analyzing the uncoded communications of ordinary citizens. Information is power (big data). This is about power and control, not national defense. Wake Up!

Ninja (profile) says:

This is terrifying for a number of reasons. Not in the sense of approving CISPA though, no. As it has been being pointed out ad nauseam by Techdirt and others it wouldn’t have done shit to prevent any of the attacks that have taken place in the last dozen years.

The terrifying bit is that NOTHING is being done to hold the ones that are responsible for the lousy security on critical systems and, better yet, forcing companies to practice good security on such systems. The blast furnace only shut down in a wrong manner with mainly damage to the equipment itself. I suspect this largely happened because the security valves and systems worked as intended. It could have been way less reassuring: such emergency security systems are also fallible. Wht if some pressure relief valve had failed? Depending on the size of the thing you could send quite a few blocks flying.

One can only hope the morons legislating actually deal with the real problems instead of the glitter and vanity before something really catastrophic happens.

Rich Kulawiec (profile) says:

It's going to get MUCH worse

The short-sighted people pushing “The Internet of Things” are charging ahead as fast as they possibly can, oblivious to the reality they’re not actually building smart refrigerators or smart cars or smart watches: they’re deploying targets. Millions and millions of targets, some of which have already been acquired by adversaries and most of which will be in due course.

It really doesn’t matter how detailed/vague this particular report is: its significance has little to do with a single steel mill in Germany. The takeaway from this should be a sobering realization that “the Internet of Things” is quite rapidly turning into “the Internet of Bots” and that serious consequences await.

Ninja (profile) says:

Re: It's going to get MUCH worse

I honestly don’t see why my trash can or my refrigerator should be connected in any way…

In any case I doubt that everyday gadgets connected to the internet can do any serious harm. Still they are being deployed with lousy security to say the least and to clueless people in general who won’t probably change any passwords.

Anonymous Coward says:

Re: Re: It's going to get MUCH worse

“I honestly don’t see why my trash can or my refrigerator should be connected in any way…”

When foods all have rfid’s embedded, and I remove a staple from my fridge, it adds that item to my shopping list which is cloud synced because the wife is already on the way to to grocery store, and when she gets there, she’ll see that item automagically appear on her smart phone shopping list app.

I can totally see the usefulness of that.

Ninja (profile) says:

Re: Re: Re: It's going to get MUCH worse

This wouldn’t need the fridge to be connected to the internet. A local ‘home center’ could collect that data and make it available (considering you trust it won’t be used to target annoying ads based on your consumption) but it still doesn’t make sense to allow remote control. And automation may be problematic. What if you don’t want to buy that product again? I still maintain that full connection is not needed.

John Fenderson (profile) says:

Re: Re: It's going to get MUCH worse

“In any case I doubt that everyday gadgets connected to the internet can do any serious harm.”

Some of those gadgets certainly could. Think heaters, furnaces, etc. However, the really huge risk of the IoT initiative is that it will increase the comprehensiveness and effectiveness of spying.

I will not be hooking these things up to the internet for that reason, and strongly discourage anyone else from doing so.

GEMont (profile) says:

Selling Shit As Shinola is a Fascist Art Form

“Meanwhile, critical infrastructure remains as vulnerable as ever.”

It is absolutely essential to the plan that critical infrastructure remain vulnerable. If it were not so, then none of the intended legislation-to-be, rerouting tax-money into phony multi-billion dollar anti-terrorist, anti-hacker, cyber-security scams would be possible.

If you want to make laws against a specific behavior, you first must make sure that the behavior appears to be criminal and that there is a lot of it taking place, or at the very least, flood the news media with reports of its extremely high occurrence rate.

This is how the Drug War was manufactured and maintained.

It is a very highly effective method of social engineering for fun and profit.

This is how the peer to peer equals piracy scam was created and maintained. It is a method that works.

To see it being used once again to create a Cyber Security Scam that will lead to legislation eliminating privacy and the internet, is no surprise at all.

FatBigot says:

Not as easy as it sounds.

I’m afraid that people calling for critical process plant not to be connected to the internet are demanding a simple solution when they do not really know what the problem is. This is the same issue as politicians demanding backdoors for the intelligence services in all encryption.

If the process operators require advice, I’d much rather VPN to read the SCADA screens and advise, rather than having to go to site which may be 200 miles away. This is doubly true on the night shift, when it might save me getting dressed at all, but will require that I can access from home, which means over the public internet. Obviously management are happy with this because call-out costs are greatly reduced.

For an insight on what can go wrong with a blast furnace, read this report on an explosion that happened in 2001:

Andrew D. Todd (user link) says:

Re: Telecommunications Is Not The Internet. (to EatBigot, #43)

One must not confuse telecommunications with the internet. Something as big and expensive as a steel mill can easily have its own dedicated communications infrastructure, at various possible levels, viz: ditch; duct; cable; fiber; or “lambda,” that is, a frequency in a fiber. Digging a ditch and putting ducts in it costs about $50,000 per mile, and that is trivial compared to the cost of building a rail line, several million dollars a mile or more. A steel mill isn’t much good without a railroad. Steel mills often have their own private railroads to handle specialized tasks such as hauling crucible-cars filled with molten iron. Naturally, connecting at the level of ditch, duct, cable, fiber, or lambda costs more than a Virtual Private Network, because someone has to actually go out and make up connections between fibers, but it does provide more unequivocal separation from other traffic.

I was reading in this month’s Flying Magazine (Peter Garrison, “Aftermath,” Feb 2015) about an airplane, a twin-engine Cessna 310, which crashed because the owner-pilot was attempting to save perhaps ten dollars on the price of gasoline. He bought about twenty gallons less fuel that he should have (say about an hour of flying time), because he was advised that fuel was fifty-three cents a gallon cheaper at his destination. Parenthetically, the mandatory overhauls and part replacements on an airplane of that type might have been at least $500/hour. I think you will perceive a certain similarity.

John Fenderson (profile) says:

Re: Not as easy as it sounds.

“If the process operators require advice, I’d much rather VPN to read the SCADA screens and advise, rather than having to go to site which may be 200 miles away.”

Using a VPN would count as a minimum security requirement, but it would be even better to not be connected to the internet. That does not in any way mean that there is no way to do remote administration. It only means that your remote connection is not through the internet.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...