Cyberattack Results In Physical Damage To German Steel Mill's Blast Furnance
from the the-unsexy-side-of-cyber dept
A report [pdf link] recently released by Germany’s Federal Office for Information Security (BSI) details only the second known cyberattack that has resulted in physical damage. According to the report, hackers accessed a steel mill’s production network via the corporate network, following a spear-phishing attack. This then allowed them access to a variety of production controls, culminating in the attackers’ control of a blast furnace, which prevented it from being shut down in a “regulated manner.” The end result? “Massive damage to the system.”
Kim Zetter at Wired highlights the more chilling aspects of the latest “Stuxnet.”
The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred. It’s also unclear if the attackers intended to cause the physical destruction or if this was simply collateral damage. The incident underscores, however, what experts have been warning about in the wake of Stuxnet: although that nation-state digital weapon had been expertly designed to avoid collateral damage, not all intrusions into critical infrastructure are likely to be as careful or as well-designed as Stuxnet, so damage may occur even when the hackers never intend it.
As has been pointed out multiple times over the years, security for critical infrastructure often seems to verge on laughable. Hackers — both malicious and helpful — have found millions of unsecured access points, devices, and webcams by using simple methods available to nearly anyone. Those with the talent, patience and skill to probe deeper are finding even more.
But there doesn’t seem to be much emphasis on getting this fixed. Sure, government leaders and intelligence officials make plenty of noise about cyberwar, cyberterrorism, etc., but it’s rarely as productive as it is loud. There are some interesting details in the article (even more if you know German and can translate the long report), but all you really need to know about the future of infrastructure security can be found in Zetter’s opening sentence:
Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos.
This is where the government’s focus is: on a non-critical entertainment concern, which suffered little more than embarrassment and some diminished box office returns on a stoner comedy about assassinating North Korea’s dictator.
Like many members of the human race, our officials and legislators have a weakness for the wealthy and the famous. And Sony Pictures has plenty of both. If you’re going to be stuck in dry meetings about security flaws and cyberattacks, at least with Sony being touted as Head Victim, you might have the chance to rub elbows with movie execs. No one wants to spend hours consulting with badge-wearers in charge of the nearest hydroelectric plant or attempt to wrap their minds around electrical grid fail-safe measures. So, we get this instead: multiple speeches decrying the Sony hack and sanctions leveled at a country that may not have had anything to do with it. That’s what passes for “cybersecurity” in the US government — sympathy for sexy industries and a constant sales pitch for increased government power and expanded domestic surveillance. Meanwhile, critical infrastructure remains as vulnerable as ever.
Filed Under: cyberattack, physical damage, steel mill
Comments on “Cyberattack Results In Physical Damage To German Steel Mill's Blast Furnance”
I thought long ago when Stuxnet came out that it was going to be a future blueprint for how to disrupt infrastructure. Then after that came Obama admitting that the US was behind the malware.
In the time since little has been done to lock down these various facilities, many of which we depend on for everyday life. The US has opened Pandora’s Box. It will come home to haunt them and indirectly us all.
It takes a while to dissect and understand complicated code. It’s been years since it was discovered in the wild and enough time for that to now start happening. Sooner or later, North Korea, ISSIS, or whomever will use it. When it is used we will be able to thank our leaders for this new plague released.
The fact that the NSA nor none of the other three letter agencies have bothered to tell software makers where their bugs and security holes are isn’t going to help in this matter.
Today's House Briefing
United States House of Representatives
Foreign Affairs Committee
“Briefing: The North Korean Threat: Nuclear, Missiles and Cyber”
Jan 13, 2015 10:00am to 1:00pm
(Webcast also available via C-SPAN.)
“Meanwhile, critical infrastructure remains as vulnerable as ever.”
Shouldn’t the critical infrastructure not be connected to the internet?
Re: Re:
Re: Re:
In theory – yes. In practice, when you have to control several plants in different places – what options do you have? Even dedicated PPP line is “connected” to Internet – separated by provider router.
Running physically several disconnected networks is insanely expansive and well beyond budget.
Re: Re: Re:
It doesn’t matter. IF the infrastructure is critical, it should mostd ecidedly not be public-facing.
Transparent? Yes. But never public-facing.
Re: Re: Re: Re:
Re: Re: Re:2 Re:
“However, here on Earth, cost matters.”
As do risk and consequences. How great is the cost as a consequence of damage? How high is the risk of that damage?
If people are ignoring high long-term risks with a high cost (monetary and otherwise) as a consequence of failure just so they can save money in the shorter term, well you’ve just described the problem with modern corporate culture… Infrastructure that is genuinely critical will naturally have a high cost to properly secure it.
“You don’t make your house windows bulletproof, and steel door, right?”
I don’t but I don’t live in a place where bullets are being fired every day, have a high risk of being robbed nor do I house anything vital to the operation of my company/city/whatever. Strangely, my priorities would change if I did…
Re: Re: Re:2 Re:
…And? Once again, if the infrastructure is critical, there is literally no reason not to have a separate network for that infrastructure with zero public-facing nodes.
That cost can be borne. The other cost, in real lives, cannot.
Re: Re: Re:2 Re:
“In your imaginary world, where money is not a function, maybe”
What you are really saying is the size of the profit margin is what counts first, not security.
THAT is what is crazy, security is always first because not secure, lose the business, the life, the house. “Self” defense, be it a person, a business is the natural first step since people came out of caves. What is going on with this when profit means more then security is crazy, definitely not normal.
“You don’t make your house windows bulletproof, and steel door,”
Today, if one can afford it, yes. We live in a world where governments in just the 20th century murdered more people then died in all the known wars combined.
Think about it.
Re: Re: Re:2 Re:
Well, BP decided to save a few million in valves and proper security and got a 20 billion loss (that huge Gulf oil spill). But when thousands of lives are at risk you must bear those costs even if it means raising prices. And if needed the law must mandate such disconnection from the internet.
Re: Re: Re:2 Re:
“You don’t make your house windows bulletproof, and steel door, right?”
I lived in Chicago for 13 years, and while bulletproof windows are uncommon, steel doors are pretty common. Two of the three places I lived had them.
Also bars, but not bulletproofing, on ground floor windows are fairly common as well.
Finally steel doors are actually less expensive than a quality solid wooden door these days.
Re: Re: Re:2 Re:
“However, here on Earth, cost matters.”
What you’re arguing here is that we as a society should absorb the cost of critical infrastructure being on the internet so that the entities who are doing this don’t have to bear it. It’s saving those entities a dollar while costing the rest of us ten.
Cost matters, yes, but the cost directly to these entities is not the only part that matters.
Re: Re: Re:3 Re:
Ultimately, this sort of question should always be a balancing of risk, reward, and cost. A big additional factor that hasn’t been mentioned in this thread is whether this is the sort of risk that can be insured against (and what requirements the insurance company imposes). Many businesses accept small risks of huge losses if doing so will save them a reasonable amount of money. If the risk doesn’t materialise, that’s a good decision.
The biggest problem I see at the moment is that the risks are often not even considered – “We can have one person monitor three plants if we implement some monitoring software that we expose online” “sounds great. Do it”. That will presumably change as events like this become more common (and as insurance companies learn to ask about this sort of risk).
Re: Re: Re:4 Re:
This sounds awesome but should we risk big outages or disasters because of it? Are we citizens ready to dispose of a few dozen lives if some pipeline goes boom? I believe we need to force better security in. I’m not sure if laws are the best tool but they are an alternative but certainly the proposals being discussed by the Govt now aren’t the right path.
Re: Re: Re:2 Re:
You don’t make your house windows bulletproof, and steel door, right? (In case you do, please seek mental help immediately).
No. I also don’t put my light switches and thermostats on the outside of the house where just anyone can walk by and mess with them.
Re: Re: Re:
Could you explain for us less network savvy folks what is so ‘insanely expensive’? Is it setting up the infrastructure? Is it hiring people to monitor it? Is it ongoing cost of ‘renting’ that infrastructure?
And while your at it, what is considered ‘insanely expensive’? Greater than the US GDP? Greater than this years profits? Greater than this years CEO bonus? Greater than this years IT budget?
too late run
Its too late, the idiots running the US are incapabale of anything now, too many idiots promoted to serious postitions withing the establishment, now we are all going to hell.
Run now, run for your life, it may be too late if you dont.
Run!!!!!!
Re: too late run
Story headline:
“Damage To German Steel Mill”
Story body:
“A report [pdf link] recently released by Germany’s Federal Office for Information Security”
Linked story:
“hackers had struck an unnamed steel mill in Germany”
Your response:
“the idiots running the US are incapabale of anything now”
Well, there’s certainly an idiot here somewhere…
Big Government Surveillance
If our government increases surveillance, then people will start communicating using Code. It’s not difficult to communicate using encrypted messages. Those using Code to communicate will laugh at the NSA. Therefore the NSA will only be analyzing the uncoded communications of ordinary citizens. Information is power (big data). This is about power and control, not national defense. Wake Up!
That’s it, The Internet is Broken.
This is terrifying for a number of reasons. Not in the sense of approving CISPA though, no. As it has been being pointed out ad nauseam by Techdirt and others it wouldn’t have done shit to prevent any of the attacks that have taken place in the last dozen years.
The terrifying bit is that NOTHING is being done to hold the ones that are responsible for the lousy security on critical systems and, better yet, forcing companies to practice good security on such systems. The blast furnace only shut down in a wrong manner with mainly damage to the equipment itself. I suspect this largely happened because the security valves and systems worked as intended. It could have been way less reassuring: such emergency security systems are also fallible. Wht if some pressure relief valve had failed? Depending on the size of the thing you could send quite a few blocks flying.
One can only hope the morons legislating actually deal with the real problems instead of the glitter and vanity before something really catastrophic happens.
Why
Why are critical systems on the public internet at all? When I have worked at power plants and on medical gear in hospitals its not even on unroutable addresses. Madness.
Re: Why
Exactly. Take care of your nice things.
Don’t leave your toys out in the rain.
Don’t loan your powertools out to drunken, homeless 5 year olds.
Don’t hook critical SCADA systems up to the risky Internet.
If they create new branches in the police to go after the millions of pirates then why the fuck cant they do the same with the occassional hackers?
Re: Re:
Not all hackers are bad……….some of them are in it to test that security is, well, secure, and then inform
No Subject
I call BULLSHIT on that whole report.
This is nothing but MS-grade FUD!
How can anyone believe that vague a report?
Cheers 🙂
It's going to get MUCH worse
The short-sighted people pushing “The Internet of Things” are charging ahead as fast as they possibly can, oblivious to the reality they’re not actually building smart refrigerators or smart cars or smart watches: they’re deploying targets. Millions and millions of targets, some of which have already been acquired by adversaries and most of which will be in due course.
It really doesn’t matter how detailed/vague this particular report is: its significance has little to do with a single steel mill in Germany. The takeaway from this should be a sobering realization that “the Internet of Things” is quite rapidly turning into “the Internet of Bots” and that serious consequences await.
Re: It's going to get MUCH worse
Skynet is waking
Re: It's going to get MUCH worse
I honestly don’t see why my trash can or my refrigerator should be connected in any way…
In any case I doubt that everyday gadgets connected to the internet can do any serious harm. Still they are being deployed with lousy security to say the least and to clueless people in general who won’t probably change any passwords.
Re: Re: It's going to get MUCH worse
In any case I doubt that everyday gadgets connected to the internet can do any serious harm.
I invite you to write that down on a piece of paper and place it above your screen. Then wait five years.
Re: Re: Re: It's going to get MUCH worse
Depends on the gadget. We are talking about refrigerators and wash machines. What’s the worst that one can do with a refrigerator if given remote control? Turn it off? It’s quite different from an industrial high pressure boiler that has the potential to send several blocks flying.
Re: Re: It's going to get MUCH worse
“I honestly don’t see why my trash can or my refrigerator should be connected in any way…”
When foods all have rfid’s embedded, and I remove a staple from my fridge, it adds that item to my shopping list which is cloud synced because the wife is already on the way to to grocery store, and when she gets there, she’ll see that item automagically appear on her smart phone shopping list app.
I can totally see the usefulness of that.
Re: Re: Re: It's going to get MUCH worse
This wouldn’t need the fridge to be connected to the internet. A local ‘home center’ could collect that data and make it available (considering you trust it won’t be used to target annoying ads based on your consumption) but it still doesn’t make sense to allow remote control. And automation may be problematic. What if you don’t want to buy that product again? I still maintain that full connection is not needed.
Re: Re: Re: It's going to get MUCH worse
Law enforcement will love it, as they can tell when you have guests, as will your health insurance company, who can tell whether you have a healthy diet.
Re: Re: Re:2 It's going to get MUCH worse
That is another issue. But I believe they will suffer equally from fear of the masses so I wonder which prison is worse…
Re: Re: Re: It's going to get MUCH worse
“I can totally see the usefulness of that.”
Me too. But that is a pretty small amount of usefulness, and certainly doesn’t balance well against the risks.
Re: Re: It's going to get MUCH worse
I’m afraid it’s time to look at Distributed Denial of Service attacks and amplification via compromised devices. While your toaster doesn’t have much processing power it can still spew a lot of packets at a target and add to a denial of service attack.
Re: Re: It's going to get MUCH worse
“In any case I doubt that everyday gadgets connected to the internet can do any serious harm.”
Some of those gadgets certainly could. Think heaters, furnaces, etc. However, the really huge risk of the IoT initiative is that it will increase the comprehensiveness and effectiveness of spying.
I will not be hooking these things up to the internet for that reason, and strongly discourage anyone else from doing so.
ahhh the real world hard disk killer
back in 89 we destroyed a 10 K Hard disk by just having it run all night at max spon speed….
this is just improving on the old
Siberian pipeline sabotage
Stuxnet wasn’t the first such attack: the Siberian pipeline sabotage happened in 1982. “The result was the most monumental non-nuclear explosion and fire ever seen from space.”
Selling Shit As Shinola is a Fascist Art Form
“Meanwhile, critical infrastructure remains as vulnerable as ever.”
It is absolutely essential to the plan that critical infrastructure remain vulnerable. If it were not so, then none of the intended legislation-to-be, rerouting tax-money into phony multi-billion dollar anti-terrorist, anti-hacker, cyber-security scams would be possible.
If you want to make laws against a specific behavior, you first must make sure that the behavior appears to be criminal and that there is a lot of it taking place, or at the very least, flood the news media with reports of its extremely high occurrence rate.
This is how the Drug War was manufactured and maintained.
It is a very highly effective method of social engineering for fun and profit.
This is how the peer to peer equals piracy scam was created and maintained. It is a method that works.
To see it being used once again to create a Cyber Security Scam that will lead to legislation eliminating privacy and the internet, is no surprise at all.
—
Not as easy as it sounds.
I’m afraid that people calling for critical process plant not to be connected to the internet are demanding a simple solution when they do not really know what the problem is. This is the same issue as politicians demanding backdoors for the intelligence services in all encryption.
If the process operators require advice, I’d much rather VPN to read the SCADA screens and advise, rather than having to go to site which may be 200 miles away. This is doubly true on the night shift, when it might save me getting dressed at all, but will require that I can access from home, which means over the public internet. Obviously management are happy with this because call-out costs are greatly reduced.
For an insight on what can go wrong with a blast furnace, read this report on an explosion that happened in 2001: http://www.hse.gov.uk/pubns/web34.pdf
Re: Telecommunications Is Not The Internet. (to EatBigot, #43)
One must not confuse telecommunications with the internet. Something as big and expensive as a steel mill can easily have its own dedicated communications infrastructure, at various possible levels, viz: ditch; duct; cable; fiber; or “lambda,” that is, a frequency in a fiber. Digging a ditch and putting ducts in it costs about $50,000 per mile, and that is trivial compared to the cost of building a rail line, several million dollars a mile or more. A steel mill isn’t much good without a railroad. Steel mills often have their own private railroads to handle specialized tasks such as hauling crucible-cars filled with molten iron. Naturally, connecting at the level of ditch, duct, cable, fiber, or lambda costs more than a Virtual Private Network, because someone has to actually go out and make up connections between fibers, but it does provide more unequivocal separation from other traffic.
I was reading in this month’s Flying Magazine (Peter Garrison, “Aftermath,” Feb 2015) about an airplane, a twin-engine Cessna 310, which crashed because the owner-pilot was attempting to save perhaps ten dollars on the price of gasoline. He bought about twenty gallons less fuel that he should have (say about an hour of flying time), because he was advised that fuel was fifty-three cents a gallon cheaper at his destination. Parenthetically, the mandatory overhauls and part replacements on an airplane of that type might have been at least $500/hour. I think you will perceive a certain similarity.
Re: Not as easy as it sounds.
“If the process operators require advice, I’d much rather VPN to read the SCADA screens and advise, rather than having to go to site which may be 200 miles away.”
Using a VPN would count as a minimum security requirement, but it would be even better to not be connected to the internet. That does not in any way mean that there is no way to do remote administration. It only means that your remote connection is not through the internet.