from the the-unsexy-side-of-cyber dept
A report [pdf link] recently released by Germany's Federal Office for Information Security (BSI) details only the second known cyberattack that has resulted in physical damage. According to the report, hackers accessed a steel mill's production network via the corporate network, following a spear-phishing attack. This then allowed them access to a variety of production controls, culminating in the attackers' control of a blast furnace, which prevented it from being shut down in a "regulated manner." The end result? "Massive damage to the system."
Kim Zetter at Wired highlights the more chilling aspects of the latest "Stuxnet."
The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred. It’s also unclear if the attackers intended to cause the physical destruction or if this was simply collateral damage. The incident underscores, however, what experts have been warning about in the wake of Stuxnet: although that nation-state digital weapon had been expertly designed to avoid collateral damage, not all intrusions into critical infrastructure are likely to be as careful or as well-designed as Stuxnet, so damage may occur even when the hackers never intend it.
As has been pointed out multiple times over the years, security for critical infrastructure often seems to verge on laughable. Hackers -- both malicious and helpful -- have found millions of unsecured access points, devices, and webcams by using simple methods available to nearly anyone. Those with the talent, patience and skill to probe deeper are finding even more.
But there doesn't seem to be much emphasis on getting this fixed. Sure, government leaders and intelligence officials make plenty of noise about cyberwar, cyberterrorism, etc., but it's rarely as productive as it is loud. There are some interesting details in the article (even more if you know German and can translate the long report), but all you really need to know about the future of infrastructure security can be found in Zetter's opening sentence:
Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos.
This is where the government's focus is: on a non-critical entertainment concern, which suffered little more than embarrassment and some diminished box office returns on a stoner comedy about assassinating North Korea's dictator.
Like many members of the human race, our officials and legislators have a weakness for the wealthy and the famous. And Sony Pictures has plenty of both. If you're going to be stuck in dry meetings about security flaws and cyberattacks, at least with Sony being touted as Head Victim, you might have the chance to rub elbows with movie execs. No one wants to spend hours consulting with badge-wearers in charge of the nearest hydroelectric plant or attempt to wrap their minds around electrical grid fail-safe measures. So, we get this instead: multiple speeches decrying the Sony hack and sanctions leveled at a country that may not have had anything to do with it. That's what passes for "cybersecurity" in the US government -- sympathy for sexy industries and a constant sales pitch for increased government power and expanded domestic surveillance. Meanwhile, critical infrastructure remains as vulnerable as ever.