significant hack since Stuxnet targeted Iran's uranium enrichment programme in 2010 has caused massive damage to a German steelworks, according to a report published by the Federal Office for Information Security (BSI). Whilst the Sony hack caused the release of film star emails, a Bond film script and the cancellation of film screenings, grabbing media attention, the significance of deliberate physical damage caused by sophisticated network intrusion has passed largely unnoticed in mainstream media. This is probably the only publicly known incident since Stuxnet in which physical damage to a plant has been deliberately caused by malware.
Details have not been released, but the “The IT Security Situation in Germany 2014” report highlights the significant impact an Advanced Persistent Threat attack has had on a steelworks, causing damage to a blast furnace by forcing an unscheduled shutdown. People often ask why critical industrial processes are connected directly to the internet. They aren't, intentionally. But they are connected to business systems in order to manage production and to obtain statistical, historical and logging information for business process optimisation. The attackers exploited this internal connectivity between the corporate and industrial control networks.
The attack used a sophisticated spear-phishing and social-engineering campaign to obtain initial access and a presence on the corporate office network. The attackers then moved from the corporate networks on to the production networks to locate industrial control systems. Over time, industrial control components were compromised and control system failures became increasingly apparent, leading to loss of plant control. These failures ultimately caused an unscheduled shutdown of a blast furnace, preventing the normal safe ‘graceful’ shutdown and causing extensive damage and loss of production.
Like Stuxnet, the perpetrators exhibited advanced technical skills from multiple domains. Initially, they undertook a reconnaissance phase to identify individuals and an approach for the spear-phishing and social-engineering campaign. They then displayed corporate IT and security domain skills, compromising corporate computers and networks and traversing to the process control networks. The attackers demonstrated a knowledge of both industrial control systems and the production process. The combination indicates that the group responsible had a significant presence on the steelworks' networks, sufficient to navigate the corporate systems and the industrial control systems and to form a detailed understanding of the automation controllers and the production process. It is highly likely that intellectual property, proprietary process knowledge and contract information were also stolen.
Critical infrastructure attacks this year include Energetic Bear (aka Dragonfly), Sandworm and the recent revelations of Cleaver. However, these incursions appear to be early reconnaissance, with no physical effects. We have also seen designs and manuals of plant equipment owned by Korea Hydro and Nuclear Power Co (KHNP) in South Korea put online by an unknown individual or group, followed by several threats to the infrastructure. It is acknowledged that should systems in utilities, energy, manufacturing, oil and gas be attacked, the damage and disruption could be enormous. This steelworks attack is one of the first to cause significant physical damage. International respondents to a recent critical infrastructure survey in these sectors recognise the increased likelihood of successful attacks against their IT and industrial control systems, yet they admit more needs to be done; many respondents either did not know or were unsure about control system vulnerabilities, and had not informed senior executives of the risks.
Organisations are seeking to improve operations and converge IT and industrial control architectures to optimise business. Crucial to these improvements is enterprise access to operational information without compromising security. Technology adoption in industrial control systems lags behind that of IT, due to differing operational requirements. These include high availability, safety and reliability, coupled with significantly longer lifecycles; fifteen to twenty years is not uncommon, and can be even longer, far exceeding IT refresh or outsourcing cycles. Addressing these challenges requires a collaborative approach across multiple domains, recognising that industrial control system security awareness is potentially low across an organisation. An approach that combines converged governance and risk management, sustained by appropriate programme management, will enable a comprehensive understanding of organisational risk in order to secure vulnerable production systems.
Contributed by Dr Richard Piggin, capability manager, Atkins.