Sophisticated hack causes massive damage to steelworks
Sophisticated hack causes massive damage to steelworks

The most significant hack since Stuxnet targeted Iran's uranium enrichment programme in 2010 has caused massive damage to a German steelworks, according to a report published  by the Federal Office for Information Security (BSI).  Whilst the Sony hack caused the release of film star emails, a Bond film script and cancellation of film screenings, grabbing media attention, the significance of deliberate physical damage caused by sophisticated network intrusion has passed largely unnoticed (in mainstream media). This is probably the only publicly known incident where physical damage to a plant has been deliberately caused by malware since Stuxnet.

Full details have not been released, but the “The IT Security situation in Germany 2014 ” report highlights the significant impact an Advanced Persistent Threat attack has had on a steelworks, causing damage to a blast furnace by forcing an unscheduled shutdown.  People often ask, why then are critical industrial processes connected directly to the internet?  They aren't intentionally.  But, they are connected to business systems in order to manage production, obtain statistical, historical, and logging information for business process optimisation.  The attackers exploited the internal connectivity of the corporate and industrial control networks.

The attack used a sophisticated spear-phishing and social-engineering campaign to obtain initial access and a presence on the corporate office network.  The attackers then moved from the corporate networks on to the production networks to locate industrial control systems.  Over time industrial control components were compromised and control system failures became increasingly apparent leading to loss of plant control.  Failures ultimately caused an unscheduled shutdown of a blast furnace, preventing the normal safe ‘graceful' shutdown, causing extensive damage and loss of production.

Like Stuxnet, the perpetrators exhibited advanced technical skills from multiple domains.  Initially, undertaking a reconnaissance phase to identify individuals and an approach for the spear-phishing and social-engineering campaign. Then displaying corporate IT and security domain skills compromising corporate computers and networks, traversing to the process control networks.  The attackers demonstrated a knowledge of both industrial control systems and the production process.  The combination indicates that the group responsible had significant presence on the steelworks' networks to navigate the corporate systems and the industrial control systems and form a detailed understanding of the automation controllers and production process.  It is highly likely that intellectual property, propriety process knowledge and contract information was also stolen.

Critical infrastructure attacks this year includes Energetic Bear (aka Dragonfly), Sandworm and the recent revelations of Cleaver.  However, these incursions appear to be early reconnaissance, with no physical affects. We have also seen designs and manuals of plant equipment owned by Korea Hydro and Nuclear Power Co (KHNP) in South Korea were put online by an unknown individual or group, followed by several threats to the infrastructure. It is acknowledged that should systems in utilities, energy, manufacturing, oil and gas be attacked, the damage and disruption could be enormous.  This steelworks attack is one of the first to cause significant physical damage.  International respondents to a recent critical infrastructure survey in these sectors recognise the increased likelihood of successful attacks against their IT and industrial control systems, yet they admit more needs to be done, and many of respondents either did not know or were unsure about control system vulnerabilities, and had not informed senior executives of the risks.

Organisations are seeking to improve operations and converge IT and industrial control architectures to optimise business.  Crucial to these improvements is enterprise access to operational information, without comprising security.   Technology adoption in industrial control systems lags behind that of IT, due to the differing operational requirements.  These include high-availability, safety and reliability coupled with significantly longer lifecycles; fifteen to twenty years is not uncommon, and can be even longer, far exceeding IT refresh or outsourcing cycles.  To address these challenges requires a collaborative approach across multiple domains, recognising that industrial control system security awareness is potentially low across an organisation.  An approach that combines converged governance and risk management, sustained by appropriate programme management, will enable a comprehensive understanding of organisational risk in order to secure vulnerable production systems.

Contributed by Dr Richard Piggin,capability manager, Atkins.