Three weeks ago, Germany’s Federal Office for Information Security (BSI) released its traditional end-of-the-year report about the state of IT security in Germany.
It described cyber attacks aimed at both German targets and those around the world, and among these incidents was one that most security experts weren’t even aware of.
We still don’t know when it happened and how long it lasted, but the report revealed that the target was an unnamed steel plant located in Germany, and the intrusion resulted in physical damage to the steelworks.
The attackers have apparently first compromised the steelworks’ office network by using spear-phishing emails and clever social engineering. From there, they worked their way into the production network and other systems, including the one that controls the plant’s equipment.
The compromise resulted in frequent failures of individual control components and the various systems, and ultimately led to the operators being unable to adequately regulate and promptly shut down a blast furnace. “The result was massive damage to the system,” the report noted.
The attackers’ technical skills are deemed to be highly advanced, as they managed to compromise a number of different internal systems and industrial components.
Their knowledge extends past conventional IT security to specialized knowledge of the industrial control and production processes used in the plant.
Unfortunately, we don’t know who the attackers are, what their goal was, and whether they meant to cause physical damage or whether it was just an unexpected and unwanted consequence of the compromise.
This is the second time that a cyber attack resulted in damage to industrial systems – third, if you count the 2008 incident when a Turkish oil pipeline caught fire as a result of a “blended” physical and digital attack. We all know about Stuxnet, and the damage it did to Iran’s uranium enrichment facility at Natanz.
Once again, operators of industrial and critical infrastructure systems are advised to educate themselves about the dangers they face and to improve their systems’ defences.
First and foremost, they should take this latest incident as an example why business and industrial networks should not be connected in a way that will allow attackers to hop from one to the other. The latter should also not be connected to the Internet.