Lost in the media coverage of the Sony cyberattack is a German government report issued last week describing a cyberattack that resulted in “massive” damage to a blast furnace at a steel mill.
We've translated the full text of the German incident description below:
APT attack on industrial plants in Germany
Facts: Targeted attack on a steel plant in Germany.
Method: Using sophisticated spear phishing and social engineering, the attacker gained initial access to the corporate network at the steelworks. From there, they moved successively into the production networks.
Damage inflicted: Individual control components failed increasingly frequently, as did entire facilities. The failures resulted in a blast furnace suffering an uncontrolled shutdown. This resulted in massive damage to the system.
Targeted groups: Operators of industrial plants.
Technical skills: The technical capabilities of the attacker were evaluated as very advanced. The compromise extended from a number of different kinds of internal systems to industrial components. The know-how of the attackers was not only very sophisticated in the field of conventional IT security, but extended to a detailed knowledge of applied industrial control and production processes.
This is a significant report. Industrial control systems (ICS) are generally built with many layers of protection – from physical safety systems, to cyber safety systems or safety instrumented systems (SIS), to equipment protection systems. These layers upon layers of systems are designed to protect not just equipment, but human life if ever an unsafe condition arises. All bets are off though, if these systems are compromised.
From the limited information in the report, it looks like at least the physical safety systems worked, since there are no reports of injuries. But the systems at the site failed to protect the blast furnace from damage. The report states that as a consequence of the attack, an uncontrolled shutdown caused “massive” damage to the blast furnace.
Evolving best practice
This attack is a clear example of why best practices are evolving toward providing sophisticated, hardware-based protections for at least SIS and protection equipment. Software security protections, such as firewalls, are notoriously vulnerable to attack. A technically sophisticated attacker can compromise software-based defenses remotely over the Internet from the comfort and safety of anywhere they please. Hardware-enforced Unidirectional Security Gateways are gaining global attention as an industry best practice, embraced and endorsed by regulations and guidelines such as NERC CIP, IEC 62443-3-3, the ANSSI guidelines and others.
When it comes to protecting ICS, soft interiors need hard shells.