Cyberattack Results In Physical Damage To German Steel Mill's Blast Furnace
from the the-unsexy-side-of-cyber dept
A report [pdf link] recently released by Germany's Federal Office for Information Security (BSI) details only the second known cyberattack to have resulted in physical damage (Stuxnet being the first). According to the report, the attackers gained their initial foothold through a spear-phishing campaign, moved from the corporate network into the steel mill's production network, and from there reached a variety of production controls. The intrusion culminated in the attackers' control of a blast furnace, which prevented it from being shut down in a "regulated manner." The end result? "Massive damage to the system."
Kim Zetter at Wired highlights the more chilling aspects of the latest "Stuxnet."
The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred. It’s also unclear if the attackers intended to cause the physical destruction or if this was simply collateral damage. The incident underscores, however, what experts have been warning about in the wake of Stuxnet: although that nation-state digital weapon had been expertly designed to avoid collateral damage, not all intrusions into critical infrastructure are likely to be as careful or as well-designed as Stuxnet, so damage may occur even when the hackers never intend it.

As has been pointed out multiple times over the years, security for critical infrastructure often seems to verge on laughable. Hackers -- both malicious and helpful -- have found millions of unsecured access points, devices, and webcams by using simple methods available to nearly anyone. Those with the talent, patience and skill to probe deeper are finding even more.
But there doesn't seem to be much emphasis on getting this fixed. Sure, government leaders and intelligence officials make plenty of noise about cyberwar, cyberterrorism, etc., but it's rarely as productive as it is loud. There are some interesting details in the article (even more if you know German and can translate the long report), but all you really need to know about the future of infrastructure security can be found in Zetter's opening sentence:
Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos.

This is where the government's focus is: on a non-critical entertainment concern, which suffered little more than embarrassment and some diminished box office returns on a stoner comedy about assassinating North Korea's dictator.
Like many members of the human race, our officials and legislators have a weakness for the wealthy and the famous. And Sony Pictures has plenty of both. If you're going to be stuck in dry meetings about security flaws and cyberattacks, at least with Sony being touted as Head Victim, you might have the chance to rub elbows with movie execs. No one wants to spend hours consulting with badge-wearers in charge of the nearest hydroelectric plant or attempt to wrap their minds around electrical grid fail-safe measures. So, we get this instead: multiple speeches decrying the Sony hack and sanctions leveled at a country that may not have had anything to do with it. That's what passes for "cybersecurity" in the US government -- sympathy for sexy industries and a constant sales pitch for increased government power and expanded domestic surveillance. Meanwhile, critical infrastructure remains as vulnerable as ever.
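The attack path the BSI report describes, from the corporate network into the production network, is something a defender can actually look for in firewall or flow logs: a corporate workstation should never be talking to a blast furnace controller, and nothing outside the plant should reach the production zone at all. The following is an added example, not code from the BSI report, from Wired or from Techdirt. It audits a handful of constructed flow records and flags accepted connections into the production zone, treating known ICS protocol ports as the most serious. The zone address ranges, the single permitted jump host, the log line format and the sample records are all assumptions for illustration; only the port-to-protocol mapping uses the standard, publicly assigned ports.

```python
"""Flag corporate-to-production (and external-to-production) traffic in flow logs.

Added example. Zone layout, jump host, log format and sample records are
assumptions; the ICS port assignments are the standard ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed network zones (hypothetical addressing for this example).
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")
PRODUCTION_NET = ipaddress.ip_network("10.20.0.0/16")
# The only corporate host that is allowed to open sessions into production
# (assumed: a hardened jump host used by the operators).
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}

# Standard port assignments for common industrial protocols.
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress._BaseAddress
    dst: ipaddress._BaseAddress
    dport: int
    proto: str


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high" or "medium"
    flow: Flow
    reason: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one assumed-format line: 'ts src dst dport proto action'.

    Only ACCEPTed flows matter for this audit; dropped flows mean the
    firewall already did its job. Malformed lines are skipped.
    """
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, action = parts
    if action != "ACCEPT":
        return None
    try:
        return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    int(dport), proto)
    except ValueError:
        return None


def classify(flow: Flow) -> Optional[Finding]:
    """Decide whether an accepted flow into production is a policy violation."""
    if flow.dst not in PRODUCTION_NET:
        return None                       # only inbound-to-production is audited here
    service = ICS_PORTS.get(flow.dport)
    if flow.src in PRODUCTION_NET:
        return None                       # intra-zone traffic is out of scope
    if flow.src not in CORPORATE_NET:
        # Anything that is neither corporate nor production is "outside".
        return Finding("critical", flow,
                       f"external host reached production ({service or 'port %d' % flow.dport})")
    if flow.src in JUMP_HOSTS:
        return None                       # the one sanctioned path into production
    if service:
        return Finding("high", flow,
                       f"corporate host spoke {service} directly to a production device")
    return Finding("medium", flow,
                   f"corporate host reached production on port {flow.dport}")


def audit(lines: Iterable[str]) -> List[Finding]:
    """Run the audit over raw log lines and return findings in log order."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        finding = classify(flow)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log (not real traffic). Line 2 is the permitted jump host,
# line 5 is corporate-internal, line 6 was already blocked.
SAMPLE_FLOWS = """\
2015-01-12T03:14:07Z 10.10.42.17 10.20.7.3 502 TCP ACCEPT
2015-01-12T03:14:09Z 10.10.5.10 10.20.7.3 3389 TCP ACCEPT
2015-01-12T03:15:22Z 10.10.42.17 10.20.7.9 102 TCP ACCEPT
2015-01-12T03:16:00Z 203.0.113.5 10.20.7.3 502 TCP ACCEPT
2015-01-12T03:16:30Z 10.10.42.17 10.10.3.8 445 TCP ACCEPT
2015-01-12T03:17:01Z 198.51.100.9 10.20.7.9 102 TCP DROP
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS.splitlines()):
        print(f"[{f.severity}] {f.flow.ts} {f.flow.src} -> {f.flow.dst}:{f.flow.dport} {f.reason}")
```

Run against the sample, the audit reports two "high" findings (a corporate workstation speaking Modbus and S7comm to production devices) and one "critical" one (an address outside both zones reaching a Modbus port), while the jump host's session and the corporate-internal SMB flow produce nothing. The useful property is the default: any path into the production zone that is not explicitly sanctioned is a finding, which is the posture a phished corporate workstation should have run into.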
Filed Under: cyberattack, physical damage, steel mill
Reader Comments
In the time since, little has been done to lock down these various facilities, many of which we depend on for everyday life. The US has opened Pandora's Box. It will come home to haunt them and indirectly us all.
It takes a while to dissect and understand complicated code. It's been years since it was discovered in the wild and enough time for that to now start happening. Sooner or later, North Korea, ISIS, or whomever will use it. When it is used we will be able to thank our leaders for this new plague released.
The fact that neither the NSA nor any of the other three-letter agencies has bothered to tell software makers where their bugs and security holes are isn't going to help in this matter.
Today's House Briefing
Foreign Affairs Committee
“Briefing: The North Korean Threat: Nuclear, Missiles and Cyber”
Jan 13, 2015 10:00am to 1:00pm
(Webcast also available via C-SPAN.)
Shouldn't the critical infrastructure not be connected to the internet?
Re:
Re:
Running several physically disconnected networks is insanely expensive and well beyond budget.
Re: Re:
Transparent? Yes. But never public-facing.
Re: Re: Re:
In your imaginary world, where money is not a function, maybe. However, here on Earth, cost matters.
You don't make your house windows bulletproof, and steel door, right? (In case you _do_, please seek mental help immediately).
Re: Re: Re: Re:
As do risk and consequences. How great is the cost as a consequence of damage? How high is the risk of that damage?
If people are ignoring high long-term risks with a high cost (monetary and otherwise) as a consequence of failure just so they can save money in the shorter term, well you've just described the problem with modern corporate culture... Infrastructure that is genuinely critical will naturally have a high cost to properly secure it.
"You don't make your house windows bulletproof, and steel door, right?"
I don't but I don't live in a place where bullets are being fired every day, have a high risk of being robbed nor do I house anything vital to the operation of my company/city/whatever. Strangely, my priorities would change if I did...
Re: Re: Re: Re:
That cost can be borne. The other cost, in real lives, cannot.
Re: Re: Re: Re:
What you are really saying is the size of the profit margin is what counts first, not security.
THAT is what is crazy. Security is always first, because if you're not secure you lose the business, the life, the house. "Self" defense, be it for a person or a business, has been the natural first step since people came out of caves. What is going on here, when profit means more than security, is crazy, definitely not normal.
"You don't make your house windows bulletproof, and steel door,"
Today, if one can afford it, yes. We live in a world where governments in just the 20th century murdered more people than died in all the known wars combined.
Think about it.
Re: Re: Re: Re:
Re: Re: Re: Re:
I lived in Chicago for 13 years, and while bulletproof windows are uncommon, steel doors are pretty common. Two of the three places I lived had them.
Also bars, but not bulletproofing, on ground floor windows are fairly common as well.
Finally steel doors are actually less expensive than a quality solid wooden door these days.
Re: Re: Re: Re:
What you're arguing here is that we as a society should absorb the cost of critical infrastructure being on the internet so that the entities who are doing this don't have to bear it. It's saving those entities a dollar while costing the rest of us ten.
Cost matters, yes, but the cost directly to these entities is not the only part that matters.
Re: Re: Re: Re: Re:
The biggest problem I see at the moment is that the risks are often not even considered - "We can have one person monitor three plants if we implement some monitoring software that we expose online" "sounds great. Do it". That will presumably change as events like this become more common (and as insurance companies learn to ask about this sort of risk).
Re: Re: Re: Re: Re: Re:
Re: Re: Re: Re:
No. I also don't put my light switches and thermostats on the outside of the house where just anyone can walk by and mess with them.
Re: Re:
And while you're at it, what is considered 'insanely expensive'? Greater than the US GDP? Greater than this year's profits? Greater than this year's CEO bonus? Greater than this year's IT budget?
too late run
Run now, run for your life, it may be too late if you don't.
Run!!!!!!
Re: too late run
"Damage To German Steel Mill"
Story body:
"A report [pdf link] recently released by Germany's Federal Office for Information Security"
Linked story:
"hackers had struck an unnamed steel mill in Germany"
Your response:
"the idiots running the US are incapabale of anything now"
Well, there's certainly an idiot here somewhere...
Big Government Surveillance
The terrifying bit is that NOTHING is being done to hold the ones responsible for the lousy security on critical systems accountable and, better yet, to force companies to practice good security on such systems. The blast furnace only shut down in a wrong manner, with mainly damage to the equipment itself. I suspect this largely happened because the security valves and systems worked as intended. It could have been way less reassuring: such emergency security systems are also fallible. What if some pressure relief valve had failed? Depending on the size of the thing you could send quite a few blocks flying.
One can only hope the morons legislating actually deal with the real problems instead of the glitter and vanity before something really catastrophic happens.
Why
Re: Why
Don't leave your toys out in the rain.
Don't loan your powertools out to drunken, homeless 5 year olds.
Don't hook critical SCADA systems up to the risky Internet.
Re:
No Subject
This is nothing but MS-grade FUD!
How can anyone believe that vague a report?
Cheers :-)
It's going to get MUCH worse
It really doesn't matter how detailed/vague this particular report is: its significance has little to do with a single steel mill in Germany. The takeaway from this should be a sobering realization that "the Internet of Things" is quite rapidly turning into "the Internet of Bots" and that serious consequences await.
Re: It's going to get MUCH worse
Re: It's going to get MUCH worse
In any case I doubt that everyday gadgets connected to the internet can do any serious harm. Still they are being deployed with lousy security to say the least and to clueless people in general who won't probably change any passwords.
Re: Re: It's going to get MUCH worse
I invite you to write that down on a piece of paper and place it above your screen. Then wait five years.
Re: Re: Re: It's going to get MUCH worse
Re: Re: It's going to get MUCH worse
When foods all have RFIDs embedded, and I remove a staple from my fridge, it adds that item to my shopping list, which is cloud synced because the wife is already on the way to the grocery store, and when she gets there, she'll see that item automagically appear on her smart phone shopping list app.
I can totally see the usefulness of that.
Re: Re: Re: It's going to get MUCH worse
Re: Re: Re: It's going to get MUCH worse
Law enforcement will love it, as they can tell when you have guests, as will your health insurance company, who can tell whether you have a healthy diet.
Re: Re: Re: Re: It's going to get MUCH worse
Re: Re: Re: It's going to get MUCH worse
Me too. But that is a pretty small amount of usefulness, and certainly doesn't balance well against the risks.
Re: Re: It's going to get MUCH worse
Re: Re: It's going to get MUCH worse
Some of those gadgets certainly could. Think heaters, furnaces, etc. However, the really huge risk of the IoT initiative is that it will increase the comprehensiveness and effectiveness of spying.
I will not be hooking these things up to the internet for that reason, and strongly discourage anyone else from doing so.
ahhh the real world hard disk killer
this is just improving on the old
Siberian pipeline sabotage
Selling Shit As Shinola is a Fascist Art Form
It is absolutely essential to the plan that critical infrastructure remain vulnerable. If it were not so, then none of the intended legislation-to-be, rerouting tax-money into phony multi-billion dollar anti-terrorist, anti-hacker, cyber-security scams would be possible.
If you want to make laws against a specific behavior, you first must make sure that the behavior appears to be criminal and that there is a lot of it taking place, or at the very least, flood the news media with reports of its extremely high occurrence rate.
This is how the Drug War was manufactured and maintained.
It is a very highly effective method of social engineering for fun and profit.
This is how the peer to peer equals piracy scam was created and maintained. It is a method that works.
To see it being used once again to create a Cyber Security Scam that will lead to legislation eliminating privacy and the internet, is no surprise at all.
---
Not as easy as it sounds.
If the process operators require advice, I'd much rather VPN to read the SCADA screens and advise, rather than having to go to site which may be 200 miles away. This is doubly true on the night shift, when it might save me getting dressed at all, but will require that I can access from home, which means over the public internet. Obviously management are happy with this because call-out costs are greatly reduced.
For an insight on what can go wrong with a blast furnace, read this report on an explosion that happened in 2001: http://www.hse.gov.uk/pubns/web34.pdf
Telecommunications Is Not The Internet. (to EatBigot, #43)
I was reading in this month's Flying Magazine (Peter Garrison, "Aftermath," Feb 2015) about an airplane, a twin-engine Cessna 310, which crashed because the owner-pilot was attempting to save perhaps ten dollars on the price of gasoline. He bought about twenty gallons less fuel than he should have (say about an hour of flying time), because he was advised that fuel was fifty-three cents a gallon cheaper at his destination. Parenthetically, the mandatory overhauls and part replacements on an airplane of that type might have been at least $500/hour. I think you will perceive a certain similarity.
Re: Not as easy as it sounds.
Using a VPN would count as a minimum security requirement, but it would be even better to not be connected to the internet. That does not in any way mean that there is no way to do remote administration. It only means that your remote connection is not through the internet.
The Last Word
Re: Why
Exactly. Take care of your nice things. Don't leave your toys out in the rain.
Don't loan your powertools out to drunken, homeless 5 year olds.
Don't hook critical SCADA systems up to the risky Internet.