A sophisticated cyber-attack leaves 'massive damage' on a blast furnace at a German steel mill.
Most companies don't publicize when they are victims of preventable cyber-attacks. In 2014, the largest reported IT attack on an industrial control system took place at a German steel mill.
The attack was on the routers and the PLC controllers on the industrial control system, not the business or financial systems to which they were connected.
Industrial Cyber Attack on German Steel Mill
Video source: Jiji Press
As documented in the annual report published by the German Federal office for IT (BSI), the malicious cyber assault was not opportunistic. It was malicious and deliberate.
The report said that 'major damage' was caused to a blast furnace that could not be shut down in a normal fashion.
"This was not a random attack," said Mark Lynch, director of IT security for Industrial Control Systems Engineering. "It was coordinated and strategic in that specific individuals in the company were targeted with booby-trapped emails to get their access information."
Sophisticated Industrial Control System Sabotage
Once the perpetrators got inside the business network, they were able to burrow into the control systems network that operated the equipment on the production floor.
Equipment failures occurred and the operators were not able to immediately contain, stop or even acknowledge the cause of the failures.
This was not an attack to send a political message or to satisfy a juvenile ego. This was industrial sabotage where the perpetrators:
- Selected a specific company.
- Found the key employees and contractors (perhaps on Linkedin).
- Wrote personalized software to steal their access credentials and authorizations.
- Circumvented the secure firewalls.
- Figured out the architecture and procedures of the control system network to get to the production computers.
- Accessed the PLC programming (or perhaps the operating system on the PLCs!).
- Decoded the control algorithm to disable the blast furnace shutdown procedure.
- Unleashed their mayhem so that the full-time production crews could not stop the industrial sabotage!
Not only did these perpetrators know about computer networking, they were experts in control systems and:
- IP packet routing and monitoring.
- Topology of business and industrial control systems and industrial communication networks.
- Security experts in firewall protocol.
- PLC programming and PLC operating systems.
- Knew or learned the industrial production process of a steel mill to inflict maximum damage to the expensive blast furnace.
These guys were cunning enough to fool the experienced engineers into exposing their authorization with social engineering (or whatever you call it).
These crippling attacks cannot be prevented with software patch upgrades. They cannot be stopped at the IP packet level.
Protection of industrial control systems has to be done by one or more of the following methods:
- Proprietary controllers - Off the shelf, readily available controllers may be industry standards but their vulnerabilities are exploitable. Remember the spoofing of mobile phone network identifiers on the old analog cell phone network? That was stopped on the 3G CDMA networks (not GSM) that used propriety and unpublished communication protocols between microprocessors in the control network. If the hackers don't know the language, they can't hijack the system.
- Encryption of the source code. The tried-and-true PLCs will always be used in industry but if the coding standards are made cryptic, this will slow down or discourage hackers. Structured text can be made more ambiguous than ladder logic. Please note that good software architecture and coding practices is always a must. And so is full design documentation.
- Segregate the industrial control system from the business systems, the internet and even dial-up modems to stop outside intrusions (sabotage by internal employees is a different issue). Code modification may be required for just-in-time manufacturing and inventory software.
- Use redundant controllers to make critical decisions, similar to the telecom network or even the space shuttles from the 1980's! Using inexpensive PLCs to prevent a very expensive plant shutdown makes sense.
- Have a real time flight recorder and monitoring system to immediately detect a system deviation from an intruder.
The first step in preventing cyber attacks is understanding your attackers, knowing their capabilities and limiting their resources. We found out a few years from the Stuxnet worm that attacks on industrial control systems will cause massive damage to equipment, company finances and to reputations. This is a preventable crime.