Cyberattack On German Steel Factory Causes 'Massive Damage'
An anonymous reader writes: In a rare case of an online security breach causing real-world destruction, a German steel factory has been severely damaged after its networks were compromised. "The attack used spear phishing and sophisticated social engineering techniques to gain access to the factory's office networks, from which access to production networks was gained. ... After the system was compromised, individual components or even entire systems started to fail frequently. Due to these failures, one of the plant's blast furnaces could not be shut down in a controlled manner, which resulted in 'massive damage to plant,' the BSI said, describing the technical skills of the attacker as 'very advanced.'" The full report (PDF) is available in German.
And conquer your fatherland.
"sophisticated social engineering techniques"
So they got some pizza delivery before this all started.
"The attack used spear phishing and *sophisticated social engineering techniques* to gain access "
You won't believe these 12 crazy facts about Kim Kardashian!
Captcha - Unopened
About 20 years ago I used to lecture on the topic of computer security. Taking my cue from UK government experts whom I had met back in the 1980s, I used to point out that the only secure computer system is one that cannot be accessed by any human being. Indeed, I recall one expert who used to start his talks by picking up a brick and handing it round, before commenting, "That is our idea of a truly secure IT system. Admittedly it doesn't do very much, but no one is going to sabotage it or get secret information out of it".
I still have my slides from the 1990s, and one of the points I always stressed while summing up was, "Black hats could do a LOT more harm than they have so far". To my mind, the question was why that hadn't happened. The obvious reason was motive: why would anyone make considerable efforts, and presumably put themselves at risk of justice or revenge, unless there was something important to gain?
Stuxnet was the first highly visible case of large-scale industrial sabotage, and I think everyone agrees it was politically motivated - an attack by one state on another, and as such an act of war (or very close to one). This looks similar, and apparently used somewhat similar methods.
The article tells us that "...hackers managed to access production networks..." The question is, why was this allowed? If "production networks" cannot be rendered totally secure, they should not exist. Moreover, if they do exist they should be wholly insulated from the Internet and the baleful influence of "social networks" and the people who use them.
I am sure that there are many other solipsists out there.
What, like, extra-lying? Doubleplusgood lying? I don't get it. There is only one way to not tell the truth.
Easy - ransom.
Now they can point to this and say 'you are next - unless you pay'
The one thing driving hacking now is monetising hacks - from crypto ware to bigger things.
Ok everyone is going to leap into the whole world of control system, cybersecurity and what not, but I have a far deeper question.
What kind of a plant is designed in a way that a full failure of their control system would result in being unable to shut down in a controlled manner? Where are the safety instrumented systems that can shut down processes at the push of a button? Where are the manual overrides? Where is the big-arse power switch, and if that can't shut down the plant safely then where is the system that drops the plant to a safe state in the event of loss of power?
This scenario to me sounds like cybersecurity was the least of their problems.
I'd rather not call the average attack "very advanced". I'd rather call the average security situation in the average company "very crappy".
And I have little reason to assume this being different.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The problem is, these companies seem to barely afford one system, let alone a backup system. They don't do the primary right, so who should expect a good backup plan? Look at Sony for example: we find open emails exposing primary passwords and users to their main system. It's like handing over a key to your house to a thief. When it comes to this German plant, what appears to have happened was no means to take the furnace control offline and manually shut it down. This is a dangerous decision that was probably made on the promise of the computer designers that the system in itself had backup systems in place. Of course they were also controlled by computers. The danger in play is we have far too many systems totally dependent on computers, without a real logical way to override them.
A perfect example is your car today. If your main engine management computer fails, your car won't run. Not even badly, it just won't run. The big risk today is that every successful hacking like Sony, or Target, or this German steel factory emboldens the hackers even more to do more damage.
I read this type of issue time after time.
Why are such critical systems connected to the internet... and further why are they (these critical systems) allowed to see "foreign" websites?
Start with this story: Why are critical systems allowed to be in the same network as email? They should be physically separated - and never see the light of the www. Degrade the subject to Target, Home Depot et al, and why do their critical systems see anything (everything) on the www? At BEST the only equipment these computers should be seeing is the ONE system they need to communicate with to transfer their business.
Take it one step further: Why do banks - or email (Yahoo, Hotmail, Gmail) NOT allow me to block access from other countries (and/or identify which country I'm visiting)?
Yes, I know that they can use 'other systems' to attack (right now: someone from IP 185.14.30.79 has been using such an attack against my web server for a couple weeks: It's getting really annoying) however such attacks can also be viewed and guarded against.
Leaving the barn door open (by connecting critical systems to the www) for such attacks seems very short sighted.
Translation to English to the best of my abilities:
3.3 Incidents in private enterprises
In contrast to governmental offices there is no duty up to now for private companies to report grave security incidents to the BSI.
[.... ]
3.3.1 APT attacks on plants in Germany
Issue
Targeted attack on a steel plant in Germany
Method
Using spear-phishing and advanced social engineering the attackers gained initial access to the office network of the plant. From there they gradually penetrated into the production networks.
Damage
Failures of individual control units or complete facilities occurred increasingly. The failures prevented the controlled shutdown of one blast furnace and brought it into an undefined state. As a result the facility sustained heavy damage.
Targets
Operators of plants
Technical capabilities
The attackers showed very advanced technical capabilities. Several different internal systems up to industrial components were compromised. The know-how of the attackers did not only cover IT-security very thoroughly but also included detailed technical knowledge on the running industrial control units and production processes.
They have to be stopped and if the USA won't do it then I hope Germany will.
Because, like it or not, the "modern" production works or is at least wished to work with small human interaction.
The general wish is that you can do Enterprise Resource Planning(1) (SAP/R3 & Oracle for example). That you can model your whole value added chain into such a system.
Also these ERPs can do a process simulation with alteration of certain factors; this helps the "gold collars" to make a choice not solely based on their gut feeling.
- yes, many times these models are far from reality, and SAP & Oracle is a pain in the ass if you have dumb integrators -
(1) http://en.wikipedia.org/wiki/E...
Is it just me, or does it smell like someone modified Stuxnet to apply to more models and just tricked someone into installing it?
I wish news reports and articles would stop calling Stuxnet the first known cyber weapon. I can understand why they don't count DDoS or website defacements, because those don't cause permanent or physical destruction. Yet other worms have caused computers to become permanently inoperable, or required computers to be replaced, because their integrity could no longer be trusted. I suppose those could be excluded, because they didn't cause a bang or create smoke. But what about the Siberian pipeline explosion in 1982? That infection was not transmitted over the Internet, yet apparently neither was Stuxnet. There must be other examples as well.
I can understand attacking a plant in the US, but Europeans sell anything to anyone with the cash (and then bitch at us for being hypocrites).
Russians, maybe, since Merkel wanted to stay tough on sanctions?
"I don't know, therefore Aliens" Wafflebox1
Why do banks - or email (Yahoo, Hotmail, Gmail) NOT allow me to block access from other countries (and/or identify which country I'm visiting)?
Some do. E.g. my banks do. My banks use two step authentication, which I can disable on a computer by computer basis. (And, e.g., I don't disable it on my phone.)
Since my BYOD laptop usually only travels between my house and my office I have disabled it on that, but when I take my laptop into another country, or even just another state, the two step auth is automatically reenabled.
And gmail at least has noticed that someone had signed onto my account from another location – one it hadn't seen me sign on from before – and notified me.
Good show Vladimir,
I recommend going after a power plant next. Extra bonus point for nuclear.
Eventually, they'll understand....
Looks like the hackers did hit the weak spot.
Googling for "steel furnace shutdown" finds more reports on unexpected shutdowns this year.
Two in Ashland, Ky, and one or two somewhere in Indiana and one in Bhopal, India. Note that they all seem to have occurred in June/July.
Maybe some competitor trying to up his margin by reducing supply?
Your numbers are nonexistent:
Compare the numbers in steel production from Germany & U.S. to, for example, China: US ranks No 3, Germany ranks No 7, but they do play in the same league. (1)
Also if you take a look at this map(2) you will recognize that China, US and Germany on all exported goods do play in the same league,
according to the table from (3) which is based on data (4):
1.) China - 1.898.600
2.) US - 1.480.646
3.) Germany - 1.473.889
Conclusion:
IRONY_ON
Yeah, it's totally transparent to me, Germany does really not sell anything!
IRONY_OFF
Germany does export many things, however not much on such low level things like raw steel.
Further conclusion, divide the export numbers and the amount of population, and you will recognize the efficiency gap.
1.) China - 1.366.040.000
2.) USA - 317.238.626
3.) Germany - 80.760.000
(1) http://en.wikipedia.org/wiki/L...
(2) http://de.wikipedia.org/wiki/D...
(3) http://de.wikipedia.org/wiki/W...
(4) http://stat.wto.org/Statistica...
As an industrial consultant I get into many factories large and small
Many of the smaller factories, particularly those in 3rd world countries, are actually 'safer' from attack by hackers --- mainly because their production equipment is mostly older models; their lack of 'up-to-date-ness' means those production machines are not online.
Not so for larger plants in more advanced countries!
Nowadays new crops of machines are all equipped with MEMs which measure everything from the temperature of such and such part of the machinery to pressure gauging to whatever is important for the function of the machinery ... and all those MEMs must be linked up to some kind of network in order for the control system to obtain near real-time information. Many of those plants got their production machinery hooked up not only to their local network, but also to the Internet as well!
It's a dilemma for many plant owners
On one hand if they do not hook their machines up to the network they can't obtain instant feedback
On the other hand, when their machines are networked, and when their networks are linked to the Internet, it opens up a big fucking backdoor for hackers to get in.
Sure. But software shouldn't be able to make hardware damage itself.
Also, designing something like a steelworks without some kind of hardware-level override is so stupid it borders on criminal.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Because everything is connected to the internet. There isn't a computer that can't be reached from the internet, directly or indirectly. Even airgapped systems are eventually in contact with maintenance systems which have previously been connected to the internet. If your security model involves perfect anything, it's a failure. Perfect separation, perfect code, perfect employees: All unachievable.
Why are critical systems allowed to be in the same network as email?
Email from operations to the shop floor: "Hey Klaus, we've determined that for the following job we need parameters set at P=123.79 and Q=119.11". Klaus prints it out from his email-connected computer, picks up the printout, walks across to the control computers, and starts typing in the parameters from the printout. Unfortunately he has a typo that causes the entire batch to be not quite up to spec.
Solution: come up with a way for the parameters to be taken precisely from email into production, without the error-prone act of typing them out again.
and then bitch at us for being hypocrites
and be right about that.
Grandparent made no statement about the scale of business. Grandparent expressed the perception that Germany will sell whatever is in demand to whomever is demanding it, as long as the money is right.
Why do banks ... NOT allow me to block access from other countries (and/or identify which country I'm visiting)?
A: You need to change banks.
My online banking allows me to block the use of my card to make in-store purchases or ATM withdrawals within and/or outside the country and/or EU. I can also enable or disable the use of my card for online purchases. I can also enable or disable any use of the card for other than logging into online banking from within the country--that last item takes a call to the bank. (Not sure whether not being able to lock yourself out unless you're overseas is a good or bad thing.) I can also set and change separate limits on in-store purchases, cash withdrawals, and online purchases. Doing any of these things takes about 2 minutes, and I can do any of them any time that it suits me.
Banking online with my bank also requires multiple factors--the card, a card reader issued by the bank, a government-issued personal ID number, and the PIN--and uses multiple challenge/response to confirm login and any monetary transactions, with a time limit of 4 minutes before the codes become invalid and you must start the authentication process over from scratch. I'm aware that there's no such thing as perfect security, but this seems to run pretty close.
Il n'y a pas de Planet B.
I can understand attacking a plant in the US, but Europeans sell anything to anyone with the cash (and then bitch at us for being hypocrites).
Russians, maybe, since Merkel wanted to stay tough on sanctions?
Believing propaganda much?
I think you'd be surprised if you knew who the US exported to. Of course there are no official papers proving anything. American goods just happened to show up there.
You can have electronic communication on an isolated network. And there are plenty of ways to input data accurately with error checking. Add CRC to the input. If they don't match, find the error(s). Or dual/triple/quad entry so that it's only accepted if the fields match. Like when you're creating a password for a new account. Or print a QR code and scan it on the isolated system. You can pack a lot of data and error correction into QR codes.
Of course, this all assumes that the input is legitimate.
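As an added illustration of the error-checked transcription the comment above describes (not code from anyone in the thread): the office side appends a CRC-32 to the parameter line before printing it (or encoding it in a QR code), and the isolated control system recomputes it before accepting the typed values. The parameter names and values come from the "Klaus" example earlier in the thread; the line format is a construction for this example.

```python
"""Constructed example: detecting manual-transcription errors in production parameters.

The office network renders the parameters as one line with a CRC-32 trailer.
The isolated production system verifies the trailer before accepting the values.
"""
import zlib


def sign_parameters(params: dict) -> str:
    """Render parameters as 'K=V;K=V#CRC32' for printing or QR encoding.

    Keys are sorted so both sides serialise identically.
    """
    body = ";".join(f"{k}={v}" for k, v in sorted(params.items()))
    crc = zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF
    return f"{body}#{crc:08X}"


def parse_parameters(line: str) -> dict:
    """Verify the CRC trailer and return the parameters; raise ValueError otherwise.

    A CRC-32 detects every error confined to a span of 32 bits or fewer, so a
    mistyped digit or a swapped pair of adjacent digits is always rejected.
    It is not a defence against tampering: whoever can edit the sheet on the
    office side can simply recompute the trailer, which is exactly the
    "assumes that the input is legitimate" caveat above.
    """
    body, sep, trailer = line.rpartition("#")
    if not sep or len(trailer) != 8:
        raise ValueError("missing or malformed CRC trailer")
    expected = int(trailer, 16)
    actual = zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF
    if expected != actual:
        raise ValueError(
            f"CRC mismatch: sheet says {trailer}, typed line gives {actual:08X}"
        )
    params = {}
    for field in body.split(";"):
        key, eq, value = field.partition("=")
        if not eq or not key:
            raise ValueError(f"malformed field {field!r}")
        params[key] = value
    return params


def transcription_ok(line: str) -> bool:
    """True when the typed line verifies, False on any detected transcription error."""
    try:
        parse_parameters(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sheet = sign_parameters({"P": "123.79", "Q": "119.11"})
    print("printed sheet:", sheet)
    # Operator types the line correctly: accepted.
    print("exact copy accepted:", transcription_ok(sheet))
    # Operator swaps two adjacent digits (119.11 -> 191.11): rejected.
    print("transposition accepted:", transcription_ok(sheet.replace("119.11", "191.11")))
```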
2.2 Angriffsmittel und -methoden (attack means and methods)
2.2.1 Spam
2.2.2 Schadprogramme (malware)
2.2.3 Drive-by-Exploits und Exploit-Kits
2.2.4 Botnetze (botnets)
2.2.5 Social Engineering
2.2.6 Identitätsdiebstahl (identity theft)
2.2.7 Denial of Service
2.2.8 Advanced Persistent Threats (APT)
2.2.9 Nachrichtendienstliche Cyber-Angriffe (intelligence-service cyber attacks)
I can understand Spam but Drive-by-Exploits? Social Engineering? Denial of Service???
Surely there are German words for this? I mean 2.2.4 I'm pretty sure is botnet; which I assume should be a lot harder to give its own German translation than Advanced Persistent Threat...
Technology, the cause of and solution to all of life's problems.
Error checking won't catch parameter p.11.23 vs. p.11.32.
QR code isn't a bad idea though.
i thought once I was found, but it was only a dream.
or maybe they should check who got fired in the last few months... or overlooked for a promotion.
Mostly random stuff.
Actually, bar codes and QR codes are used in some industrial systems to input orders, for larger batch jobs. The problem is when you are in need of continuous feedback etc, or running lots of small custom jobs.
Production networks commonly use poor passwords or even defaults. Computers are infrequently updated with security patches, if at all. Plus your production network should never be connected to any outside network, that's just dumb. But companies in an attempt to save money create a jack-of-all-trades position and fill it with poorly qualified people.
No, they don't. There are currently EU trade sanctions in place against a whole lot of countries: see here. Restriction of goods seems to be mostly arms, but the list on North Korea is pretty extensive, although it apparently still doesn't include raw steel.
https://www.youtube.com/watch?...
The nacelle goes back and forth about 2-3m (in both directions)
https://www.youtube.com/watch?...
Who the heck thought it was a good idea to put multiple network "classifications" on the same network?
*crickets* *crickets*
"Due to these failures, one of the plant's blast furnaces could not be shut down in a controlled manner"
...
And the solution being to not connect your production networks to the Internet
Why weren't the systems separated, furnace control isolated.
"If any question why we died, Tell them because our fathers lied."
Would someone be so kind to mod his post up ?
I mean if these Germans can't operate their factory, what choice do I have.
Russian non-state hackers, I would posit; I can't see the point of burning state resources on this. And I can't see anyone else with the motivation plus capability. The only other remote possibility is some sort of false flag operation to demonstrate the need for more resources from some Western agency.
[FUCK BETA]
If companies want their business insured, perhaps the insurance companies can make having an 'airgap' a requirement of having coverage.
Uh, Linux geek since 1999.
Because manual entry is likely to see things like "their" spelled "there". Which kinda-sorta looks right, but isn't.
"I do not agree with what you say, but I will defend to the death your right to say it"
You have little reason to assume *anything*, but it isn't stopping you for some reason.
100% security has infinite costs. It is all about having PROPER security levels and cost.
Of what use is an unprofitable, yet 100% secure steel mill???
...in this modern world of Hedge Fund Whores, you bet they had the most ineffective security in place you can think of. Probably the DSL router was the only fence between the bad and the "good" world.
That's what we can assume based on what we know from other el cheapo corporations. This world is run by cheapskates who work for the banksters who build their next country castle bullshit house.
Occam's Razor etc.
Don't be too cheap or too lazy, do not connect critical systems to the internet.
It's in the IAEA report; due to a positive void coefficient, and a poor control system, the SCRAM of the reactor is what actually blew it up.
No Shit.
http://www-pub.iaea.org/MTCD/p...
So how would that have prevented the current attack? If the office network is compromised the attackers can change the QR code, so you've made the whole process more complex with only a minimum gain in security.
AFAIK the explosion was a hydrogen gas explosion due to water thermolysis after the core meltdown. Nothing like a nuclear bomb blast.
Because IT workers lack trade unions.
We don't have the authority to say "This is dangerous and violates acceptable practice " without getting fired.
I'm deadly fucking serious. Sure, you can stand up for yourself, get fired, get blackballed by the industry. Hope that whistleblower laws cover your ass against the hordes of well paid lawyers the company hires who are literally trying to ruin your life, reputation, and credibility. All while you have no job, no income, nothing.
With a trade union you can stand up for standards that are important, more important than the authority of your boss. Your fellow workers and their collective power will stand up for you.
As it stands, when some nameless pencil dick middle manager says "I need to be able to send the blast furnace and email" you have to do it. No, that statement is not a typo. It's exactly the sort of asinine braindead shit you face every day and you fucking know it.
It would be ideal, and smart, if all production systems like these were on isolated networks and not accessible from the net. But nine times out of ten the reason they aren't is so that corporate IT can manage the systems remotely rather than paying for on site IT support. It's a tradeoff. Is the risk of an attack like this greater because your systems are connected to the net or is it better to have all sites managed locally knowing there won't be consistency in how the sites are managed? Having a good management system in place to centrally manage security and patching and such can keep security holes closed better than fragmented individual networks. So which is better? There is no right answer.
Smile, it makes people wonder what you're up to.
Actually... I believe there is a right answer: Currently (as noted) management prefers to cut costs - without considering or being held responsible for the consequences. When "my" (personal) information is leaked over the internet, who pays? ME. Solution: crack down on such incidents - the person responsible for holding the information. In short: Improve security. WHEN it happens, pay the person whose information is leaked for potential damages from the company that holds the information -- and allow the door to be further open for (more) actual damages. In short: Put management's feet to the fire. Wake up to the reality of the so-called savings. If you can't "secure" your data or equipment, you disconnect it from the internet. Pull the (internet) plug - a hacker can't gain access to and download terabytes of data from a physically isolated system.
Because IT workers lack trade unions.
We don't have the authority to say "This is dangerous and violates acceptable practice" without getting fired.
Irony: I was fired for refusing to use live customer data (and reported the practice to upper management). I advised that customer data (test) might be mixed with customer data (live) .. and was over-ruled -- the development team said that it could never happen. Just before I was fired, customers were calling and complaining - their (on-line) bills were not right - development had mixed the data connections - and the customers were looking at the "test" database. About six months later the company was being investigated by the state AG.
Yeah, I agree. My management asked me after one incident how we could truly lock down one of our systems. I sent them a picture of a power strip with all the cords unplugged. They weren't amused. The truth is any system with users is never 100% secure, but that's not a popular answer.
Smile, it makes people wonder what you're up to.
Yeah, I agree. My management asked me after one incident how we could truly lock down one of our systems. I sent them a picture of a power strip with all the cords unplugged. They weren't amused.
Ah... should have sent them a picture of a generator!
The truth is any system with users is never 100% secure, but that's not a popular answer.
Yes, agreed. BUT they can be a lot more secure than what is going on right now.
Controlled manual shutdown. Not perfect, because it takes 3 days to bring it back online. I guess it was too modern to implement. If they had, they probably did not know how to do it?