Slashdot Mirror
Cyberattack On German Steel Factory Causes 'Massive Damage'
An anonymous reader writes: In a rare case of an online security breach causing real-world destruction, a German steel factory has been severely damaged after its networks were compromised. "The attack used spear phishing and sophisticated social engineering techniques to gain access to the factory's office networks, from which access to production networks was gained. ... After the system was compromised, individual components or even entire systems started to fail frequently. Due to these failures, one of the plant's blast furnaces could not be shut down in a controlled manner, which resulted in 'massive damage to plant,' the BSI said, describing the technical skills of the attacker as 'very advanced.'" The full report (PDF) is available in German.
About 20 years ago I used to lecture on the topic of computer security. Taking my cue from UK government experts whom I had met back in the 1980s, I used to point out that the only secure computer system is one that cannot be accessed by any human being. Indeed, I recall one expert who used to start his talks by picking up a brick and handing it round, before commenting, "That is our idea of a truly secure IT system. Admittedly it doesn't do very much, but no one is going to sabotage it or get secret information out of it".
I still have my slides from the 1990s, and one of the points I always stressed while summing up was, "Black hats could do a LOT more harm than they have so far". To my mind, the question was why that hadn't happened. The obvious reason was motive: why would anyone make considerable efforts, and presumably put themselves at risk of justice or revenge, unless there was something important to gain?
Stuxnet was the first highly visible case of large-scale industrial sabotage, and I think everyone agrees it was politically motivated - an attack by one state on another, and as such an act of war (or very close to one). This looks similar, and apparently used somewhat similar methods.
The article tells us that "...hackers managed to access production networks..." The question is, why was this allowed? If "production networks" cannot be rendered totally secure, they should not exist. Moreover, if they do exist they should be wholly insulated from the Internet and the baleful influence of "social networks" and the people who use them.
I am sure that there are many other solipsists out there.
Easy - ransom.
Now they can point to this and say 'you are next - unless you pay'
The one thing driving hacking now is monetising hacks - from crypto ware to bigger things.
Ok everyone is going to leap into the whole world of control system, cybersecurity and what not, but I have a far deeper question.
What kind of a plant is designed in a way that a full failure of their control system would result in being unable to shutdown in a controlled manner. Where is the safety instrumented systems that can shutdown processes at a push of a button? Where are the manual overrides? Where is the big-arse power switch, and if that can't shut down the plant safely then where is the system that drops the plant to a safe state in the advent of loss of power.
This scenario to me sounds like cybersecurity was the lease of their problems.
The problem is, these companies seem to barely afford one system let alone a backup system. They don't do the primary right, so who should expect a good backup plan? Look at Sony for example, we find open emails exposing primary passwords and users to their main system. Its like handing over a key to your house to a thief. When it comes to this German plant, what appears to have happened was no means to take the furnace control offline and manually shut it down. This is a dangerous decision that was probably made on the promise of the computer designers that the system in itself had backup systems in place. Of course they were also controlled by computers. The danger in play, is we have far too many systems totally dependent on computers, without a real logical way to over ride them.
A perfect example is your car today. If your main engine management computer fails, your car won't run. Not even badly, it just won't run. The big risk today is that for every successful hacking like a Sony, or Target, or this German steel factory. Its emboldens the hackers even more to do more damage.
I read this type of issue time after time.
Why are such critical systems connected to the internet... and further why are they (these critical systems) allowed to see "foreign" websites?
Start with this story: Why is there critical systems allowed to be in the same network as email? They should be physically separated - and never see the light of the www, Degrade the subject to Target, Home Depot et al, and why do their critical systems see anything (everything) on the www? At BEST the only equipment these computers should be seeing is the ONE system they need to communicate with to transfer their business.
Take it one step further: Why do banks - or email (Yahoo, Hotmail, Gmail) NOT allow me to block access from other countries (and/or identify which country I'm visiting)?
Yes, I know that they can use 'other systems' to attack (right now: someone from IP 185.14.30.79 has been using such an attack against my web server for a couple weeks: It's getting really annoying) however such attacks can also be viewed and guarded against.
Leaving the barn door open (by connecting critical systems to the www) for such attacks seems very short sighted.
"Sure. But software shouldn't be able to make hardware damage itself.
Also, designing something like a steelworks without some kind of hardware-level override is so stupid it borders on criminal."
As long as software can make the hardware do something, it can make it damage itself.
As for the damage, it was probably the emergency shutdown that caused the damage(i.e, what you incorrectly label hardware-level override), since it does a direct quick stop, without following the proper, slower and safer procedures for shutdown.
"Are you paying for them?"
Aha! And there we have the central issue, in the simplest possible terms.
It's a matter of foreseeing and predicting risk, and then defending against it in a cost-effective way. Trouble is, there are very few other domains of expertise (if that is the right word) that so glaringly expose our human weakness at estimating risk. (See Nassim Nicholas Taleb's books, passim). Typically, a token effort at assessing risk is made, and then when some entirely unforeseen disaster strikes out of left field, we mutter about "black swans". The fact is that we are not nearly as clever as we think we are, which often leads us to bite off far more than we can chew.
Another relevant saying is "the left hand knoweth not what the right hand doeth". One person or team does the risk analysis, while other - completely unknown - people pile up unseen risks, which thus cannot be defended against. Presumably the people who designed those systems had no inkling that they would be attacked by technically expert enemies who deliberately set out to do as much damage as possible. I imagine that a resolute inquiry would eventually discover who upset whom, leading to this outcome.
I am sure that there are many other solipsists out there.
Engineers are so pretentious. Why does it matter what term is used? What a silly thing to be offended about. Every time the title of software engineer gets thrown around, the other engineers make a fit about it too. Can't change my job title. Sorry.
Did they teach you what to call someone who drives a train during your education?
Sure. But software shouldn't be able to make hardware damage itself.
Also, designing something like a steelworks without some kind of hardware-level override is so stupid it borders on criminal.
This is like saying "Sure, but car's shouldn't have anything that propels them forward...that's how car crashes happen."
The sole and entire point of control systems (aka SCADA, DCS, or ICS) is to make it possible for software to control hardware. And it's impossible to make *anything* that can't be broken or cause damage if it's abused. When you factor in things like blast furnaces, substations, or other real-time applications that involve massive amounts of energy (kinetic, electrical, thermal or otherwise), you're harnessing one hell of a big thing, and that means careful balances and lots of risk. You can't have a situation where there's thousands of degrees of heat and gigantic crucibles of molten steel and yet have it impossible for something to be done wrong.
It always makes me crazy when assholes (yes, that's my word for a novice who pontificates about the "incompetence" of actual professionals without citing anything concrete or meaningful) who don't have any experience whatsoever with control systems put forth their idolized version of reality that somehow means that everything can be simple and as safe as a Fisher-Price toy, despite the fact that these environments have never been foolproof in all of human history. Trains crash, pressure vessels explode, chemicals leak, boilers beer-can, transformers flash...it's always been that way, and always will be. Control systems make them less likely to do so for accidental reasons, but also allow an attacker to force it to happen for deliberate ones. That's the trade-off, and to this day it's still a trade-off that's had a positive outcome. It makes no more sense to back out these systems than it did for banking to go back to using adding machines, just because there were cyber security incidents early on in the financial sector. The next step forward is better security for these environments, which is in the process of happening as we speak.
For your security, this post has been encrypted with ROT-13, twice.