Slashdot Mirror


Cyberattack On German Steel Factory Causes 'Massive Damage'

An anonymous reader writes: In a rare case of an online security breach causing real-world destruction, a German steel factory has been severely damaged after its networks were compromised. "The attack used spear phishing and sophisticated social engineering techniques to gain access to the factory's office networks, from which access to production networks was gained. ... After the system was compromised, individual components or even entire systems started to fail frequently. Due to these failures, one of the plant's blast furnaces could not be shut down in a controlled manner, which resulted in 'massive damage to plant,' the BSI said, describing the technical skills of the attacker as 'very advanced.'" The full report (PDF) is available in German.

5 of 212 comments

  1. What took them so long? by Archtech · Score: 5, Insightful

    About 20 years ago I used to lecture on the topic of computer security. Taking my cue from UK government experts whom I had met back in the 1980s, I used to point out that the only secure computer system is one that cannot be accessed by any human being. Indeed, I recall one expert who used to start his talks by picking up a brick and handing it round, before commenting, "That is our idea of a truly secure IT system. Admittedly it doesn't do very much, but no one is going to sabotage it or get secret information out of it".

    I still have my slides from the 1990s, and one of the points I always stressed while summing up was, "Black hats could do a LOT more harm than they have so far". To my mind, the question was why that hadn't happened. The obvious reason was motive: why would anyone make considerable efforts, and presumably put themselves at risk of justice or revenge, unless there was something important to gain?

    Stuxnet was the first highly visible case of large-scale industrial sabotage, and I think everyone agrees it was politically motivated - an attack by one state on another, and as such an act of war (or very close to one). This looks similar, and apparently used somewhat similar methods.

    The article tells us that "...hackers managed to access production networks..." The question is, why was this allowed? If "production networks" cannot be rendered totally secure, they should not exist. Moreover, if they do exist they should be wholly insulated from the Internet and the baleful influence of "social networks" and the people who use them.

    --
    I am sure that there are many other solipsists out there.
    1. Re:What took them so long? by JaredOfEuropa · Score: 4, Insightful

      Sure, information needs to be passed back and forth between the office and the plant. The first step in security is to assume that your office network is the same as "the Internet": you don't know what's on there, it is full of malware and hackers, and they are actively out to try and get you. Assume your office network fully compromised, and secure the production network accordingly.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  2. Fundamental failure of process design by thegarbz · Score: 4, Insightful

    Ok, everyone is going to leap into the whole world of control systems, cybersecurity and whatnot, but I have a far deeper question.

    What kind of a plant is designed in a way that a full failure of their control system would result in being unable to shut down in a controlled manner? Where are the safety instrumented systems that can shut down processes at a push of a button? Where are the manual overrides? Where is the big-arse power switch, and if that can't shut down the plant safely then where is the system that drops the plant to a safe state in the event of loss of power?

    This scenario to me sounds like cybersecurity was the least of their problems.

    1. Re:Fundamental failure of process design by Shimbo · Score: 4, Insightful

      Uncontrolled is not necessarily the same as unsafe. If you pull the power to a steel plant, you have steel set in all the wrong places, and it will be a devil's own job to return the plant to working order.

  3. Re: No big red button? by Archtech · Score: 4, Insightful

    "Are you paying for them?"

    Aha! And there we have the central issue, in the simplest possible terms.

    It's a matter of foreseeing and predicting risk, and then defending against it in a cost-effective way. Trouble is, there are very few other domains of expertise (if that is the right word) that so glaringly expose our human weakness at estimating risk. (See Nassim Nicholas Taleb's books, passim). Typically, a token effort at assessing risk is made, and then when some entirely unforeseen disaster strikes out of left field, we mutter about "black swans". The fact is that we are not nearly as clever as we think we are, which often leads us to bite off far more than we can chew.

    Another relevant saying is "the left hand knoweth not what the right hand doeth". One person or team does the risk analysis, while other - completely unknown - people pile up unseen risks, which thus cannot be defended against. Presumably the people who designed those systems had no inkling that they would be attacked by technically expert enemies who deliberately set out to do as much damage as possible. I imagine that a resolute inquiry would eventually discover who upset whom, leading to this outcome.

    --
    I am sure that there are many other solipsists out there.