Cyberattack On German Steel Factory Causes 'Massive Damage'
An anonymous reader writes: In a rare case of an online security breach causing real-world destruction, a German steel factory has been severely damaged after its networks were compromised. "The attack used spear phishing and sophisticated social engineering techniques to gain access to the factory's office networks, from which access to production networks was gained. ... After the system was compromised, individual components or even entire systems started to fail frequently. Due to these failures, one of the plant's blast furnaces could not be shut down in a controlled manner, which resulted in 'massive damage to plant,' the BSI said, describing the technical skills of the attacker as 'very advanced.'" The full report (PDF) is available in German.
"sophisticated social engineering techniques"
So they got some pizza delivery before this all started.
About 20 years ago I used to lecture on the topic of computer security. Taking my cue from UK government experts whom I had met back in the 1980s, I used to point out that the only secure computer system is one that cannot be accessed by any human being. Indeed, I recall one expert who used to start his talks by picking up a brick and handing it round, before commenting, "That is our idea of a truly secure IT system. Admittedly it doesn't do very much, but no one is going to sabotage it or get secret information out of it".
I still have my slides from the 1990s, and one of the points I always stressed while summing up was, "Black hats could do a LOT more harm than they have so far". To my mind, the question was why that hadn't happened. The obvious reason was motive: why would anyone make considerable efforts, and presumably put themselves at risk of justice or revenge, unless there was something important to gain?
Stuxnet was the first highly visible case of large-scale industrial sabotage, and I think everyone agrees it was politically motivated - an attack by one state on another, and as such an act of war (or very close to one). This looks similar, and apparently used somewhat similar methods.
The article tells us that "...hackers managed to access production networks..." The question is, why was this allowed? If "production networks" cannot be rendered totally secure, they should not exist. Moreover, if they do exist they should be wholly insulated from the Internet and the baleful influence of "social networks" and the people who use them.
I am sure that there are many other solipsists out there.
Easy - ransom.
Now they can point to this and say 'you are next - unless you pay'
The one thing driving hacking now is monetising hacks - from crypto ware to bigger things.
Ok, everyone is going to leap into the whole world of control systems, cybersecurity and whatnot, but I have a far deeper question.
What kind of a plant is designed in a way that a full failure of its control system would result in being unable to shut down in a controlled manner? Where are the safety instrumented systems that can shut down processes at the push of a button? Where are the manual overrides? Where is the big-arse power switch, and if that can't shut down the plant safely, then where is the system that drops the plant to a safe state in the event of loss of power?
This scenario to me sounds like cybersecurity was the least of their problems.
I'd rather not call the average attack "very advanced". I'd rather call the average security situation in the average company "very crappy".
And I have little reason to assume this is any different.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The problem is, these companies seem to barely afford one system, let alone a backup system. They don't do the primary right, so who should expect a good backup plan? Look at Sony for example: we find open emails exposing primary passwords and users to their main system. It's like handing over a key to your house to a thief. When it comes to this German plant, what appears to have happened was that there was no means to take the furnace control offline and manually shut it down. This is a dangerous decision that was probably made on the promise of the computer designers that the system in itself had backup systems in place. Of course, they were also controlled by computers. The danger in play is that we have far too many systems totally dependent on computers, without a real logical way to override them.
A perfect example is your car today. If your main engine management computer fails, your car won't run. Not even badly, it just won't run. The big risk today is that every successful hack like Sony, or Target, or this German steel factory emboldens the hackers even more to do more damage.
I read this type of issue time after time.
Why are such critical systems connected to the internet... and further why are they (these critical systems) allowed to see "foreign" websites?
Start with this story: Why are critical systems allowed to be in the same network as email? They should be physically separated, and never see the light of the www. Degrade the subject to Target, Home Depot et al., and why do their critical systems see anything (everything) on the www? At BEST, the only equipment these computers should be seeing is the ONE system they need to communicate with to transfer their business.
Take it one step further: Why do banks - or email (Yahoo, Hotmail, Gmail) NOT allow me to block access from other countries (and/or identify which country I'm visiting)?
Yes, I know that they can use 'other systems' to attack (right now: someone from IP 185.14.30.79 has been using such an attack against my web server for a couple weeks: It's getting really annoying) however such attacks can also be viewed and guarded against.
Leaving the barn door open (by connecting critical systems to the www) for such attacks seems very short sighted.
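The segmentation rule the comment above describes (office hosts may talk to exactly one production system, and production hosts never reach the Internet) can be audited against flow records. This is an added example, not the commenter's code or anything from the BSI report; the zone ranges, the historian host 10.9.0.10 and the sample flows are all constructed.

```python
import ipaddress

# Constructed sample flow records (src, dst, dst_port); not from any real plant.
SAMPLE_FLOWS = [
    ("10.1.20.15", "10.1.20.9", 445),    # office -> office file share: fine
    ("10.1.20.15", "10.9.0.10", 443),    # office -> plant historian: the one allowed crossing
    ("10.1.20.31", "10.9.0.50", 502),    # office -> PLC over Modbus/TCP: violation
    ("10.9.0.50", "203.0.113.7", 443),   # PLC -> Internet: violation
    ("10.9.0.10", "10.9.0.50", 502),     # historian -> PLC inside production: fine
]

# Assumed zone layout for the example.
OFFICE = ipaddress.ip_network("10.1.0.0/16")
PRODUCTION = ipaddress.ip_network("10.9.0.0/16")

# The single sanctioned office->production path: read the historian over TLS.
ALLOWED_CROSSINGS = {("10.9.0.10", 443)}


def zone(addr):
    """Classify an address as office, production or external."""
    ip = ipaddress.ip_address(addr)
    if ip in OFFICE:
        return "office"
    if ip in PRODUCTION:
        return "production"
    return "external"


def audit_flows(flows):
    """Return one finding per flow that crosses a zone boundary it should not."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone(src), zone(dst)
        if src_zone == "office" and dst_zone == "production":
            if (dst, port) not in ALLOWED_CROSSINGS:
                findings.append(f"office->production not on allowlist: {src} -> {dst}:{port}")
        elif src_zone == "production" and dst_zone == "external":
            findings.append(f"production host reaching Internet: {src} -> {dst}:{port}")
        elif src_zone == "external" and dst_zone == "production":
            findings.append(f"Internet host reaching production: {src} -> {dst}:{port}")
    return findings


if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```

Fed real flow exports, the same check highlights the office-to-production pivot path the report describes before an attacker has to be "very advanced" to use it.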
Translation to English to the best of my abilities:
3.3 Incidents in private enterprises
In contrast to governmental offices there is no duty up to now for private companies to report grave security incidents to the BSI.
[.... ]
3.3.1 APT attacks on plants in Germany
Issue
Targeted attack on a steel plant in Germany
Method
Using spear-phishing and advanced social engineering, the attackers gained initial access to the office network of the plant. From there they gradually penetrated into the production networks.
Damage
Failures of individual control units or complete facilities occurred increasingly. The failures prevented the controlled shutdown of one blast furnace and brought it into an undefined state. As a result, the facility sustained heavy damage.
Targets
Operators of plants
Technical capabilities
The attackers showed very advanced technical capabilities. Several different internal systems up to industrial components were compromised. The know-how of the attackers did not only cover IT-security very thoroughly but also included detailed technical knowledge on the running industrial control units and production processes.
Googling for "steel furnace shutdown" finds more reports on unexpected shutdowns this year.
Two in Ashland, Ky, and one or two somewhere in Indiana and one in Bhopal, India. Note that they all seem to have occurred in June/July.
Maybe some competitor trying to up his margin by reducing supply?
Your numbers are nonexistent:
Compare the numbers in steel production from Germany and the U.S. to, for example, China: the US ranks No. 3 and Germany ranks No. 7, but they do play in the same league. (1)
Also, if you take a look at this map (2), you will recognize that China, the US and Germany play in the same league on all exported goods.
According to the table from (3), which is based on data from (4):
1.) China - 1.898.600
2.) US - 1.480.646
3.) Germany - 1.473.889
Conclusion:
IRONY_ON
Yeah, it's totally transparent to me, Germany really does not sell anything!
IRONY_OFF
Germany does export many things, however not much in such low-level things as raw steel.
Further conclusion: divide the export numbers by the population, and you will recognize the efficiency gap.
1.) China - 1.366.040.000
2.) USA - 317.238.626
3.) Germany - 80.760.000
(1) http://en.wikipedia.org/wiki/L...
(2) http://de.wikipedia.org/wiki/D...
(3) http://de.wikipedia.org/wiki/W...
(4) http://stat.wto.org/Statistica...
"Sure. But software shouldn't be able to make hardware damage itself.
Also, designing something like a steelworks without some kind of hardware-level override is so stupid it borders on criminal."
As long as software can make the hardware do something, it can make it damage itself.
As for the damage, it was probably the emergency shutdown that caused the damage (i.e., what you incorrectly label a hardware-level override), since it does a direct quick stop, without following the proper, slower and safer procedures for shutdown.
"Are you paying for them?"
Aha! And there we have the central issue, in the simplest possible terms.
It's a matter of foreseeing and predicting risk, and then defending against it in a cost-effective way. Trouble is, there are very few other domains of expertise (if that is the right word) that so glaringly expose our human weakness at estimating risk. (See Nassim Nicholas Taleb's books, passim). Typically, a token effort at assessing risk is made, and then when some entirely unforeseen disaster strikes out of left field, we mutter about "black swans". The fact is that we are not nearly as clever as we think we are, which often leads us to bite off far more than we can chew.
Another relevant saying is "the left hand knoweth not what the right hand doeth". One person or team does the risk analysis, while other - completely unknown - people pile up unseen risks, which thus cannot be defended against. Presumably the people who designed those systems had no inkling that they would be attacked by technically expert enemies who deliberately set out to do as much damage as possible. I imagine that a resolute inquiry would eventually discover who upset whom, leading to this outcome.
blast furnace:
You intermix iron ore and coke (not the drug! it's processed coal)
and then you start an exothermic reaction. What you then do is process control: you blow in oxygen to react carbon to CO2 to a certain percentage, and when the steel is ready you poke a hole into the furnace and the molten steel pours out.
This is a reaction that is ongoing.
We are talking here about huge amounts of energy.
A smaller example: ever been test running inside a wind turbine of the 1.5 MW class, during nominal power operation?
Push the red button and you will realize what energy is - rollercoaster ride - and how long the rotor will need to come to a full stop.
Bigger example: push the red button in a nuclear power plant. Yes, the control rods will react, but if you don't cool away the heat from radioactive decay, you will get a Fukushima.
I hope you are not pro-nuke, because keeping that in mind (the virtually non-100% hardware red button) you would now have ruled operators of nuclear power plants as so stupid that it borders on criminal.
Also, there were hardware-level overrides and they worked; however, if you leave the molten mass inside the furnace it will solidify == damaged beyond repair.
Which happened there. You then have to rebuild the furnace and beforehand have to cut the wrecked furnace open with a many-ton steel clump (happy cutting).
What compels the management to hook the control network up to the Internet? If a vendor told me that their safety-impinging product needed Internet access to run -- for a license check or for any other reason -- I would tell them to go pound sand, and I'd be happy to take my business to a competitor. If Internet access is not mandatory, you are describing "sometimes an air gap is inconvenient", not "sometimes an air gap is impossible".
Data invariance, even if you can somehow implement it properly on a hardware level, does not protect you if it's the execution pattern that is the attack method for example.
As an example, rapid power cycling/power state change due to a program swiftly being shunted between CPU-intensive and idle threads, etc., can cause power surges that can damage the PSU or the motherboard or even the CPU (as voltage regulators etc. move onboard, they become ever more vulnerable to this), and for all intents and purposes the data input to the program will be fully valid and unchanged. Excessive head parking on a mechanical HD can cause the HD to become faulty. Frequent standby/active cycles on monitors can kill them fairly rapidly.
As for the emergency shutdown, nowadays, with modern equipment, the big red button and the emergency shutdown button in the control program do the same thing: Send a signal to the correct circuit and halt all operation. In some heavy machinery that means just cutting all power, in others it disengages pneumatic valves and thus engaging mechanical brakes etc etc. It depends on what kind of machinery it is.
No, they don't. There are currently EU trade sanctions in place against a whole lot of countries: see here. Restriction of goods seems to be mostly arms, but the list on North Korea is pretty extensive, although it apparently still doesn't include raw steel.
Or... power down the Large Hadron Collider, and see what happens :) http://lhc-machine-outreach.we...
Even with emergency shutdowns, you can still get massive damage
Sure. But software shouldn't be able to make hardware damage itself.
Also, designing something like a steelworks without some kind of hardware-level override is so stupid it borders on criminal.
This is like saying "Sure, but cars shouldn't have anything that propels them forward... that's how car crashes happen."
The sole and entire point of control systems (aka SCADA, DCS, or ICS) is to make it possible for software to control hardware. And it's impossible to make *anything* that can't be broken or cause damage if it's abused. When you factor in things like blast furnaces, substations, or other real-time applications that involve massive amounts of energy (kinetic, electrical, thermal or otherwise), you're harnessing one hell of a big thing, and that means careful balances and lots of risk. You can't have a situation where there's thousands of degrees of heat and gigantic crucibles of molten steel and yet have it impossible for something to be done wrong.
It always makes me crazy when assholes (yes, that's my word for a novice who pontificates about the "incompetence" of actual professionals without citing anything concrete or meaningful) who don't have any experience whatsoever with control systems put forth their idolized version of reality that somehow means that everything can be simple and as safe as a Fisher-Price toy, despite the fact that these environments have never been foolproof in all of human history. Trains crash, pressure vessels explode, chemicals leak, boilers beer-can, transformers flash...it's always been that way, and always will be. Control systems make them less likely to do so for accidental reasons, but also allow an attacker to force it to happen for deliberate ones. That's the trade-off, and to this day it's still a trade-off that's had a positive outcome. It makes no more sense to back out these systems than it did for banking to go back to using adding machines, just because there were cyber security incidents early on in the financial sector. The next step forward is better security for these environments, which is in the process of happening as we speak.
For your security, this post has been encrypted with ROT-13, twice.
A nuclear reactor and a nuclear bomb are as different as cola and coffee.
If you bomb a nuclear reactor you have made a dirty bomb. Not an atom bomb. Dirty bombs are not nice but not as destructive as atom bombs.
Add to that that the fact that all nuclear reactors have massive concrete and steel walls. Those are meant to keep the radiation inside but also keep bombs outside.
I can't find it now (corporate filters) but there is a film clip of a jet fighter crashing into a reactor wall as a test. Watch it and guess if a bomb is going to damage that.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.