Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyberattack On German Steel Factory Causes 'Massive Damage'

Posted by Soulskill on from the social-engineering-is-the-bug-you-can't-fix dept.

An anonymous reader writes: In a rare case of an online security breach causing real-world destruction, a German steel factory has been severely damaged after its networks were compromised. "The attack used spear phishing and sophisticated social engineering techniques to gain access to the factory's office networks, from which access to production networks was gained. ... After the system was compromised, individual components or even entire systems started to fail frequently. Due to these failures, one of the plant's blast furnaces could not be shut down in a controlled manner, which resulted in 'massive damage to plant,' the BSI said, describing the technical skills of the attacker as 'very advanced.'" The full report (PDF) is available in German.

14 of 212 comments (clear)

  1. yeah right by Anonymous Coward · · Score: 5, Funny

    "sophisticated social engineering techniques"

    So they got some pizza delivery before this all started.

  2. What took them so long? by Archtech · · Score: 5, Insightful

    About 20 years ago I used to lecture on the topic of computer security. Taking my cue from UK government experts whom I had met back in the 1980s, I used to point out that the only secure computer system is one that cannot be accessed by any human being. Indeed, I recall one expert who used to start his talks by picking up a brick and handing it round, before commenting, "That is our idea of a truly secure IT system. Admittedly it doesn't do very much, but no one is going to sabotage it or get secret information out of it".

    I still have my slides from the 1990s, and one of the points I always stressed while summing up was, "Black hats could do a LOT more harm than they have so far". To my mind, the question was why that hadn't happened. The obvious reason was motive: why would anyone make considerable efforts, and presumably put themselves at risk of justice or revenge, unless there was something important to gain?

    Stuxnet was the first highly visible case of large-scale industrial sabotage, and I think everyone agrees it was politically motivated - an attack by one state on another, and as such an act of war (or very close to one). This looks similar, and apparently used somewhat similar methods.

    The article tells us that "...hackers managed to access production networks..." The question is, why was this allowed? If "production networks" cannot be rendered totally secure, they should not exist. Moreover, if they do exist they should be wholly insulated from the Internet and the baleful influence of "social networks" and the people who use them.

    --
    I am sure that there are many other solipsists out there.
    1. Re:What took them so long? by WoOS · · Score: 4, Informative

      The article tells us that "...hackers managed to access production networks..." The question is, why was this allowed?

      When I was in university we wrote an optimizer in "Operations Research" for a still-mill as a practise which determined optimum cutting lengths of steel 'bars' based on customer orders.

      Orders probably arrive in the office network. I can well understand people don't want to walk with a USB stick (if that would survive the environment at all) from their office to the plant to feed instructions into the industrial control units. So probably some network connection was introduced and thought to be sufficiently secured. And then the Windows on the "safe" side was never updated because it couldn't connect to the internet anyway. Wind forward 10 years and you have a Windows full of completely unimaginable holes (which are easy to exploit because Windows is the same everywhere) which is indirectly accessible from the internet.

    2. Re:What took them so long? by JaredOfEuropa · · Score: 4, Insightful

      Sure, information needs to be passed back and forth between the office and the plant. The first step in security is to assume that your office network is the same as "the Internet": you don't know what's on there, it is full of malware and hackers, and they are actively out to try and get you. Assume your office network fully compromised, and secure the production network accordingly.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  3. Fundamental failure of process design by thegarbz · · Score: 4, Insightful

    Ok everyone is going to leap into the whole world of control system, cybersecurity and what not, but I have a far deeper question.

    What kind of a plant is designed in a way that a full failure of their control system would result in being unable to shutdown in a controlled manner. Where is the safety instrumented systems that can shutdown processes at a push of a button? Where are the manual overrides? Where is the big-arse power switch, and if that can't shut down the plant safely then where is the system that drops the plant to a safe state in the advent of loss of power.

    This scenario to me sounds like cybersecurity was the lease of their problems.

    1. Re:Fundamental failure of process design by Shimbo · · Score: 4, Insightful

      Uncontrolled is not necessarily the same as unsafe. If you pull the power to a steel plant, you have have steel set in all the wrong places, and it will be a devil's own job to return the plant to working order.

    2. Re:Fundamental failure of process design by drinkypoo · · Score: 5, Informative

      What kind of a plant is designed in a way that a full failure of their control system would result in being unable to shutdown in a controlled manner.

      Pretty much all of them. At best, you can lose a batch of something if the process fails in the middle. If Sunsweet loses power in the middle of cooking a batch of fruit paste, the batch not only fails and has to be trashed but cleaning the system is far more difficult than if the batch succeeds. At the point where factories become complex enough to need digital automation, you cannot reasonably create a failsafe mechanism which will prevent an error from losing a batch. The best you can hope for in some situations, probably most, is to create mechanical interlocks which will prevent immediately catastrophic combinations of inputs and outputs.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Fundamental failure of process design by amorsen · · Score: 4, Informative

      That is pretty much how industry works. There is a right way to shut down a plant, and it involves a lot of things done in the right order. You can do an emergency shut down, and that will not kill anyone, but you will at minimum have to throw a lot of the stuff away that was going through the plant at the time.

      Steel works are about a worst-case example of this. Lose power at the wrong time and you have no-longer-melted steel stuck in all the wrong places with no way to remove it. Removing this risk is impossible.

      --
      Finally! A year of moderation! Ready for 2019?
    4. Re:Fundamental failure of process design by 140Mandak262Jamuna · · Score: 5, Informative

      Where is the big-arse power switch?

      It is a bloody blast furnace. They could hold anywhere between 20 and 120 tons of liquid molten iron. They are designed to hold that much of liquid metal continuously for five to 10 years. They keep adding raw materials, keep pouring batches and batches of it out. But it always 50% to 100% full of liquid metal. Once in 10 years, they drain, and essentially dismantle the lining of the furnace, and relay the refractory bricks. A three to six month process typically. I don't know the details, I am sure they have a safety pit lined with refractory bricks to drain the furnace in an emergency, like earthquakes, floods or factory fire. It is possible that process was triggered in this instance.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. English translation by WoOS · · Score: 4, Informative

    Translation to English to the best of my abilities:

    3.3 Incidents in private enterprises
    In contrast to governmental offices there is no duty up to now for private companies to report grave security incidents to the BSI.
    [.... ]
    3.3.1 APT attacks on plants in Germany
    Issue
    Targeted attack on a steal plant in Germany
    Method
    Using spear-phishing and advaced social engineering the attackers gained initial access to the office network of the plant. From there they gradually penetrated into the production networks.
    Damage
    Failures of individual control units or complete facilities occured increasingly. The failures prevented the controlled shut down of one blast furnance and brought it into an undefined state. As a result the facility sustained heavy damage.
    Targets
    Operators of plants
    Technical capabilites
    The attackers showed very advanced technical capabilities. Several different internal systems up to industrial components were compromised. The know-how of the attackers did not only cover IT-security very thoroughly but also included detailed technical knowledge on the running industrial control units and production processes.

  5. Maybe not the only one by WoOS · · Score: 5, Interesting

    Googling for "steel furnance shutdown" finds more reports on unexpected shutdowns this year.
    Two in Ashland, Ky, and one or two somewhere in Indiana and one in Bhopal, India. Note that they all seem to have occured in June/July.

    Maybe some competitor trying to up his margin by reducing supply?

  6. Re: No big red button? by Archtech · · Score: 4, Insightful

    "Are you paying for them?"

    Aha! And there we have the central issue, in the simplest possible terms.

    It's a matter of foreseeing and predicting risk, and then defending against it in a cost-effective way. Trouble is, there are very few other domains of expertise (if that is the right word) that so glaringly expose our human weakness at estimating risk. (See Nassim Nicholas Taleb's books, passim). Typically, a token effort at assessing risk is made, and then when some entirely unforeseen disaster strikes out of left field, we mutter about "black swans". The fact is that we are not nearly as clever as we think we are, which often leads us to bite off far more than we can chew.

    Another relevant saying is "the left hand knoweth not what the right hand doeth". One person or team does the risk analysis, while other - completely unknown - people pile up unseen risks, which thus cannot be defended against. Presumably the people who designed those systems had no inkling that they would be attacked by technically expert enemies who deliberately set out to do as much damage as possible. I imagine that a resolute inquiry would eventually discover who upset whom, leading to this outcome.

    --
    I am sure that there are many other solipsists out there.
  7. Re:No big red button? by burni2 · · Score: 5, Informative

    blast furnace:

    You intermix iron ore and coke (not the drug! it's processed coal)
    and then you start an exothermic reaction, what you then do is process control, you blow in Oxygene to react carbon to CO2 to a certain percentage and when the steel is ready you poke a hole into the furnace and then molten steel poures out.

    This is a reaction that is ongoing.

    We are talking here about huge amounts of energy.

    A smaller example: ever been test running inside a wind turbine of +1,5MW megawatt class, during nominal power operation ?

    Push the red button and you will realize what energy is - rollercoaster ride - and how long the rotor will need to come to a full stop.

    Bigger Bigger example, push the red button in a nuclear power plant, yes the control rods will react, but if you don't cool the heat from radiactive decay away, you will get a Fukushima.

    I hope you are not a pro nuke, because keeping that in mind (the virtually non 100% hardware red button) you would now have ruled operators of nuclear power plants as stupid that it borders on criminal.

    Also there were hardware level overrides and they worked, however if you leave the molten mass inside the furance it will solidify == damaged beyond repair

    Which happend there, you have then to rebuild the furnace and beforehand have to cut the wrecked furnace open with a many ton heavy steel clump (happy cutting)

  8. Re:No big red button? by Shinobi · · Score: 4, Informative

    Data invariance, even if you can somehow implement it properly on a hardware level, does not protect you if it's the execution pattern that is the attack method for example.

    As an example, rapid power cycling/power state change due to a program swiftly being shunted between CPU intensive and idle threads, etc can cause power surges that can damage the PSU or the motherboard or even the CPU(as voltage regulators etc move onboard, they become ever more vulnerable to this), and for all intents and purposes the data input to the program will be fully valid and unchanged. Excessive head parking on a mechanical HD can cause the HD to become faulty. Frequent standby/active cycles on monitors can kill them fairly rapidly.

    As for the emergency shutdown, nowadays, with modern equipment, the big red button and the emergency shutdown button in the control program do the same thing: Send a signal to the correct circuit and halt all operation. In some heavy machinery that means just cutting all power, in others it disengages pneumatic valves and thus engaging mechanical brakes etc etc. It depends on what kind of machinery it is.