Hackers destroy blast furnace in German steel mill

Story 2015-01-13, in security (#2WPR)
A recent report by Germany’s Federal Office for Information Security reveals that hackers caused "massive" damage to an unnamed steel mill. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down. The report doesn’t name the plant or indicate when the breach occurred.

This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet, the sophisticated digital weapon the U.S. and Israel launched against control systems in Iran in 2008 to sabotage centrifuges at a uranium enrichment plant. Industrial control systems have been found to be rife with vulnerabilities, even though they manage critical systems in the electric grid, in water treatment plants and chemical facilities, and even in hospitals and financial networks.

Commodity solutions for specialized tasks (Score: 1)

by bryan@pipedot.org on 2015-01-13 03:01 (#2WPS)

Part of the problem is that companies don't figure the ongoing hardware and software maintenance into their solutions. They develop the product until it works, ship it, and then ignore it. This leaves the products stuck at a fixed point in time while the rest of the technology world evolves at Moore's Law speed.

Take our office phone system for a simple example. Twenty years ago, our small office (20 employees) upgraded the phone system to the latest and greatest digital PBX. Many of the functions were designed to use a standard computer (a sub-100 MHz original Pentium). The computer/PBX interface was a full-length ISA card, voice mail was stored on the IDE hard drive (still measured in megabytes), the call holding music was simply an mp3 playlist piped out to the audio card (an original Sound Blaster), while the whole thing ran Windows 95a and Microsoft Schedule+. Or, in other words, an archaic piece of crud that still has to function today.

Re: Commodity solutions for specialized tasks (Score: 1)

by fishybell@pipedot.org on 2015-01-13 05:38 (#2WPV)

Jeez, that ain't all that bad. I replaced a PBX (Intertel with Asterisk for the curious) that had a voicemail system running on OS/2 with its chassis on the floor beneath a water heater. Now that was an archaic piece of crud (or at least, somewhat caked in crud).

I Understand (Score: 1)

by venkman@pipedot.org on 2015-01-13 04:12 (#2WPT)

I understand how these control systems end up connected to the Internet. A few years ago in my process engineering job, I had the ability to VPN in and access our plant's control system. When someone calls at 2 in the morning, you don't want to come in to work to troubleshoot.

Re: I Understand (Score: 1)

by tanuki64@pipedot.org on 2015-01-13 09:14 (#2WPW)

You understand? I don't. Yes, it is understandable that no one wants to come to work at 2am to troubleshoot. But you also mentioned one solution: VPN. It is (or should be) a well-known fact that embedded devices and industrial systems often suck at security. But this does not matter if they are isolated behind a proper firewall/gateway. It may not be possible to upgrade the machinery, but the access to and from those systems should be under total control of the operating company.

Re: I Understand (Score: 1)

by evilviper@pipedot.org on 2015-01-13 21:49 (#2WPZ)

You didn't read the article. The SCADA systems were on a different, firewall controlled network. That is not nearly enough to keep attackers out, for many reasons. The article explains the only sure way is an air gap... With ANY internet access at all, no matter how indirect, compromise is possible. An extreme example might be a DNS exploit, where any system on the control network only tried resolving a host name... Commands can similarly be relayed and data proxied over DNS.

Actually, I'd say an air gap is overrated though... The JC Penny breach wasn't over the internet, but instead required physical proximity as they broke in over the WiFi network. Similarly, critical control systems need to be hardened against someone connecting a device with remote access capabilities... That could be a small WiFi router hidden somewhere, a cell phone connected to the network, a dial-up modem connected to a router, etc. Any one of those leaves an air-gapped network open to exploitation from outside attackers. You could insert a WiFi chip into a non-threatening-looking USB mouse, and just leave it some place such a thing might have been accidentally dropped, and watch as it eventually gets connected, giving you a backdoor to an air-gapped network.

And don't forget Stuxnet... Completely air-gapped network, with tremendous physical security and paranoia. Still got penetrated by a worm on a USB thumb drive... which is how air-gapped networks get updates into their networks.

There simply is no easy answer to the problem.
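The comment above notes that once a control network can resolve host names, DNS itself becomes a channel for relaying commands and proxying data. From the defender's side, that traffic has a shape that can be scored from ordinary resolver logs. The following is an added example, not code from the thread or from any product it mentions: it parses a small constructed log (timestamp, client, query name, record type), splits each name into subdomain and a registered domain (assumed here to be the last two labels, a simplification), and flags the patterns tunnel-style traffic tends to show: very long subdomains, high-entropy labels, payload-carrying record types such as TXT or NULL, and many distinct subdomains from one client under one domain. All thresholds, hostnames and addresses are invented for the example.

```python
"""Heuristic scan of DNS query logs for tunnel-like traffic (added example)."""
import math
from collections import defaultdict

# Tunable thresholds; values are assumptions for this example, not vendor defaults.
LONG_SUBDOMAIN = 50   # compact subdomain length (dots removed) that is suspicious
HIGH_ENTROPY = 3.5    # bits/char; hex or base32 blobs sit near 4.0, words near 3.0
MIN_ENTROPY_LEN = 16  # do not score entropy on very short names
MANY_UNIQUE = 5       # distinct subdomains per (client, domain) before flagging
BULK_TYPES = {"TXT", "NULL", "CNAME"}  # record types that carry large answers

# Constructed sample log: one normal client (10.20.1.17) and one client (10.20.1.42)
# sending hex-blob TXT queries under a single domain. None of this is real data.
SAMPLE_LOG = """\
2015-01-13T02:01:05 10.20.1.17 ntp.example.net A
2015-01-13T02:01:06 10.20.1.17 plc-historian.corp.example A
2015-01-13T02:01:07 10.20.1.42 0123456789abcdef.0123456789abcdef.example-tunnel.test TXT
2015-01-13T02:01:08 10.20.1.42 123456789abcdef0.123456789abcdef0.example-tunnel.test TXT
2015-01-13T02:01:09 10.20.1.42 23456789abcdef01.23456789abcdef01.example-tunnel.test TXT
2015-01-13T02:01:10 10.20.1.42 3456789abcdef012.3456789abcdef012.example-tunnel.test TXT
2015-01-13T02:01:11 10.20.1.42 456789abcdef0123.456789abcdef0123.example-tunnel.test TXT
2015-01-13T02:01:12 10.20.1.42 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.example-tunnel.test TXT
2015-01-13T02:01:13 10.20.1.17 www.example.net A
"""


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain); assumes a two-label registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    """Parse 'timestamp client qname qtype'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()}


def score_query(rec):
    """Per-query indicators: long subdomain, high-entropy labels, bulk record type."""
    sub, _ = split_name(rec["qname"])
    compact = sub.replace(".", "")
    reasons = []
    if len(compact) >= LONG_SUBDOMAIN:
        reasons.append("long-subdomain")
    if len(compact) >= MIN_ENTROPY_LEN and shannon_entropy(compact) >= HIGH_ENTROPY:
        reasons.append("high-entropy")
    if rec["qtype"] in BULK_TYPES:
        reasons.append("bulk-rrtype")
    return reasons


def analyze(log_text):
    """Map (client, registered_domain) -> sorted list of indicators seen."""
    subs_per_pair = defaultdict(set)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub, dom = split_name(rec["qname"])
        subs_per_pair[(rec["client"], dom)].add(sub)
        reasons = score_query(rec)
        if reasons:
            findings[(rec["client"], dom)].update(reasons)
    # Volume indicator: one client churning through many names under one domain.
    for pair, subs in subs_per_pair.items():
        if len(subs) >= MANY_UNIQUE:
            findings[pair].add("many-unique-subdomains")
    return {pair: sorted(reasons) for pair, reasons in findings.items()}


if __name__ == "__main__":
    for (client, dom), reasons in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {dom}: {', '.join(reasons)}")
```

On a real resolver this would run over the query log of the control network's own forwarder, with the registered-domain split replaced by a public-suffix lookup; the point is that an egress policy which permits only DNS still leaves a channel worth monitoring, so the indicators above belong in whatever alerting the gateway feeds.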

Re: I Understand (Score: 2, Interesting)

by tanuki64@pipedot.org on 2015-01-13 22:58 (#2WQ0)

> You didn't read the article. The SCADA systems were on a different, firewall controlled network. That is not nearly enough to keep attackers out, for many reasons.

Oh yes, I know the reasons. At the very beginning of my career I worked for almost a year as system administrator for a small company. My first task? Make our net secure. We need a firewall. I did it. And then the complaints started:

"I can't do this, I can't do that. I NEED ftp, I NEED telnet... no, ssh and scp is not enough (I don't know how it works, I don't want to learn anything new)."

"But..."

"No 'but'. You are only admin, I am very important person... Open the ports for me or go job hunting."

That's what I did.... both. No 'or'. The company does not exist anymore. So yes, security is never 100% free. You say one possible attack vector is a USB drive? I know a company where all USB ports were glued shut. A few 'experts' opened their machines to circumvent this useless chicanery with USB boards. Hey, the sys admins are paranoid a**holes with a god complex. Security is important, but not when it interferes with real work... and who can work without music from his personal mp3 collection on USB?

Of course I cannot say for sure that something like this happened in this steel mill, but I would not be surprised a bit. For years now, the most important attack vector isn't the hard- and software anymore, but the wetware.

Re: I Understand (Score: 1)

by evilviper@pipedot.org on 2015-01-14 02:30 (#2WQ3)

> I know a company where all USB ports were glued shut. A few 'experts' opened their machines to circumvent this useless chicanery

They didn't do a very good job then. Computers are easy enough to padlock. Besides, you're obviously not talking about a secure network.

And there's nothing special about USB... ANY WAY you get data into a secure network, from the un-secured rest of the world, is an attack surface. DVD-Rs are just as vulnerable as USB thumb drives. Glue-shut all the ports you want, and you'll still need to exchange data, and however you do that will leave you open to attack.

Re: I Understand (Score: 1)

by tanuki64@pipedot.org on 2015-01-14 09:15 (#2WQ7)

> They didn't do a very good job then.

It is very hard, if not impossible, to do a good job if all efforts are undermined by employees. And sure, you can padlock a computer, but there are limits to what a normal private company can do.