Writing for Wired, Kim Zetter reports that a recent cyber intrusion in Germany marked the second confirmed case in which a (wholly) digital attack caused physical destruction of equipment.
“The first case, of course, was Stuxnet,” Zetter explained. “That attack was discovered in 2010 and since then experts have warned that it was only a matter of time before other destructive attacks would occur.”
Targeting a German steel mill, the attackers apparently gained access to the facility via the plant’s business network. The digital intruders subsequently forced their way into additional networks where they managed to gain control of various systems tasked with regulating plant equipment.
According to Wired, the attackers infiltrated the corporate network using a spear-phishing attack designed to establish an initial beachhead on the system. “Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a ‘multitude’ of systems, including industrial components on the production network,” Zetter continued. “Failures accumulated in individual control components or entire systems. As a result, the plant was unable to shut down a blast furnace in a regulated manner which resulted in massive damage to the system.”
As the Wired journalist notes, industrial control systems are rife with vulnerabilities – despite managing critical systems regulating the electric grid, water treatment plants, chemical facilities, hospitals and financial networks.
“A destructive attack on systems like these could cause even more harm than at a steel plant,” Zetter concluded.
Michael Mehlberg, Senior Director of Business Development for Government Solutions at the Rambus Cryptography Research division, concurs with Zetter’s assessment.
“It was just a few months ago that Navy Adm. Michael S. Rogers, the commander of U.S. Cyber Command, told Congress that industry control systems and supervisory control and data acquisition systems (aka SCADA) are ‘big growth areas of vulnerability,’” said Mehlberg. “The attack against the German steel mill only highlights the urgent need for secure SCADA systems operating in various facilities and installations across the United States. Damaging a non-critical facility like a steel mill is bad enough, but disabling, even temporarily, a vulnerable SCADA system linked to the grid would be a nightmarish scenario.”
To avoid such malicious attacks, says Mehlberg, new SCADA systems should include strong hardware-based security – integrated at the very beginning of the design process.
“Protecting critical national systems from sophisticated cyber adversaries clearly requires a hardware-based security approach,” Mehlberg added. “Rather than depending on frequent software patches, system designers should make building robust hardware-based security a primary design goal.”