January 14, 2015 By Pamela Cobb 3 min read

In late December, the annual report of the German Federal Office for Information Security (BSI) revealed a disturbing cyberattack on a steel mill that resulted in “massive damage” to the plant. This case is just one of the latest examples of Hollywood fears coming true through the Internet of Things (IoT). Through the judicious use of online translation engines, we have learned several key things about the attack, although specific details about the company and the full extent of the damage are still unknown.

According to the report, the attacker used sophisticated social engineering and spear-phishing to gain initial access to the steel mill’s office network and worked from there into the production network. Individual control components and, at times, whole systems failed as a result, so that the blast furnace could not be shut down in a controlled manner and was left in an undefined state. The attacker’s technical capabilities were very advanced, covering not only conventional IT security but also the specific industrial control and production processes in use at the mill.

The report does not say so explicitly, but that level of process knowledge suggests the attacker was an insider, worked with one, or had studied the industry-standard protocols and equipment used to run the mill. The pivot from the office network to the industrial control system also tells us the two were connected: either there was no air gap, or it had been bridged by some path the attacker was able to find. The more familiar the attacker was with this specific company’s systems, the easier that path would have been to find and exploit.
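The pivot described above leaves a trace that a defender can look for: connections from office hosts to the control segment, especially on industrial protocol ports. The script below is an added example, not code from the original article or from the BSI report. It runs a simple detection over constructed flow records (the subnet layout, the allowed jump host and the sample flows are all hypothetical) and flags every office-to-ICS connection that does not originate from the one host that is supposed to have that access.

```python
import ipaddress
from dataclasses import dataclass

# Assumed network layout (hypothetical addresses, not taken from the BSI report)
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")
ICS_NET = ipaddress.ip_network("10.200.0.0/24")
# Hosts that are permitted to reach the ICS segment at all, e.g. a hardened
# jump host that operators must pass through. Anything else is a pivot.
ALLOWED_SOURCES = {ipaddress.ip_address("10.10.5.20")}
# Well-known industrial protocol ports: Modbus/TCP, S7comm (ISO-TSAP),
# EtherNet/IP and DNP3
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def parse_flow(line):
    """Parse one 'ts,src,dst,dport,proto' record; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, dst, dport, proto = line.split(",")
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def detect_pivots(flow_lines):
    """Return an Alert for every office -> ICS flow from a non-allowlisted host."""
    alerts = []
    for line in flow_lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        # Only the office -> ICS direction matters for this check
        if not (src in OFFICE_NET and dst in ICS_NET):
            continue
        if src in ALLOWED_SOURCES:
            continue
        if dport in ICS_PORTS:
            reason = f"{ICS_PORTS[dport]} from office host"
        else:
            reason = "unexpected office->ICS connection"
        alerts.append(Alert(ts, str(src), str(dst), dport, reason))
    return alerts


# Constructed sample flow records (ts,src,dst,dport,proto); not real traffic
SAMPLE_FLOWS = """\
# constructed sample flow records
2014-12-01T08:02:11,10.10.5.20,10.200.0.15,102,tcp
2014-12-01T08:05:43,10.10.7.101,10.10.1.5,445,tcp
2014-12-01T08:07:02,10.10.7.101,10.200.0.15,102,tcp
2014-12-01T08:07:09,10.10.7.101,10.200.0.22,502,tcp
2014-12-01T08:09:30,10.10.7.101,10.200.0.22,3389,tcp
2014-12-01T08:11:00,10.200.0.15,10.200.0.22,502,tcp
""".splitlines()

if __name__ == "__main__":
    for a in detect_pivots(SAMPLE_FLOWS):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.port}  {a.reason}")
```

On the sample data the jump host’s S7comm session and the ICS-internal Modbus traffic pass silently, while the office workstation 10.10.7.101 produces three alerts: two for industrial protocols and one for an RDP connection that has no business crossing into the control segment. In practice the allowlist belongs in the segmentation firewall as well, so that the flow never happens rather than merely being logged.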

Industrial Targeting

Aside from a striking similarity to any “hacker-of-the-week” television drama, this situation is reminiscent of the Stuxnet worm, discovered in 2010, which was designed to attack industrial programmable logic controllers. Stuxnet reportedly damaged almost one-fifth of Iran’s uranium enrichment centrifuges by driving them outside their safe operating range until they tore themselves apart. That kind of physical destruction caused by a cyberattack makes it the closest known parallel to the steel mill case. Put a pin in the fact that the reported attack on Iran was politically, if not financially, motivated; we’ll come back to that.

This industrial targeting is not new. Last year, IBM Trusteer researchers identified a variant of the Citadel malware targeting Middle Eastern petrochemical companies. Earlier in 2014, reports emerged that attackers were delivering the Havex remote access Trojan (RAT) by compromising the websites of industrial control system vendors and trojanizing the software installers offered there for download. The ultimate goal was for unsuspecting customers to download what looked like a legitimate supervisory control and data acquisition (SCADA) software update, now with the Havex RAT bundled into the package. That gave the attackers a foothold on the customer’s network that they could use at a later time.
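The Havex delivery method works because customers trust whatever the vendor’s site serves. The check below is an added example (not from the article or from any vendor’s tooling): it verifies a downloaded installer against a vendor-published sha256sum-style manifest, and it also verifies the manifest itself against a digest obtained out of band, because an attacker who can replace the installer on the website can replace the manifest next to it just as easily. The installer bytes, the manifest and the pinned digest are all constructed for the example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-format lines ('<hex>  name' or '<hex> *name') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name}")
        entries[name] = digest
    return entries


def verify_download(name: str, data: bytes, manifest_text: str, pinned_manifest_sha256: str):
    """Return (ok, reason).

    The manifest must match a digest recorded out of band (a signed mail, a
    phone call, a value printed on the support contract) before any entry in
    it is trusted; a manifest fetched from the same possibly compromised site
    proves nothing on its own.
    """
    if not hmac.compare_digest(sha256_hex(manifest_text.encode()), pinned_manifest_sha256):
        return False, "manifest does not match out-of-band pin"
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False, "file not listed in manifest"
    if not hmac.compare_digest(sha256_hex(data), entries[name]):
        return False, "installer digest mismatch (possible trojanized download)"
    return True, "ok"


# Constructed sample data: a stand-in for a vendor installer and a trojanized copy
CLEAN_INSTALLER = b"SCADA-SETUP-v2.1 ... legitimate installer bytes ..."
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b"\x00RAT-DROPPER-STUB"
MANIFEST = (
    "# vendor release manifest (constructed for this example)\n"
    f"{sha256_hex(CLEAN_INSTALLER)}  scada-setup.exe\n"
)
# In real use this value comes from somewhere other than the vendor's website
PINNED_MANIFEST_SHA256 = sha256_hex(MANIFEST.encode())

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_INSTALLER), ("trojanized", TROJANIZED_INSTALLER)):
        print(label, verify_download("scada-setup.exe", blob, MANIFEST, PINNED_MANIFEST_SHA256))
```

The clean installer passes, the trojanized copy fails on the file digest, and a manifest that has been rewritten to match the trojanized copy fails earlier, on the pin. A vendor code-signing signature on the installer serves the same purpose as the pin, provided the signing key is checked against something the customer already holds rather than against a certificate served from the same download page.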

Security in the Internet of Things

Amid these threats, in the latest IBM X-Force Threat Intelligence Quarterly, X-Force laid out not only IBM’s model for talking about the structure of the IoT, but also some best practices for designing systems of “things.” The following is how these practices relate to the steel mill attack:

  • Perform regular penetration testing on products. Because the company has not been named, we don’t know which security controls were in place at the compromised steel mill. Whatever they were, they are presumably stricter now.
  • Build a secure design and development practice. The report does not say how the control components were reachable from the office network, but a mill with that kind of connectivity has probably been built or overhauled recently. Allow me to offer a supposition that the German government’s Industry 4.0 initiative has come into play here. Industry 4.0 aims to promote intelligent factory design through adaptability, resource efficiency and ergonomics; the IoT, big data and cloud computing are both motivations for and components of that initiative, and every one of them adds connectivity that has to be designed securely from the start rather than bolted on.
  • Follow industry guidance. In addition to general security best practices, there is guidance specific to SCADA systems and heavy industry, both globally and locally (IEC 62443, for example, covers the security of industrial automation and control systems). Without knowing the company and its practices, it is difficult to ascertain how closely it adhered to that guidance.
  • Follow the Open Web Application Security Project’s Top 10 practices for the IoT. This is actually a list of the top 10 things that could go wrong with a “thing,” from insecure Web, cloud and mobile interfaces through insufficient authentication and insecure network services to insufficient security configurability and insecure software or firmware. Any of them could apply to the steel mill’s industrial controls. Again, the information is limited, so we can’t know for sure.

That Hollywood ‘It’ Factor

Remember that pin we stuck in the reported politically motivated Stuxnet attack on Iran in 2010? Let’s talk about how it relates to the recent Sony Pictures Entertainment breach. Did the attackers gain any direct financial benefit from compromising Sony’s network and releasing its proprietary information? Setting aside whatever a sponsor may have paid them, the demands that accompanied the breach suggest the ultimate goal was to stop a movie from being released, that is, to suppress free speech, not to make money.

The following is a quick rundown of the motivations from the examples in this article:

  • Politically motivated physical destruction of a country’s uranium enrichment centrifuges via a worm in 2010;
  • The Havex RAT, delivered through trojanized ICS vendor software to gain a foothold on industrial networks, starting in 2013;
  • Terrorist-style demands, delivered via a data breach, to stop a movie from being shown in 2014;
  • Physical destruction at a German steel mill for a yet-to-be-disclosed purpose in 2014.

Monetary gain is not the only motive behind cyberattacks, and the Internet of Things is opening new avenues for the others by connecting control systems whose code was written to very different standards of security.
