In late December, the annual German Federal Office for Information Security report revealed a disturbing cyberattack on a steel mill that resulted in “massive damage” to the foundry. This case is just one of the latest examples of Hollywood fears coming true through the Internet of Things (IoT). Through the judicious use of online translation engines, we have learned several key things about the attack, although specific details about the company and the full extent of the damage are still unknown.
According to the report, the attacker used sophisticated social engineering and spear-phishing tactics to gain initial access to the steel mill’s office network. Individual industrial control components were compromised, which prevented the blast furnace from being shut down. The technical capabilities of the attacker were very advanced, demonstrating a familiarity not only with conventional IT security, but also with the specific applied industrial control and production processes.
Although not explicitly stated, we can infer the attacker was likely an insider — or worked with an insider — or was familiar with industry-standard protocols used in the operation of the mill. Because of the jump from office network to industrial control system, we can also assume the mill’s office network had to be connected to the industrial control system. The more familiar the attacker was with this specific company’s systems, the easier that link would have been to find and exploit.
Aside from a striking similarity to any “hacker-of-the-week” television drama, this situation is reminiscent of the Stuxnet worm that was designed to attack industrial programmable logic controllers in 2010. Stuxnet reportedly compromised almost one-fifth of the nuclear centrifuges in Iran by causing them to tear themselves apart. This type of physical destruction from a cyberattack makes it the most similar case to that of the steel mill. Put a pin in the fact that the reported attack on Iran was politically, if not financially, motivated — we’ll come back to that.
This industrial targeting is not new. Last year, IBM Trusteer researchers identified a variant of the Citadel malware targeting Middle Eastern petrochemical companies. Earlier in 2014, reports emerged that the Havex remote access Trojan (RAT) was being modified by attackers to target the websites of industrial control system manufacturers and poison their software downloads. The ultimate goal was for unsuspecting clients to download the supervisory control and data acquisition (SCADA) software updates, now with bonus Havex RAT in the download package. This let attackers access the network at a later time.
Security in the Internet of Things
Amid these threats, in the latest IBM X-Force Threat Intelligence Quarterly, X-Force laid out not only IBM’s model for talking about the structure of the IoT, but also some best practices for designing systems of “things.” The following is how these practices relate to the steel mill attack:
- Perform regular penetration testing on products. Without identifying the company, we don’t know which security protocols were in place at the compromised steel mill. However, they are likely stricter now.
- Build a secure design and development practice. Logic dictates that the steel mill had to be sufficiently new or recently overhauled to have a Web interface for the industrial controls. Allow me to offer a supposition that the German government’s Industry 4.0 project has come into play in this case. Industry 4.0’s goal is to promote intelligent factory design through adaptability, resource efficiency and ergonomics. The IoT, big data and cloud computing are all motivations and components of this initiative.
- Follow industry guidance. In addition to general security best practices, there are those specific to SCADA systems and heavy industry, both globally and locally. Without knowing the company and its practices, it is difficult to ascertain how closely it adhered to industry guidance.
- Follow the Open Web Application Security Project’s Top 10 practices for the IoT. This is actually a list of the top 10 things that could go wrong with a “thing.” Any of them could apply to the steel mill industrial control, from insecure Web or cloud interfaces to insufficient security configurability. Again, the information is limited, so we can’t know for sure.
That Hollywood ‘It’ Factor
Remember that pin stuck in the reported politically motivated Stuxnet attack on Iran in 2010? Let’s talk about how that relates to the recent Sony Entertainment breach. Did attackers gain direct financial benefits from the attack on Sony’s network and release of proprietary information? Aside from any supposed payment from a sponsor to attack Sony, based on the terrorist demands, the ultimate goal seemed to be to prevent a movie release and prohibit free speech.
The following is a quick rundown of the motivations from the examples in this article:
- Politically motivated physical destruction of a country’s nuclear power generation capabilities via a worm in 2010;
- The Havex RAT targeting SCADA system manufacturers to gain control of industrial controls in 2013;
- Terrorists’ ransom demands to stop a movie being shown via a data breach in 2014;
- Physical destruction of a German steel mill for a yet-to-be-disclosed purpose in 2014.
Monetary gain is not the sole motivating factor in cyberattacks, especially through new avenues of Internet of Things ecosystems that are connecting control systems with varying levels of secure coding.