A blast furnace at a German steel mill suffered "massive damage" following a cyber attack on the plant's network. Details of the incident emerged in the annual report of the German Federal Office for Information Security (BSI).
Attackers used booby-trapped emails to steal logins that gave them access to the mill's control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report.
The attackers were very skilled and used both targeted emails and social engineering techniques to infiltrate the plant. Attackers used a "spear phishing" campaign aimed at particular individuals in the company to trick people into opening messages that sought and grabbed login names and passwords. The phishing helped the hackers extract information they used to gain access to the plant's office network and then its production systems.
Once inside the steel mill's network, the attackers' "technical capabilities" were evident: they showed familiarity with both conventional IT security systems and the specialized software used to oversee and administer the plant. BSI did not name the company operating the plant or say when the attack took place. It also said it did not know who was behind the attack or what motivated it.
A steel plant's furnace control system should not be connected to the Internet. Every network link should be examined for possible paths between the control network and other networks. Terminals in the furnace control circuits should never be used for administrative, and certainly not for personal, purposes.
The root causes of such security failures can be traced back to the use of reusable passwords and the ease with which they are compromised, whether via phishing, eavesdropping or keystroke-capturing malware. This is a classic example of the air-gap mythology that endures in industrial control system environments. Most companies have built critical infrastructure without concern for cyber security, when in fact the greater risk is damage to operations, not merely the loss of data.
The architecture that physically separates critical control IT from everything else is mandatory.
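The link review and physical separation called for above can be checked mechanically. The following is an added example, not from the BSI report or any real plant: it models a constructed inventory of permitted network links between zones (the zone names, services and link lists are assumptions) and reports every path by which an attacker holding office credentials could reach the furnace control zone, then shows the same audit on a corrected inventory.

```python
from collections import deque

# Constructed inventory of permitted links: (source_zone, destination_zone, service).
# In practice this is built from firewall rules, switch configs and cabling records.
LINKS = [
    ("internet", "dmz", "https"),
    ("dmz", "office", "smtp"),
    ("office", "historian", "sql"),               # office reads plant data
    ("historian", "furnace_control", "opc-ua"),   # wrong direction: data can flow into OT
    ("office", "engineering_ws", "rdp"),          # dual-use terminal, also used for admin
    ("engineering_ws", "furnace_control", "modbus"),
]

# Corrected inventory: OT only pushes data out, engineering zone not reachable from office.
FIXED_LINKS = [
    ("internet", "dmz", "https"),
    ("dmz", "office", "smtp"),
    ("furnace_control", "historian", "opc-ua"),   # one direction only, out of OT
    ("office", "historian", "sql"),
    ("engineering_ws", "furnace_control", "modbus"),
]

UNTRUSTED = ("internet", "office")   # zones an attacker reaches via phished credentials
CRITICAL = ("furnace_control",)      # zones that must be unreachable from UNTRUSTED


def build_graph(links):
    """Adjacency list: zone -> list of (next_zone, service) for each permitted link."""
    graph = {}
    for src, dst, svc in links:
        graph.setdefault(src, []).append((dst, svc))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the hop list [(zone, service), ...] or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        zone, path = queue.popleft()
        if zone == goal:
            return path
        for nxt, svc in graph.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, svc)]))
    return None


def audit(links, untrusted=UNTRUSTED, critical=CRITICAL):
    """Return {(untrusted_zone, critical_zone): path} for every segmentation violation."""
    graph = build_graph(links)
    return {(s, d): p for s in untrusted for d in critical
            if (p := shortest_path(graph, s, d)) is not None}
```

Running `audit(LINKS)` reports two violations (office and internet both reach `furnace_control` through the historian), while `audit(FIXED_LINKS)` returns an empty dict.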