Ransomware may be grabbing the headlines of late, but cyberattacks can hurt companies and communities in places far worse than their wallets. In 2015, details emerged from a cyberattack that caused “massive damage” to a blast furnace at a German steel mill. This was the second-ever digital attack that caused physical harm to equipment and served as a potential harbinger of future, destructive attacks on critical infrastructure.
Details on the attack were never robust — the name of the plant and the date of the attack are still unclear — but the 2015 annual report from the German Federal Office for Information Security (BSI) described how the attack unfolded. According to the report, the attackers infiltrated the steel mill’s business network via spear-phishing, a targeted social-engineering attack in which an adversary posing as a trusted source tricks a recipient into clicking a link that implants malware on the system. Once inside the business network, the attackers moved laterally into the mill’s other networks, including those controlling plant equipment. Multiple control components then failed, and operators were unable to shut down a blast furnace in a controlled manner, which resulted in the damage.
This kind of cross-network breach is a common problem in the age of digital transformation, where almost everything is connected to a network. Many organizations are still struggling to work out who is responsible for security when it comes to operational technology (OT). Cybersecurity is typically the domain of information technology (IT) professionals, but they seldom see OT systems as their responsibility.
“In so many organizations, digital transformation and Industry 4.0 have created this integration,” said Dino Busalachi, chief technology officer at Velta Technology. “We’re way past convergence. They’ve merged. IT and OT have merged. The problem is, there has not been an owner identified for that type of environment — someone to really own it.”
It’s unknown whether the damage to the blast furnace was part of the attackers’ plan or an unintended consequence of the digital hit on the German steel mill. Regardless, the technical capabilities of the attackers were readily apparent, according to the BSI report. Not only were they able to infiltrate the company’s IT systems, but they were also familiar with industrial control systems and specialized plant software.
“The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” the report says, according to a story on Wired.com that translated it from German.
After a turbulent 2020, hackers have been ensuring 2021 is just as chaotic, launching major cyberattacks on private industry and critical infrastructure alike. According to a new report from Atlas VPN, cyberattacks have increased by 33% since last year, and the total number of malicious attacks in Q1 rose from 538 in 2020 to 713 in 2021. The majority of the high-profile attacks, from Colonial Pipeline to JBS, have involved ransomware.
“I think those bad actors have realized that, ‘If I can shut your production down, I’m going to get paid,’” Busalachi said. “If I steal your data, nobody cares. You may build your backups up. If I get your employee data, that’s OK. With all that, nobody cares. But if I can shut your plant down and I’m holding the keys to that while you’re losing millions of dollars an hour, tens of millions of dollars a day, they’re going to get paid. [Companies] pay because they can’t handle the downtime.”
But while ransomware can have huge financial ramifications for companies and result in control system shutdowns, it is also very much a safety issue. The attacks on Colonial and JBS appear to have hit IT networks, yet they still resulted in costly shutdowns of OT systems. The breach at Colonial Pipeline, which supplies the majority of the East Coast’s fuel, caused gas prices to soar and triggered panic buying among customers, while the attack on JBS, the largest meat processor in the world, stoked fears of meat shortages and price hikes.
Still, the kind of safety threat cyberattacks can pose was probably best evidenced by the breach at the Oldsmar water treatment facility near Tampa Bay, Florida. There, an intruder used remote access software to raise the level of lye (sodium hydroxide) in the drinking water. Operators at the facility noticed the change as it was happening and reversed it before any harm was done, but what if a savvier attacker had breached the system?
“The government should really be thinking about how to enable these critical infrastructure companies to find some funding to actually execute on these programs because it’s not inexpensive,” said Jim Crowley, CEO of cybersecurity company Industrial Defender. “It’s a lot less expensive than if you get hit, as recent events have illustrated. But at the same time, there’s still a bit of a mindset out there of, ‘Well, it’s not going to happen to me. I’ll roll the dice.’ Or, ‘I don’t have time for that. It’s not core to the business.’ But it’s becoming core to the business, and it’s core to the country, as well. We should really be thinking about this as a national security issue and not just a Colonial Pipeline issue or a midstream issue or an oil and gas issue or an energy issue. It’s really a national security issue.”
The only digital attack known to have caused physical damage prior to the one on the German steel mill was Stuxnet, a sophisticated strike in 2007 or 2008 that damaged centrifuges at the Natanz nuclear facility in Iran. The U.S. Department of Homeland Security also demonstrated that this kind of physical damage was possible in 2007 with the Aurora vulnerability, in which researchers caused a diesel generator connected to a power grid to destroy itself through cyber manipulation of its protective relays.
These incidents underscore the threat that repeated attacks on critical infrastructure pose and the need for stronger cyber hardening in both the public and private sectors.