In 2014, attackers with knowledge of both IT security and industrial control system (ICS) processes caused massive damage to a German steel plant. The incident was confirmed by Germany's Federal Office for Information Security (BSI) in its annual IT security report.
The attackers, who appear to have specifically targeted the operators of industrial plants, caused components of the plant's control systems to fail one after another. As a result, a blast furnace could not be shut down in a regulated manner, which led to massive physical damage to the plant.
The individual or group responsible gained an initial foothold in the plant's office network using spear phishing and social engineering, then worked their way into the production network. Both techniques rely on emails or social media messages that appear to come from a legitimate source but carry a malicious link or attachment; once a victim acts on the lure, the attacker has a first foothold inside the network from which to move further.
A number of news reports have dubbed this only the second cyber attack ever to cause physical damage, after the Stuxnet malware that wreaked havoc on the Natanz uranium enrichment plant in Iran. Attacks that affect the real-world operations of facilities have, however, been going on all along; they simply go unreported by the affected organizations. More accurately, the German steel plant attack is the second attack since Stuxnet whose physical impact was confirmed by an official government source. A 2010 review of Stuxnet also noted the Slammer worm, which hit the network of a nuclear plant in Ohio in 2003, and the DOWNAD/Conficker worm, which caused malfunctions at a number of high-profile institutions.
“Despite several documented security issues in relation to SCADA devices, little has been achieved in the past 10 years to help secure them. SCADA deployment has consistently risen. Lack of information security implementation and advancements in SCADA technology have dramatically increased security risks worldwide with likely far-reaching consequences,” explains Trend Micro Forward-Looking Threat researcher and SCADA systems expert Kyle Wilhoit in a research paper.
Protecting your SCADA environment may seem like a daunting task. Wilhoit suggests that organizations start with the following basic configurations to improve the security of SCADA devices:
Disable Internet access to your trusted resources, if possible.
Ensure that your trusted resources have the latest updates and that new patches/fixes are monitored.
Use real-time anti-malware protection and real-time network scanning locally on trusted hosts and where applicable.
Require user name/password combinations for all systems, even those deemed “trustworthy.”
Set secure login credentials and do not rely on defaults.
Implement two-factor authentication on all trusted systems for any user account.
Disable remote protocols that are insecure.
Disable all protocols that communicate inbound to your trusted resources but are not critical to business functionality.
Utilize network segmentation to secure resources like VES systems, ICS, and SCADA devices.
Develop a threat modeling system for your organization. Understand who’s attacking you and why.
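Several of the items above (no Internet access to trusted resources, no insecure remote protocols, no non-critical inbound protocols, network segmentation) can be written down as a single enforceable policy rather than a checklist. What follows is an added example, not code from the original article or from Wilhoit's paper: a zone-based allowlist for an ICS network that is validated against those rules and rendered as an nftables ruleset. The zone address ranges, port numbers and rule justifications are illustrative assumptions.

```python
# Added example (not from the original article or Trend Micro's paper): a
# zone-based allowlist for an ICS network encoding several of the
# recommendations above: default-deny inbound to the control zone, no direct
# enterprise-to-control traffic, and no insecure remote protocols exposed.
# Zone address ranges, ports and justifications are illustrative assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),  # corporate IT (assumed range)
    "dmz": ip_network("10.1.0.0/24"),         # historian / jump hosts (assumed)
    "control": ip_network("10.2.0.0/24"),     # PLCs, HMIs, SCADA servers (assumed)
}

# Cleartext or unauthenticated remote-access protocols that must never be
# reachable from outside the control zone.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin",
                  514: "rsh", 5900: "vnc"}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone name
    dst: str      # destination zone name
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    comment: str  # business justification, kept in the rendered rule


# Everything not listed here is dropped (default deny).
ALLOW = [
    Rule("dmz", "control", "tcp", 502, "Modbus/TCP polling from the historian"),
    Rule("dmz", "control", "tcp", 22, "SSH from the jump host for maintenance"),
    Rule("control", "dmz", "tcp", 443, "controllers push data to the historian"),
    Rule("enterprise", "dmz", "tcp", 443, "engineers reach the historian web UI"),
]


class PolicyError(ValueError):
    pass


def validate_policy(rules):
    """Reject any rule that violates the segmentation model before it is deployed."""
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            raise PolicyError(f"unknown zone in {r}")
        if r.src == "enterprise" and r.dst == "control":
            raise PolicyError(f"enterprise must not reach control directly: {r}")
        if r.dst == "control" and r.port in INSECURE_PORTS:
            raise PolicyError(
                f"{INSECURE_PORTS[r.port]} inbound to control is not allowed: {r}")
        if not r.comment:
            raise PolicyError(f"rule without business justification: {r}")
    return True


def zone_of(ip):
    """Map an address to its zone; addresses outside every zone are untrusted."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip, dst_ip, proto, port, rules=ALLOW):
    """Evaluate a new flow the way the rendered boundary firewall would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown address: default deny
    if src == dst:
        return True             # intra-zone traffic never crosses this boundary
    return any(r.src == src and r.dst == dst and r.proto == proto and r.port == port
               for r in rules)


def render_nft(rules=ALLOW):
    """Emit an nftables forward chain: established flows and listed flows pass, rest drop."""
    validate_policy(rules)
    lines = ["table inet ics {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in rules:
        lines.append(f"    ip saddr {ZONES[r.src]} ip daddr {ZONES[r.dst]} "
                     f"{r.proto} dport {r.port} accept comment \"{r.comment}\"")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
```

Running the script prints a ruleset that can be loaded with `nft -f`; `flow_allowed` lets you check a requested firewall exception against the policy before it reaches the device, and `validate_policy` fails closed on an enterprise-to-control rule or a telnet/VNC/rsh hole into the control zone.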