At this point, it’s obvious that cyberattacks can have devastating, far-reaching consequences. Look at the fallout from the Sony hack. But it’s still very rare for digital aggression campaigns to cause direct physical damage, which is why a recent cyberattack that screwed with a blast furnace at a German steel mill is so disturbing.
Hackers infiltrated the business network of a steel mill, then they gained enough access to cause havoc with the plant equipment, according to a report from Germany’s Federal Office for Information Security acquired by Wired:
“Failures accumulated in individual control components or entire systems,” the report notes. As a result, the plant was “unable to shut down a blast furnace in a regulated manner” which resulted in “massive damage to the system.”
The report doesn’t identify the plant or offer an explanation for why the attack took place. It did reveal that the hackers used a spear-phishing attack, which is to say they disguised a malicious email by making it look like it was sent from someone the recipient trusted. All it took to potentially destroy a plant was one haphazard click from someone not paying attention. The result sounds terrifying! Can you imagine working in the plant and discovering that you couldn’t turn off the blast furnace?
“Damn it, Siegfried!” your co-workers would yell. “TURN IT OFF!”
“Der Computer!” you shriek. “Der Computer ist ein Mörder!”
Thankfully, no one died in this attack, so der Computer ist not yet a murderer. But the implications here are bone-chilling.
Wired pinpointed this as the second cyberattack to cause confirmed physical damage, the first being Stuxnet, the sophisticated weaponised worm used to attack an Iranian nuclear plant. The parallels end there, though. Stuxnet was an enormously advanced virus uniquely suited to international cyberwarfare. The attack method wasn’t especially sophisticated or rare at the German plant. And there is no evidence whatsoever that this attack has any political motivations. It is a much smaller-scale event, and one that doesn’t smack of international cyberwarfare.
That does not make it less scary. The attackers showed advanced knowledge of industrial control systems, so it’s not like any lulz-y cadre of trolls has the skills to remotely screw with factory equipment. This does suggest that some hacker groups could readily shut down all sorts of shit. The great fear that Stuxnet engendered was the terrifying idea that every element of our digital, connected lives can be remotely broken down. Nightmares of hackers hijacking planes from a basement or shutting off power swerve closer to potential realities when incidents like this illustrate how hackers are capable of physical intrusions. And, as Wired notes, amateur iterations of Stuxnet could be far more damaging precisely because they are less sophisticated:
The incident underscores, however, what experts have been warning about in the wake of Stuxnet: although that nation-state digital weapon had been expertly designed to avoid collateral damage, not all intrusions into critical infrastructure are likely to be as careful or as well-designed as Stuxnet, so damage may occur even when the hackers never intend it.
We don’t know the motivation of the hackers in this attack. There are a lot of unanswered questions. But, as the report points out, one thing this incident makes unequivocally clear is that companies, governments, and any group vulnerable to attack (which is pretty much every group) need to separate their business networks and their production networks to make it harder for hackers to infiltrate. Whatever most of us think is a sufficient barrier is probably not. [Wired]