BSI (Federal Office for Information Security) published “IT Security Report 2014” (in German), a document with 40 pages of information and reports on cyber security.
Probably the most interesting parts of the report are those in Chapter 3.3 – Security Incidents in the industry.
Section 3.3.1 reports on an APT (Advanced Persistent Threat) attack on a steel factory in Germany. The attack was, as usual, conducted via spear-phishing and social engineering targeting the office employees of the steel factory. Check out this link to see the 28 steel factories in Germany (I can’t guarantee that the number is correct). After the office network was penetrated and malware was running on the computers inside the company network, the attackers went a step further and successively infected computers in the factory. What happened next is something that can only be truly understood by security experts in ICS/ACS. If you don’t know what that means, read on.
Industrial Control Systems (ICS) are the systems that control entire installations in factories: the computers and the devices that belong to the production, in this case furnaces and their control systems.
BSI mentions that the malware attack on the control system of the furnace produced “massive damages to the devices”. Needless to say, the costs of such devices are in the seven-zeros range.
To do such damage, it is not enough to know a lot about Windows systems. Yes, it all started by infecting the computers in the office, but after that things get complicated. Usually, the computers in the factory don’t run Windows, but special real-time operating systems like QNX, OSE or VxWorks. Not an easy task to write code for these… But writing code is not the biggest problem here; the complex part is knowing how to control those industrial devices. For a furnace, knowing how to control it requires special knowledge which can’t simply be read in some books.
This is a case of industrial sabotage. Who would be interested in doing such a thing?
Competition? Only if it is coming from far east ;).
Other governments ? Maybe…
How to protect ICS from such attacks?
This is definitely not a topic to address in a simple blog post.
Basic things like training employees definitely help.
But the most critical part is not to allow anyone from the inside to connect to just any IP address on the Internet. NIPS (Network Intrusion Prevention System) software can help here, but simply blocking access to locations (IPs and domains) which don’t have a high reputation would be a simple step forward.
And, of course, use an antivirus and a patch management solution!
Some companies still think that an attack happens either on computers, or on servers, or on the network level. Their security measures are built around these three concepts, and usually different teams/persons deal with each of them.
The thing is that an attack, as can be seen in this case, is an AND combination: clients AND servers AND network.
Of course, there are two other factors which need to be added to this equation: humans and vulnerable software.
If people knew how to detect a spear-phishing attack, or knew that they should not click on any link or start any program they get their hands on, things would be much easier. Vulnerable software is surely becoming the preferred attack vector because it is the easiest way to get into companies. So, patch your systems!
How does the industry deal with these events?
I know personally for sure that this is a serious topic in the boards of many (if not all) companies that are active in the industry. I can’t give details, of course, but a lot of money is being spent on making sure that:
- such attacks are blocked
- if the network is penetrated, the area which can be reached is restricted
- the damage is kept to a minimum
- the company’s board is aware of such an incident
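The two controls mentioned above, not letting internal machines connect to arbitrary Internet addresses (or to low-reputation ones) and restricting what can be reached once the office network is penetrated, can be expressed as a simple zone policy and checked against firewall logs. The script below is an added example written for this post, not code from BSI or from the author; every zone, address, allowlist entry and reputation entry in it is constructed (RFC 1918 and RFC 5737 documentation ranges), and the log format is a made-up key=value layout standing in for whatever your firewall actually emits.

```python
"""Zone-based egress policy check over constructed firewall log lines.

Added example, not from the post or from BSI. It encodes two controls:
  1. no Internet egress except to allowlisted, reputable destinations
     (office zone), and none at all from the ICS zone;
  2. segmentation: the office zone may not initiate connections into the
     ICS zone, so a phished office PC cannot reach the plant directly.
All zones, addresses and the reputation list are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical internal zones (constructed RFC 1918 ranges).
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "ics": ipaddress.ip_network("10.20.0.0/16"),
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Internet destinations the office zone may reach directly; everything else is
# denied by default. Constructed from an RFC 5737 documentation range.
OFFICE_ALLOWED = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed stand-in for a low-reputation feed (the post's "locations which
# don't have a high reputation").
LOW_REPUTATION = {ipaddress.ip_address("198.51.100.7")}


@dataclass
class Verdict:
    src: str
    dst: str
    action: str   # "allow" or "deny"
    reason: str


def zone_of(ip) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(src: str, dst: str) -> Verdict:
    """Decide whether a connection src -> dst is allowed under the zone policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(s), zone_of(d)

    if d in INTERNAL:
        # East-west traffic: block office -> ICS at the segmentation boundary.
        if src_zone == "office" and dst_zone == "ics":
            return Verdict(src, dst, "deny", "office -> ics blocked by segmentation")
        return Verdict(src, dst, "allow", "internal traffic")

    # North-south traffic (Internet egress).
    if src_zone == "ics":
        return Verdict(src, dst, "deny", "ics zone has no Internet egress")
    if d in LOW_REPUTATION:
        return Verdict(src, dst, "deny", "low-reputation destination")
    if src_zone == "office" and any(d in net for net in OFFICE_ALLOWED):
        return Verdict(src, dst, "allow", "allowlisted destination")
    return Verdict(src, dst, "deny", "not allowlisted (default deny)")


# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2014-12-17T09:01:12 src=10.10.4.21 dst=203.0.113.10 dport=443 proto=tcp
2014-12-17T09:01:40 src=10.10.4.21 dst=198.51.100.7 dport=80 proto=tcp
2014-12-17T09:02:05 src=10.10.4.21 dst=10.20.1.5 dport=502 proto=tcp
2014-12-17T09:02:33 src=10.20.1.5 dst=192.0.2.44 dport=443 proto=tcp
2014-12-17T09:03:01 src=10.20.1.5 dst=10.20.1.9 dport=502 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+)")


def audit(log_text: str) -> list:
    """Run the policy over every parseable line; unparseable lines are skipped."""
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            verdicts.append(evaluate(m.group(1), m.group(2)))
    return verdicts


def denied(log_text: str) -> list:
    """Only the connections the policy would have blocked (the ones to investigate)."""
    return [v for v in audit(log_text) if v.action == "deny"]


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v.action:5} {v.src:>12} -> {v.dst:<14} {v.reason}")
```

Run against the sample log, three of the five connections are denied: the office PC talking to the low-reputation host, the office PC connecting into the ICS zone, and the ICS machine attempting to reach the Internet. Default deny for unknown destinations is the important design choice; a reputation list alone still lets a fresh attacker-controlled address through, while an allowlist plus a no-egress ICS zone does not.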
© Copyright 2014 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity
Check www.mustaca.com for the IT Consulting services I offer.
Visit www.itsecuritynews.info for latest security news in English
Visit http://de.itsecuritynews.info for IT security news in German