A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever



Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it.
I’m referring to the revelation, in a German report released just before Christmas (.pdf), that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.
This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet, the sophisticated digital weapon the U.S. and Israel launched against control systems in Iran in late 2007 or early 2008 to sabotage centrifuges at a uranium enrichment plant. That attack was discovered in 2010, and since then experts have warned that it was only a matter of time before other destructive attacks would occur. Industrial control systems have been found to be rife with vulnerabilities, though they manage critical systems in the electric grid, in water treatment plants and chemical facilities and even in hospitals and financial networks. A destructive attack on systems like these could cause even more harm than at a steel plant.

It’s not clear when the attack in Germany took place. The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack—sending targeted email that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer. Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the production network.

Steel plants, electric plants, air control, they’re all on the hit list now.

I keep hearing people talk about “The Internet of Things”, that is, where vending machines and other objects have internet access. Stories like this only make me wonder about the kinds of problems we will have if that ever becomes commonplace.

I think the world will be dealing with the implications of Stuxnet for a long time, especially since it is quite out in the wild by now.


And this stuff didn’t even exist during the Y2K panic.


Yeah, I’ve never understood the attraction of “the internet of things”. So your house knows what time to turn on the heat/air conditioning, lights, order groceries, &c.
1st, this seems wide open to simple hacking & 2nd, why can’t functions like the heating/AC, lights &c be set by a simple program not connected to the internet?

I wonder how they classify damage? Or wholly digital? I remember an instance over 10 years ago about a disgruntled, former employee of a sewage treatment plant (in Australia, if I remember correctly) who caused significant flooding and damage to equipment from his laptop in his car.

The threat to systems, especially “critical infrastructure” has been recognized for over a decade. I worked for a company that spent considerable R&D effort to design equipment, provide training and do security audits of utilities and industrial facilities. And NERC is becoming more and more strict in requiring mitigation of cyber threats.

The fact this occurred only twice (according to the OP) means these efforts are working.

Hey Vim71, your handle is behind the curve. 7.4 had been out for a while! :wink:

(Seriously, I love the handle. My coworkers wonder why I use VisVim in VS, and gvim for all else. They just don’t get it. Pointy-clicky kids!)
