In a blog post analyzing the BSI report, Dragos Security co-founder Robert M. Lee notes that a combination of sophisticated spear phishing and social engineering apparently gave the attackers access to the iron plant's office network.
The hackers then leveraged that access to enter the production network, from where they were able to cause damage to the facility's blast furnace.
According to Lee's translation of the BSI report, "There was an accumulation of breakdowns of individual components of the control system or of entire facilities. The system breakdowns resulted in an incident where a furnace could not be shut down in the regular way and the furnace was in an undefined condition which resulted in massive damage to the whole system."
The report also states that the hackers must have had very advanced technical skills, noting, "The attackers had advanced know-how of not only conventional IT-security, but also detailed technical knowledge of the industrial control systems and production processes that were used in the plant."
This is only the second time that physical damage to control systems has been reliably reported as the result of a cyber attack, Lee notes. "The first instance, the malware Stuxnet, caused damage to nearly 3,000 centrifuges in the Natanz facility in Iran," he writes.
Lee says there are four essential lessons to be learned from the BSI report:
- Because the attack took place over time, and involved several breakdowns of individual components, Lee writes, "monitoring the network using practices such as real-time asset identification and Network Security Monitoring may have identified the intrusion before it became an issue."
- More sharing of threat information, including case studies of cyber attacks and best practices to defend against them, is vitally needed in the industrial control system community.
- Because the original infection point for the attack was in the office network, connections to production networks need to be minimized and monitored as much as possible. "Connected corporate networks are high on the list for likely targets and should be treated as an extension of the ICS for the purpose of monitoring and security," Lee writes.
- Even if the control system you're monitoring isn't deemed to be critical infrastructure, it needs to be protected. "Knowing who to contact, who to involve, and what plan to follow are vital," Lee writes. "In incident response, preparation ahead of time is the key."
Discussing the attack, IOActive futurologist David Lacey told SC Magazine that the process industry has always been reluctant to invest in expensive security measures. "And there are numerous ways to damage a plant," he said. "In fact the bigger they are, the easier they are to blow up. You can generate massive surges in big plants and heavy equipment doesn't like to do things it wasn't designed to do."
"Rogue instructions can generate spectacular breaks," Lacey added.