The German Federal Office for Information Security (BSI) has issued a report revealing that a sophisticated hacker was able to take control of a steel mill’s computerized production system, forcing an unscheduled shutdown that caused “massive damage” to the physical plant. Through targeted emails, a technique known as “spear phishing,” employees were tricked into opening messages that extracted login names and passwords and transmitted that information to the hacker without detection. The hacker, in turn, used the data to gain limited control of the automated system, causing plant failures and an unscheduled shutdown.
While most cyber-attacks target data, there is an increasing number of attacks on physical equipment and machinery in the industrial setting. In Iran, hundreds of uranium enrichment centrifuges were decommissioned in 2010 after they were infected by the Stuxnet worm, which caused the motors to accelerate and ultimately fail. What’s more, the International Atomic Energy Agency reported that Iran’s Natanz nuclear plant experienced a one-day power outage at approximately the same time.
All companies utilizing some level of automated or computerized machinery must develop a comprehensive cyber-security plan that covers the physical aspects of the computer network, and not simply the data that can be stolen. Once inside a company’s network, a hacker may be able to identify any number of systems to disrupt, even if the company has robust security for sensitive data. A cyber-security plan should extend beyond protecting sensitive information, and should ensure that no outside hackers will be able to gain access to any part of the company’s network.
The German report can be found in full here.