Hackers successfully took control of production software at a German steel mill in 2014. The cyber-attack caused massive damage to equipment in the plant, forcing operators to shut down production. Human error played a significant role. The now infamous attack involved a phishing campaign whereby hackers sent out targeted emails to plant staff and administrators. Once opened, these emails retrieved information like logins and passwords, allowing hackers to gain access to the plant’s network.
Phishing remains a prevalent tactic used by hackers to infiltrate network systems, and according to a new report it’s among the top threats facing industrial control systems in Germany.
As part of the report, produced by the Mechanical Engineering Industry Association (VDMA), companies were asked to identify the threats facing their industry. The companies ranked human error and sabotage at the top of the list, followed by malware downloaded from removable storage devices and external hardware, social engineering and phishing, and malware downloaded from the internet.
There are a number of scenarios that can lead to human error and sabotage. According to Germany’s Federal Office for Information Security (BSI), these include incorrect configuration of network components, of security-related components such as firewalls, or of ICS components in general; the uncoordinated installation of updates or patches; side-effects from intentional actions such as damaging devices and installations or placing covert listening devices; compromising systems by unauthorized software or hardware such as games, digital cameras, smartphones or other USB devices owned by the operator; and the creation of unreleased configurations for infrastructure and security components.
According to the VDMA report, 47 percent of security incidents at the companies surveyed were caused by random external influences such as undirected emails containing viruses. Additionally, 38 percent of incidents were caused by internal influences such as a breach of the company’s code of conduct, and 26 percent were caused by targeted external influences.
The assessment of companies surveyed in the report differs from BSI’s. Earlier this year, the agency released a report detailing the top ten ICS threats. It ranks the infiltration of malware via removable media and external hardware as the top threat, followed by malware infection via internet and intranet, human error and sabotage, and compromising of extranet and cloud components.
While the reports differ, they both agree that countermeasures must be taken to address these cyber threats.
“Automation, process control, and I&C systems, all referred to by the blanket term Industrial Control Systems (ICS), are used in almost all infrastructures that handle physical processes, from power generation and distribution, to gas and water supplies, to production, traffic guidance systems, and modern building management,” says BSI. “In these fields, aspects of cyber security have been handled with low priority or even neglected for decades. Facing an increasing number of incidents and vulnerabilities, operators of such equipment have no choice but to accept this challenge now. The risk and potential for damage caused by non-targeted malware as well as by specific attacks against ICS infrastructures that are executed in a targeted manner, more competently, and with considerable effort, have to be considered in these efforts. This stands true for all infrastructures, no matter if they are directly connected to the internet or indirectly accessible by cyber attacks.”
Security breaches come at a great cost to the facilities that fall victim to them. Half of the companies surveyed in the VDMA report say they experienced financial damages as a result of a security incident. Thirty-one percent experienced production downtime and 19 percent experienced quality losses.