
Computer intrusion inflicts massive damage on German steel factory - Evolved
http://www.itworld.com/article/2861675/cyberattack-on-german-steel-factory-causes-massive-damage.html
======
joshvm
I've done some work in steel factories, though only for offline/closed systems
that have no interaction with the main control code.

Factories like this one probably operate at around 60%+ capacity, so they'll
be operating sometimes all day, sometimes all night. If you ever get the
chance to visit, do so, even if you don't really care about how steel is made.
The sheer scale of everything is amazing.

Everything is very big, very hot and if you have to hit the big red button, it
costs a _lot_ of money. Unscheduled downtime is very expensive. Steel tends to
be workable when it's hot/molten and therefore pliable. If you suddenly stop a
machine then you're left with solid steel in places you don't want it which
takes a lot of time and effort to remove.

One of the common reactions to this story is "Why didn't they hit the
emergency stop?" - the answer is because it costs an absolute fortune to do
so.

~~~
Fuxy
The more interesting question is why is the industrial control computer
connected to the internet.

Shouldn't these things be on a separate network protected by an air gap all
the time?

Having stuff that doesn't need internet access connected to the internet is
like asking for trouble.

~~~
joshvm
That wouldn't necessarily solve the problem, if you look at what happened with
stuxnet. Getting a USB stick into a domestic steel factory probably isn't
hard.

As another commentator said, these plants are designed to be operated by
people who don't know the difference between a mouse and a keyboard. The
systems _must_ work perfectly 24/7. I've seen the legions of machines running
XP because the legacy software runs on it and God forbid they upgrade to
Windows 8.

That said everything seemed pretty secure there, loads of IT red tape needed
to get anything on the network.

~~~
Fuxy
Well, the usual solution to that is to glue up the USB port, or no USB stick is
allowed to enter or leave the facility.

This doesn't make it impossible to get access, but it makes it a hell of a lot
more difficult.

For one thing the hackers don't have direct access; they need to rely on the
virus to do the dirty work and cannot do intelligence gathering on what
systems are being used that well either.

------
sqeezy
i have been working in a steel plant for over 20 years now, and it is easy to
bash the security of those people.

but just some facts from my world :-)

first, those plants are built for lifespans of over 30 years. the general
problem is that 15 years ago (the normal review time) no one was thinking about
network security the way we think about it now. most businesses didn't even
have a large internal network which included production and was connected to
the internet.

second, you can't just shut these things down. if you have to shut down a blast
furnace we are talking about a minimum standstill of 5-7 days. calculate about
400k to 1m € per day in standstill costs. and that is only for the blast
furnace. if the blast furnace is not running, in some steel plants NOTHING will
run (e.g. hot rolling plants).

third, there is no good solution on the market. if some of you guys would look
into the software which is sometimes running those large machines you would get
sick to your stomach. As a more security focused person in my plant, just
convincing management to change the standard admin passwords was a handful
(well, that changed like a year or two ago). The thing is, the market decides
what security is gonna be implemented. since there has now been a breach, and a
very expensive one, most companies i am talking to are more focused on security
now. The thing is they won't just throw away the software stack they worked on
for 30 years. and reviewing software is hard and time consuming. so it will be
interesting to see how this develops.

and no, i am not working in that plant ... :-)

and sorry for the bad english

~~~
nightcracker
You can make your English look a lot better by starting every sentence with a
capital letter, and capitalizing the word "i".

~~~
rab_oof
Spelling feedback is bike-shedding. The content is fine.

~~~
niels_olson
It's an interesting case of misplaced good intentions though. Here's someone
with good intentions providing direct, actionable feedback. And getting
negative feedback. It's how the system is supposed to work, but I hope a lot of
folks realize their well-intentioned comment that gets downvoted might well be
getting downvoted for similar reasons: your good intentions are misplaced.

------
ArchD
I never understand why people need to connect industrial plants to the
Internet. Do they actually need to control them over the Internet instead of
on-site?

And, if they need to use the Internet on-site, can't they make an air gap and
segregate the computers that can access the Internet from computers that can
access the plant machinery?

~~~
ArchD
OK, granted they may want to monitor the plant remotely. Then they could have
a plant-connected machine dump UDP monitoring packets to an Internet-connected
machine, and have the plant-connected machine block all incoming packets from
the Internet-connected machine.
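
The one-way monitoring export sketched in the comment above, worked through as an added example (not code from the thread, nor from any plant). It assumes a shared HMAC key between the plant-side emitter and the monitoring receiver; the key, the reading names and the sample values are constructed for the example. The host-level firewall rule that drops every inbound packet on the plant side is assumed and not shown.

```python
"""Added example, not code from the thread: one-way plant telemetry over UDP.

The plant-side host only ever emits datagrams and never reads from the
socket; a firewall on that host dropping all inbound traffic (assumed, not
shown) completes the one-way link. Because the monitoring side cannot
challenge the sender, each datagram carries a sequence number, a timestamp
and an HMAC-SHA256 tag so forged, tampered or replayed readings are dropped.
The key, field names and readings below are constructed for the example.
"""
import hashlib
import hmac
import json
import socket
import struct
import time
from typing import Optional, Tuple

TAG_LEN = 32                      # HMAC-SHA256 digest length
HEADER = struct.Struct("!Qd")     # sequence number (uint64), unix time (float64)


def build_packet(key: bytes, seq: int, readings: dict,
                 now: Optional[float] = None) -> bytes:
    """Plant side: serialise readings and append an authentication tag."""
    ts = time.time() if now is None else now
    body = HEADER.pack(seq, ts) + json.dumps(readings, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_packet(key: bytes, data: bytes, last_seq: int,
                 max_skew: float = 60.0,
                 now: Optional[float] = None) -> Optional[Tuple[int, dict]]:
    """Monitoring side: return (seq, readings), or None if the packet is rejected.

    Rejects packets that are too short, fail the HMAC check, do not advance the
    sequence number (replay or reordering), carry a timestamp more than
    max_skew seconds from the receiver's clock, or have an unparsable body.
    """
    if len(data) < HEADER.size + TAG_LEN:
        return None
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    seq, ts = HEADER.unpack_from(body)
    if seq <= last_seq:
        return None
    ts_now = time.time() if now is None else now
    if abs(ts_now - ts) > max_skew:
        return None
    try:
        readings = json.loads(body[HEADER.size:])
    except ValueError:
        return None
    return seq, readings


def demo() -> list:
    """Send three readings over loopback (the third is a replay of the second)
    and return the readings the monitoring side accepted."""
    key = b"constructed-example-key"      # in practice provisioned out of band
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(1.0)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for seq, temp in ((1, 1510.0), (2, 1512.5), (2, 1512.5)):
        tx.sendto(build_packet(key, seq, {"ladle_temp_c": temp}), rx.getsockname())
    accepted, last_seq = [], 0
    for _ in range(3):
        result = parse_packet(key, rx.recvfrom(4096)[0], last_seq)
        if result is not None:
            last_seq, readings = result
            accepted.append(readings)
    tx.close()
    rx.close()
    return accepted


if __name__ == "__main__":
    print(demo())
```

The sender never calls recv, so a compromised monitoring host has no channel back into the plant network other than what the firewall leaves open; the HMAC and sequence check stop an attacker on the monitoring side from feeding operators false readings, which is the remaining way a "read-only" link can still do harm.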

~~~
gear54rus
It seems that there are many ways this could be done right (and does not seem
a particularly hard challenge), it's just that people in charge probably were
pretty much inept at that task.

You know how it is, no one cared about it until it happened. It just wasn't a
priority.

~~~
spacecowboy_lon
I get the impression from dealing with German companies that they tend to be
very good at traditional "engineering" but when it comes to IT/computers they
are 10 or 15 years behind.

I also think that in Germany it's considered that the good engineers and
associated professionals want to go and work for firms like Audi.

~~~
fidotron
It's not just Germans. Anyone that isn't primarily in software has this
phenomenon. Mobile phone makers, for example, are a disaster, and it's only
having a whip wielded by a software company with some power over them that
prevents it becoming a complete train wreck.

In my experience the most dangerous are engineers in other domains that
learned just enough programming to get the job done but can't understand the
giant holes they've created and not run into.

~~~
spacecowboy_lon
Testify (Brother or Sister). Having worked for a big telco, we regarded the
mobile side as grade-inflated "amateurs".

I still recall one of my colleagues (working on the core IP network) being
amused that one UK mobile provider was still using NT4 in their core network.

I'll be nice and not write what we thought about the US carriers.

------
Animats
The German document isn't that useful. It's just a general overview of
computer security with anecdotes, not a technical analysis of this attack.

Interestingly, there was a cooling water leak and an emergency shutdown at a
steel plant in Pakistan in October. That plant is still off line. That's
probably unrelated, though.

[http://www.newspakistan.pk/2014/10/27/pakistan-steel-mills-r...](http://www.newspakistan.pk/2014/10/27/pakistan-steel-mills-remain-shut-3-weeks-sign-resumption/)

------
frik
More background info about the incident:
[https://translate.google.com/translate?hl=de?sl=auto&sl=de&t...](https://translate.google.com/translate?hl=de?sl=auto&sl=de&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2Fmeldung%2FBSI-Sicherheitsbericht-Erfolgreiche-Cyber-Attacke-auf-deutsches-Stahlwerk-2498990.html)

Steel plants run for years without a shutdown, so this was a large scale
incident as they had to shut it down because of major damage.

Not related to the plant in Germany in any way, just to give you an idea how
some other steel plants operate: C# WinForms based GUI control room app and
Java based server app on Windows Server. The server controls the various SPS
(PLCs). Several steel plants around the world were built with that software
setup and it was not designed to be connected to the internet.

~~~
spacecowboy_lon
The Register has speculation that it was a ThyssenKrupp plant in Brazil. I
suspect that if it had been actually in Germany there might have been better
security.

~~~
brazzy
Nope. Just last year, Germany's biggest IT magazine ran an article about
hundreds of industrial systems having remote control UIs with insufficient
security (unencrypted login, default passwords) exposed to the internet.
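
The two weaknesses named in the comment above (login over unencrypted HTTP, factory-default passwords) are the kind of thing a defender can pick out of captured HTTP requests from a span port or proxy. Below is an added example of that check, not code from the thread or from the article it refers to. The request records, the hostnames, the 203.0.113.17 address (RFC 5737 documentation range) and the default-credential list are all constructed; a real audit would take the credential list from the vendors' own documentation.

```python
"""Added example, not code from the thread: flag remote-control UIs whose
logins cross the wire in the clear or use factory-default credentials.

Input is a list of constructed HTTP request records as a span port or proxy
log might yield them: (scheme, host, path, Authorization header or None).
"""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed: pairs an auditor would treat as "never changed from the default".
DEFAULT_CREDS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("operator", "operator"),
}


def _basic(user: str, password: str) -> str:
    """Build a Basic Authorization header value (used only to construct samples)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample records; no real plant, product or address is described.
SAMPLE_RECORDS = [
    ("http", "hmi-furnace-3.example.internal", "/login", _basic("admin", "admin")),
    ("https", "scada-gw.example.internal", "/api/session", _basic("operator", "CorrectHorse!")),
    ("http", "panel-7.example.internal", "/status", None),
    ("http", "203.0.113.17", "/cgi-bin/login", _basic("admin", "password")),
    ("https", "203.0.113.17", "/cgi-bin/login", "Bearer not-a-basic-header"),
]


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' header, else None."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:   # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    user, _, password = decoded.partition(":")
    return user, password


def audit(records) -> Dict[str, List[str]]:
    """Return {host: sorted issue names} for every host with at least one issue.

    cleartext-login:     Basic credentials sent over plain http, readable by
                         anyone on the path (for an internet-exposed HMI, everyone).
    default-credentials: the user/password pair is in DEFAULT_CREDS.
    """
    findings: Dict[str, set] = {}
    for scheme, host, _path, auth in records:
        creds = decode_basic(auth) if auth else None
        if creds is None:
            continue
        issues = set()
        if scheme == "http":
            issues.add("cleartext-login")
        if creds in DEFAULT_CREDS:
            issues.add("default-credentials")
        if issues:
            findings.setdefault(host, set()).update(issues)
    return {host: sorted(issues) for host, issues in findings.items()}


if __name__ == "__main__":
    for host, issues in audit(SAMPLE_RECORDS).items():
        print(f"{host}: {', '.join(issues)}")
```

Run passively against mirrored traffic this finds the panels that are already talking; it says nothing about panels nobody has logged into during the capture window, so it complements rather than replaces an inventory of what is reachable from outside.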

~~~
spacecowboy_lon
But were they hacked?

------
dang
Url changed from [http://www.popularmechanics.com/_mobile/how-to/blog/hackers-...](http://www.popularmechanics.com/_mobile/how-to/blog/hackers-control-german-steel-mill-17562155), which points to this.

Edit: and also from [http://arstechnica.com/security/2014/12/computer-intrusion-i...](http://arstechnica.com/security/2014/12/computer-intrusion-inflicts-massive-damage-on-german-steel-factory/), which points to this.

~~~
machrider
Oddly enough, the Ars article is just a slight rephrasing that adds zero value
beyond the original article:
[http://www.itworld.com/article/2861675/cyberattack-on-german...](http://www.itworld.com/article/2861675/cyberattack-on-german-steel-factory-causes-massive-damage.html)

~~~
dang
Thanks! Changed.

------
afarrell
To do external monitoring, couldn't you have the computer for the plant
display the information on a screen in a particular font and then an internet-
connected computer read the video and OCR it?

------
rebootthesystem
I can't help but feel there's a rush to judgement here. If you read the
article it clearly states that the Federal Office for Information Security
(BSI) said, quoting the article:

"describing the technical skills of the attacker as “very advanced.”"

And

"not only was there evidence of a strong knowledge of IT security but also
extended know-how of the industrial control and production process."

And HN rushes to judgement to quickly blame workers who can't use a mouse and
Microsoft.

Yes, the average worker in a manufacturing plant is not a CS grad. It is the
job of engineers to develop systems that are usable by, well, the target user.

Most Heart Surgeons don't have a CS degree. And based on meeting a number of
them during the course of my business I am comfortable saying that quite a few
of them are "computer challenged". Yet, most of us would not have a problem
being on that operating table, yes, with a room full of computers, a good
number of them running MS software and with an OR team that is likely to use
the same "123456" password on everything.

In a hospital you have IT and engineers who set up an infrastructure medical
professionals can use. The same is true of steel plants. Yes, there's probably
a lot more older code in your average steel plant. I just don't think
characterizing them as IT or security morons might be fair.

The BSI characterized the attackers as sophisticated across disciplines. Let's
not engage in senseless conjecture.

I've owned and operated a small manufacturing plant consisting mostly of what
I call "big iron" CNC equipment. Things are seldom as simple as discussions on
various fora on the 'net would like them to be. Yes, in my case I air-gapped
the plant and even individual machines and remote monitoring was done through
a separate network that had no command-and-control capabilities at all, just
sensing and reporting. There was no way to jump from the sensing network to
command-and-control of any one machine, much less the plant. Even if you were
physically at the factory this was pretty much impossible. Nobody wants a CNC
milling machine with a 30HP spindle controllable from the internet. People are
not that stupid...even if they can't use a mouse.

------
DaveSapien
This sounds like an inside job, seems too specific (and obscure) an attack.
Idle speculation, maybe a disgruntled ex-employee's offspring? Who knows.

------
ars
Anyone know what's the motivation?

People do not work that hard to destroy something without a reason. Someone
was really mad at them - ex employee maybe?

~~~
nisa
I doubt it's another steel manufacturer but who knows? Maybe someone in the
business with connections to black hats had some money to spare and said: Look
what you can get going about this cyberwar stuff everyone is talking about...

There is also this: [http://www.heise.de/security/meldung/Verwundbare-Industriean...](http://www.heise.de/security/meldung/Verwundbare-Industrieanlagen-Fernsteuerbares-Gotteshaus-1902245.html) (In German)

~~~
bostik
I have to admire your cynicism. To consider that this attack might have been
nothing more than a _sales demonstration_...

That's a scary thought, even as it sounds like something out of a James Bond
film script.

------
mokash
Particularly relevant for me since I'm currently reading Countdown to Zero
Day.

------
higherpurpose
Stuxnet made it "acceptable" to do this. I hope the US government recognizes
that.

~~~
s_q_b
Actually the Trans-Siberian pipeline made this acceptable, which was a cyber
attack in peacetime responsible for the largest man-made non-nuclear explosion
in history. Or the Turkish pipeline attack. Or the Enigma Machine hack.

The crucial parts of warfare systems are C4ISR: Command, Control,
Communications, Computation, Intelligence, Surveillance, and Reconnaissance.

Computer systems have been a target of covert ops for as long as they have
existed. What's happening now is that middle-weight nations (North Korea,
Iran) and non-state actors (Anonymous, al-Qassam) are now able to get in on
the game, which is disrupting the status quo established by the USA and USSR.

~~~
rab_oof
Unambiguous rankings of explosions is basically impossible, so claiming it was
the biggest man-made explosion in history is nonsense. This overly-bold claim
was promulgated by former Air Force secretary Thomas C. Reed.

[http://seanlinnane.blogspot.com/2014/12/largest-man-made-non...](http://seanlinnane.blogspot.com/2014/12/largest-man-made-non-nuclear-explosions.html?m=1)

[https://en.wikipedia.org/wiki/List_of_the_largest_artificial...](https://en.wikipedia.org/wiki/List_of_the_largest_artificial_non-nuclear_explosions)

~~~
s_q_b
We can agree it was a pretty large fuel-air explosion caused by the failure of
SCADA software? The rest is just details.

