German steel-mill cyberattack

In late 2014, a German steel mill was the target of a cyberattack when hackers successfully took control of the production software and caused significant material damage to the site. This is the second such attack to be reported after an attack targeting a uranium enrichment centrifuge in Iran in 2010. How did the hackers proceed? What were their intentions? What means of protection exist today for industrial sites? Here is an overview of this case study in cyber-security.


The attack’s operational framework

Though the BSI (the German federal agency for digital security) has not released the specific date and location of the attack, the methods of the hackers have been revealed as follows:

  • The attackers first hacked into the office software network of the industrial site;
  • Starting from this network, they then penetrated the production management software of the steel mill;
  • From there they took over most of the plant’s control systems;
  • Once in control, they methodically destroyed human-machine interaction components. They succeeded in preventing a blast furnace from initiating its security settings in time and caused serious damage to the infrastructure.

The SANS Institute conducted an investigation into this attack, and its conclusions left no doubt about the process the hackers used to penetrate the system, which is commonly referred to as “spear phishing”. In other words, hackers send fraudulent emails that appear to come from sources the recipient knows or trusts, and which usually encourage the recipient to open an attached document or visit a website containing malware. In this case it was an attached file.
Once the file was opened the malware was injected into the sales software of the plant. From there, it made its way through the network while damaging numerous systems and industrial automation components.


A pivotal cyberattack

As previously stated, this cyberattack is one of the best known for having caused major damage to an industrial site and can be considered akin to another famous cyberattack referred to as Stuxnet. Stuxnet was a very sophisticated digital weapon developed and launched by the US and Israel in 2010, which caused damage to the control system of Iranian nuclear centrifuge systems. In the case of Stuxnet, though, the hackers were clearly identified. This is not the case for the cyberattack that struck the German steel mill at the end of 2014.


Who were the hackers and what was the objective of this cyberattack?

The perpetrators of the cyberattack were not clearly identified. Nonetheless, the investigation concluded that the hackers had a solid knowledge of industrial control systems, and that the attack was almost certainly the work of an experienced group of individuals and most likely could not have been carried out by a single hacker.
According to Michelle Nesterenko, the head of the French research center on intelligence, significant financial means are necessary to conduct a successful cyberattack of this scale. A “genius” single hacker would be very unlikely to have successfully pulled it off. However large countries such as the US with the NSA, or Israel, Russia or China are all fully capable of setting up such an attack. Some of them have already done full-scale displays of such abilities.

The motivations of the hackers are not obvious. Nonetheless, this attack was classified as an APT (Advanced Persistent Threat). Most past APTs are linked to groups that were backed by sovereign states, which would tend to confirm the investigation’s initial conclusions.
One can thus wonder what the aim of such an attack really was, whether it was simply designed to cause damage to the infrastructure, or whether a financial reward was at stake. It could be argued that if the hackers’ motivations were indeed financial (to conduct industrial intelligence or disrupt production), they would have been unlikely to go as far as damaging the infrastructure. They would probably have satisfied themselves with infecting the system and gathering a maximum of information.
This line of reasoning leads the investigators of SANS to think that the attack’s aim was more of a “warning”, a “strong signal” or more simply a ransom. In any case, whoever sponsored the attack must have wanted to let the world know their capabilities for causing significant damage to sensitive and strategic industrial sites to gain some financial benefit.


A cyber-security warning to be taken seriously

What the hackers have succeeded in doing with the German steel mill must be taken seriously. If cyberattacks are now able to cause damage to infrastructure, then populations can be impacted as well. For example, an attack on an electricity production facility could cause energy supply disruptions for hundreds of thousands of people. In a similar fashion, if hackers were to attack a waste management facility or a hospital, the consequences could become dramatic, with the threat of contamination or poisoning.
Cyber-pirates, extremists and activist groups most often act with the technical and financial support of state agencies. Some states proceed in this manner to “disrupt” an “enemy” state or impede its advances. Digital infrastructure is already the battleground of some present-day conflicts, and most certainly will be a major one in the future.


Cyberattacks vs. cyber-security

Cyber-security frameworks

Cyber-security policies are being deployed in order to control these threats. Cyberattacks target industrial sites more and more frequently, with energy-related sites (oil and gas, electricity, etc.) being the most popular victims. These industrial sites often have significant strategic value for governments, which is why a number of cyber-security frameworks have been initiated. In France, for example, the recent military program legislation is imposing security regulations on critical information providers, and new regulations have been introduced in Germany concerning critical infrastructure operators. In the US, the Cybersecurity Framework offers all its voluntary members a global and standardized cyber-security toolbox. The objective of these global frameworks is to prevent and minimize the impact of cyberattacks and to restore industrial networks to their normal functioning state as soon as possible.
In parallel to cyber-security frameworks, a number of solutions are being developed in Europe specifically for industrial sites. Amongst other elements, these solutions include the mapping of a company’s industrial network in order to determine the best protection protocols. In case of an attack, these solutions also help to minimize impact by triggering alert systems earlier and preventing attacks from spreading. These solutions are presently available to critical industrial sites in order to protect themselves against more and more frequent cyberattacks.
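
As an added illustration (not part of the original article and not any vendor's product), the sketch below shows the kind of check that network mapping makes possible: it flags flows crossing between the office, production management and control zones without a permitted conduit, and lists the control hosts reachable from the office network by chaining observed flows. The zone subnets, permitted ports and flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed zone map (assumption): subnets are illustrative, not from the incident.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "production_mgmt": ipaddress.ip_network("10.20.0.0/16"),
    "control": ipaddress.ip_network("10.30.0.0/16"),
}
# Allowed conduits between zones: (src_zone, dst_zone) -> permitted TCP ports.
ALLOWED = {
    ("office", "production_mgmt"): {443},
    ("production_mgmt", "control"): {4840},  # OPC UA
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def violations(flows):
    """Return cross-zone flows that no conduit permits."""
    out = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz and port not in ALLOWED.get((sz, dz), set()):
            out.append((src, dst, port, sz, dz))
    return out

def reachable_from(flows, start_zone, target_zone):
    """Target-zone hosts reachable from start_zone by chaining observed flows."""
    graph = defaultdict(set)
    for src, dst, _ in flows:
        graph[src].add(dst)
    queue = deque(s for s in graph if zone_of(s) == start_zone)
    seen = set(queue)
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(h for h in seen if zone_of(h) == target_zone)

# Constructed flow records: (source IP, destination IP, destination TCP port).
FLOWS = [
    ("10.10.4.21", "10.20.1.5", 443),    # office -> production mgmt, permitted
    ("10.10.4.21", "10.20.1.5", 3389),   # office -> production mgmt, not permitted
    ("10.20.1.5", "10.30.7.9", 4840),    # production mgmt -> control, permitted
    ("10.20.1.5", "10.30.7.12", 502),    # production mgmt -> control, not permitted
    ("10.10.8.3", "10.30.7.9", 502),     # office -> control directly, no conduit
]
```

The reachability result includes paths made up only of permitted conduits, which shows why a host that bridges two zones deserves monitoring even when every individual flow complies with policy.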


The cyberattack sustained by the German steel mill opened a new era now that hackers have succeeded in causing material damage to an industrial site’s infrastructure. What used to be a rare case is now at risk of becoming more and more common. The rapid development of digital solutions and the Internet of Things is only going to increase the risk of these cyberattacks, and industrial sites are the most exposed and must make cyber-security their priority. It is to address this increasing threat that Sentryo has developed a unique cyber-security solution: ICS Cybervision.