Attacks in the Digital Age: Industrial Cyberthreats

Close to 70 percent of German companies and institutes were targeted by hackers in 2016 and 2017 – and one in two attacks were successful. The trend is on the rise. Hackers are becoming ever more sophisticated, while systems are becoming more interconnected and therefore more vulnerable.

It was unique, dangerous, and for a long time, unknown. The computer worm Stuxnet began its story as the first known virtual weapon in 2010. In 2016, it gained even greater awareness after US director Alex Gibney created a film about the worm. Stuxnet stumped experts all over the world when the malware took hold of Siemens’ control system.

When disruptions to Iran’s nuclear program were detected, Iran had the highest number of affected computers, and speculation began to rise about the true aims of the attack. German control system security expert Ralph Langner helped to decrypt the code. When discussing the motivation behind the attack, he stated, “We don’t want Iran to get the bomb. Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility […]. If we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems […]”. Stuxnet found a way into the system and sabotaged the nuclear facility. The motive behind it never officially came to light. Speculations circulated that the virus was programmed by U.S. and Israeli experts.

Figures on Cyberattacks: Unknown

A fact that rattles many businesses is that there are no recorded statistics on how often industrial plants are targeted by cybercriminals. In July 2015, a new law on IT security entered into force in Germany, making it compulsory to report any attacks on critical infrastructure. Two years later, results show an average of 34 reports received: 18 from information technology and telecommunications, 11 from the energy sector, three from water utilities, and two from the food industry – the figure of unreported cases can be assumed to be much higher. And the threat is growing.

“Automated safety solutions in industrial plants need to provide more than just emergency shutdown, but effective protection from cyberattacks, too.”
Dr. Alexander Horch,
Vice President Research, Development & Product Management at HIMA

In a report on IT security in Germany, the Federal Office for Information Security explained how the increasing level of digitization and connectivity through developments such as the Internet of Things, Industry 4.0, and “smart everything” offer cybercriminals new possibilities. Nearly every day, cybercriminals are presented with new attack surfaces and opportunities to spy on data, sabotage business processes, or become rich illegally at the expense of a third party.

Spying and Sabotage as Grounds for Cyberattacks

The Springfield Water Works in the US state of Illinois became the target of economic sabotage in November 2011. Russian hackers entered an external control system and manipulated the facility. A water pump switched itself on and off uncontrollably until it finally burned out due to overload. Employees had no chance to intervene. Hackers who do not want to gain money by using blackmail are often hired by competitors or states to harm a company. Whether this applies to the case of the Springfield Water Works, remains unclear.

Another reason for cyberattacks is industrial espionage. US security company McAfee identified that several international oil, energy, and petrochemical companies have fallen victim to hacking. With this, the hackers gained access to valuable company documents.

Businesses Fear Reputational Damage

Often, the public receives little information about the motives and consequences of attacks. For example, aerospace company EADS reported a serious attack to the federal government but remained silent about the exact background details. This is partly down to hackers becoming ever more sophisticated, using highly complex tools and hardly leaving any traces. On the other hand, hacked companies fear damage to their reputation. After all, who would want to do business with a company whose systems don’t seem secure? An international study found that 59% of computer users would break off customer relationships with a company if it experienced a case of data theft.

Attack methods are not always a result of security vulnerabilities in a company’s software. Hackers frequently use subtle ways to embed malicious software into a system. They take advantage of people’s good faith using social engineering in order to infiltrate foreign systems. Using attack methods such as phishing emails, USB sticks with infected data, messages from alleged colleagues on social networks, or calls from fraudulent service providers, hackers are able to infiltrate a company. Even the best firewall is of no use if company employees do not keep cybersecurity in mind. It was through a manipulated email to an employee that attackers were able to hack into the network of a German steelworks in 2014. Control components and whole systems failed, and a furnace could not be shut down. It caused huge damage. IT threats are constantly evolving, so cybersecurity needs to start with people.

Background info: Stuxnet

In 2010, the Stuxnet computer worm opened the world’s eyes to cyberattacks. The malware was more complex and more dangerous than any of its predecessors. Stuxnet hacked into Iran’s nuclear program and sabotaged the facility. It was immediately clear that this could not be handled in the same way as an ordinary attack. The effort involved in developing Stuxnet was enormous, and experts estimated that it would have cost millions of dollars to create. It is probable that Israeli or American organizations were behind Stuxnet, pursuing political interests. Still, the true culprits were never found.

In the years that followed, reports of cyberattacks became more frequent – and there are very few companies now that have never experienced an attack. As a rule, hackers either want to blackmail their victim for money or sabotage a facility – and they are becoming ever more adept.

Stuxnet is history, but it already has its successor: Duqu. This threat to industrial companies is in no way getting smaller – it is growing. Those who are unconcerned with IT security today may well have lost their most important data by tomorrow, or even something more significant.

“Ensuring and constantly improving cybersecurity frequently presents plant operators with challenges. Bringing safety and security experts on board is highly recommended in order to develop and implement an effective strategy.”
Heiko Schween,
Security expert at HIMA

Malicious programs have already caused huge damage to companies:

  • Slammer appeared in 2003 and quickly infected 200,000 computers, causing 1.2 billion US dollars’ worth of damage. Even a US nuclear plant was affected.
  • Code Red entered Microsoft’s systems in 2001 via a security flaw and quickly found its way to 400,000 computers. It missed its original target: The White House.
  • Mydoom affected two million computers in 2004, causing the internet to slow down by 10% and costing 38 billion US dollars’ worth of damage.
  • WannaCry took hold of 230,000 computers in 2017. Deutsche Bahn and the British National Health Service (NHS) were among those affected.