When most of us are presented with the notion of being “hacked,” thoughts of suspicious charges on our credit card statements or spam posts on our social media often come to mind. While small-scale hackers remain very real and prevalent, there is a new form of cyber criminal that has grown ambitious for much more than a debit card number.
Large industrial corporations not only offer the opportunity for millions upon millions of dollars more to be stolen, but they also serve as a means for serious physical damage by the hackers skilled enough to tap into the controls of a corporation’s operational systems.
In 2015, it became public knowledge that a German steel mill had come under attack by hackers who gained access to the mill’s operational and control systems to the extent that a blast furnace was unable to be properly shut down, resulting in severe damage. Though it remains unknown when exactly or for how long the hackers had access to the steel mill’s infrastructure, the German Federal Office of Information Security revealed that the hackers used spear-phishing tactics via malicious e-mails within the mill’s business network.
Maria Krotofil, a researcher from Hamburg University of Technology, explained to Computer Weekly that one of the main motives behind hackers gaining access to these industrial networks is to successfully get what they came for through extortion.
While successful break-ins to these large networks are often associated with physical damage, Krotofil explained that extortion remains the most common motive, with efforts put toward persistent economic damage to the organization. The most common goal of the attacker is to impact the industrial production process so it affects the quality of the end product or raises operational and maintenance costs.
If these attacks aim to cause devastation in both the operations and economic state of such large organizations, why do we seldom hear about these types of cyber-crimes in the media?
“Most of these cases are not reported because if there is no compliance violation, companies are not legally required to do so, and they are usually unwilling to risk damage to the reputation of the brand by going public,” Krotofil stated.
With hackers aware of the air of secrecy, cyber intelligence professionals worry that their motives may grow to dangerous heights, possibly shifting their aim towards large machinery factories, environmental stations, and even nuclear power plants.
Getting Away Unscathed
The particularly interesting aspect of the industrial hack is how a trespasser can time their attacks to coincide with existing operations, making unusual activity appear as an employee oversight, rather than an internal technological glitch. Once entry is successfully gained into the system’s networks, Maria Krotofil emphasized that some hackers are anything but your average cyber-criminal.
Hackers must possess the necessary knowledge of what machines exist within the walls of the organization, how they operate, and especially, if the accident reports are obtained, what went wrong in the past. “They must start thinking like a control engineer, a process engineer and a chemical engineer,” Krotofil said. Being privy to pre-existing vulnerabilities allows hackers to home in on the most easily accessible entryways into the organization’s infrastructure.
Though some must possess extraordinary knowledge to invade large, heavily technical industrial organizations, this does not apply to all. In fact, the opposite can still be said for many criminals looking to steal information or gain control of operations.
The use of SCADA (supervisory control and data acquisition) within the public and private sector is rampant. Almost anywhere you go, whether it be the supermarket, mechanic, or even within the walls of your own home, a form of SCADA can be found, using both informational software and physical hardware to carry out instructions from the system’s operator.
Doug Wylie, Vice President of product marketing at security firm NexDefense, spoke to Security Week about an anonymous water treatment facility where Verizon investigated data records and uncovered malicious activity within its systems in 2015. The facility suffered from manipulations to its systems, leading to handicapped water treatment and production capabilities.
These hackers, contrary to statements like that of Maria Krotofil, were described by Verizon investigators as “likely having little knowledge on how the flow control system worked – the attack could have had far more serious consequences if hackers had more time and knowledge of the targeted industrial control systems.”
Wylie emphasized that it isn’t simply the criminals’ experience in hacking, but more so their awareness of known vulnerabilities and out-of-date technologies still in use within these organizations.
“It’s readily apparent the specific affected water utility was trapped in a past decade (or even two decades ago) in a time when they had little reason to expect their company, business operations or water control systems would ever become the desired target for a sophisticated cyber-attack,” Wylie further explained. “While it would be nice to think this particular water utility affected by the breach is unique, having unicorn-like qualities, what was found in the water utility of interest in the Verizon report is likely more typical than unusual.”