Introduction 

It is widely perceived that cyber-crime and cyber-attacks happen in cyberspace and that their effects remain in cyberspace. However, recent attacks on industrial production facilities are proof that this is no longer the case.

While in the mainstream IT/IS arena computer security is well understood, managed and implemented, this is not necessarily the case for the wide variety of computer-controlled industrial equipment. Issues such as a lack of security and legacy systems connected to unsecured networks seem to be the norm in manufacturing. The root cause is that the lifetime of industrial plant equipment is usually far longer than that of office-based equipment, so it tends to lag behind in terms of security, and re-tooling a plant is expensive and rarely cost effective. Furthermore, most legacy industrial control systems were not built with security in mind; the drivers have been resilience and cost effectiveness. A bit like the NHS IT systems, where the value-for-money option is the cheapest one to go for. As the number and diversity of cyber-attacks increase, this needs to change. The developed countries’ economies depend hugely on their infrastructure and industries, which in turn depend on industrial control systems for their operation, so it is crucial that the security features of these control systems catch up with those of mainstream computing systems.

Useful definitions

Airgap computer networks – computer networks that are physically isolated from other networks. This could be applied in a production environment by not connecting the production computer network to the corporate network (which is typically connected to the internet), in order to increase security.

Industrial control system – a control system used in industrial production. Such systems include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems, e.g. programmable logic controllers (PLC). The systems are found in industrial plants and critical infrastructure.

Malware – a piece of software that has been designed with a malicious purpose in mind. The effects of malware can be the disruption of computer operation, the gathering of sensitive information, gaining access to computer systems, etc.

Phishing – a popular method used by cyber-criminals that attempts to acquire information such as usernames, passwords and other personal details by impersonating a trustworthy entity in an electronic communication.

Production computer network – an industrial computer network whose purpose is to connect the various computer-controlled industrial equipment found on a production plant.

Spearphishing – directed phishing attempts at specific individuals or companies. Attackers will likely gather personal information about their intended target to increase their probability of success.

ZIMBARCO STEELS: Mr Patel’s day at the office…

This case study is based on a real attack on a steel plant that caused significant damage to the company, which became the victim of a spearphishing attack. The name of the person and of the company have been changed to prevent their true identities being revealed.

Zimbarco Steels is a company that specializes in the production of cast steel products. They operate a number of high-capacity blast furnaces that have standard industry computer-controlled systems, which are connected to the company’s production computer network. The production network is connected to the wider corporate network which, as it is ubiquitously the case today, is connected to the internet to ensure the data and information flows necessary for the running of the day-to-day activities of the company.

Mr Patel is one of Zimbarco Steels’ employees who works in the Human Resources department. Every day, when he comes into the office, he makes his usual cup of tea and turns on his computer to deal with his email queue. As he goes through his emails he notices one from his bank asking him to log in to his online bank account and check his current account balance, as there has recently been an unauthorized transfer of money from it. Mr Patel clicks on the link provided and tries to log into his bank account. The first attempt fails; he tries unsuccessfully once more and is about to ring his bank when, at 9.30, he gets a phone call from his manager asking for an emergency meeting to discuss an upcoming grievance case. He closes his emails, thinking that he will talk to his bank later in the day, after the meeting with his manager.

Mr Patel’s office is located in the office building of his local site, in fairly close proximity to one of the blast furnaces that produces high-grade alloy steels for one of their customers.

At 10.45, the site alarm starts ringing – this signals that there is a general emergency on the site and that all employees must evacuate to their designated emergency assembly areas. Mr Patel and his manager go to their designated emergency assembly point, where they meet one of their friends, Mr Jones. Mr Jones works in the blast furnace closest to Mr Patel’s building and tells them that there is a major emergency going on there – the furnace could not be shut down after the normal steel production cycle. As they all wait to see what happens, the health and safety staff tell them that the emergency is likely to continue for some time and that they need to evacuate the company’s site altogether. In the event they have to go home for the day, as no more productive work can be done.

When Mr Patel comes back to work the next day, he finds in his inbox an all-staff email that explains what happened during the previous day – a piece of computer malware affected a number of industrial control systems (that were operating the blast furnace); these were compromised and a major control system failure became apparent leading to loss of blast furnace control. This failure led to an unscheduled shutdown of the said blast furnace, causing extensive damage and loss of production. It is expected that the affected furnace will be out of action for at least two weeks, as repair works to the heavy industrial equipment will be carried out.

Mr Patel calls his bank later on that day to follow up on the previous day’s email, but they tell him that they do not send such emails to customers. Mr Patel deletes the email that asked him to check his bank account and soon forgets about the whole thing; after all he has now got to catch up on the work that he could not do on the previous day.

Mr Patel keeps an eye on the news (the Zimbarco Steels incident makes the national news) in the coming days to see whether any similar industrial facilities have been affected, but nothing appears in the headlines for the next few weeks.

Questions

  1. Explain and discuss the cyber-attack mechanism that led to the unexpected shutdown of the blast furnace at Zimbarco Steels.
  2. Following a digital forensic investigation, it was confirmed that Mr Patel’s computer was the source of a piece of malware that propagated through Zimbarco Steels’ network. What actions should the company take in relation to Mr Patel’s situation?
  3. Identify and discuss the steps that Zimbarco Steels will need to take in order to secure their systems and minimize the likelihood of such attacks occurring in the future.
  4. Following the cyber-attack Zimbarco Steels need to deal with one of their customers who will not now get their cast steel products on time. How would you advise the company to deal with this situation?

Answers

1 Explain and discuss the cyber-attack mechanism that led to the unexpected shutdown of the blast furnace at Zimbarco Steels.

What happened here is the result of a phishing or spearphishing attack. Mr Patel received an email that was supposed to be from his bank. Upon clicking on the link in that email, an unknown, stealthy piece of malware was downloaded onto his computer. The malware was designed to propagate itself across computer networks, and it did just that: first on the company’s corporate network, then on the company’s production network. One of the malware’s payloads was clearly targeting industrial control systems, as the blast furnace control system was infected and malfunctioned, with catastrophic consequences. Two notable aspects of this attack are the speed with which the malware propagated through the company’s systems and its ability to infect industrial control systems. The latter capability is not commonly found in malware and is a recent development. It is unclear what the attackers’ purpose was; speculating, it could be assumed that they targeted Zimbarco Steels in particular, as no other similar attacks were reported around the same time. The cost of this attack to the company would be substantial and would have several distinct components: loss of production, cost of repairs, costs related to the investigation of what happened, possible costs associated with serious injuries or death following the blast furnace incident, etc. All designed to cause mayhem and catastrophe for the company.

2 Following a digital forensic investigation, it was confirmed that Mr Patel’s computer was the source of a piece of malware that propagated through Zimbarco Steels’ network. What actions should the company take in relation to Mr Patel’s situation?

The actions of Mr Patel are indicative of a lack of training and awareness of best practice in computer security. The first steps would be to make sure that Mr Patel is aware of the company’s computer security policy (hopefully this exists!) and that he is provided with up-to-date computer security training. It is likely that many other employees would have done the same thing as Mr Patel, so Zimbarco Steels should make sure that appropriate communications are put in place to reach all of their employees. Training for other employees is advisable; as the company seems to have been targeted specifically, it may well be under attack again in the near future. This could finish the company, or result in a takeover by one of its close competitors. Happy days, you may say?

Mr Patel’s computer and emails will need to be analysed in order to ascertain the extent of the malware infection. It may be possible to trace the source of the malware through analysis of his emails. However, this is likely to be an expensive and time-consuming exercise, and Zimbarco Steels may not be willing to pursue this avenue. Given the nature and magnitude of this attack, a security information management specialist should be contacted and asked for assistance. The local police do not have the resources to delve into this type of incident. Blame the former Home Secretary Theresa May MP for cutting back on our police numbers since 2010!

3 Identify and discuss the steps that Zimbarco Steels will need to take in order to secure their systems and minimize the likelihood of such attacks occurring in the future.

The first thing the company should look at is the physical separation between their corporate and production computer networks – the so-called ‘airgap’ – while also making sure that the production computer network is not connected to the internet.
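As an added example (not part of the case study), one way to make the separation recommended here checkable rather than assumed: a small Python policy check that flags any firewall allow rule crossing the production/corporate or production/internet boundary. The zone addresses and the rule set are constructed for illustration.

```python
"""Check a firewall policy for paths that break production-network separation.
Zone addressing and the sample rules below are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_network

ZONES = {  # hypothetical plant addressing (assumption)
    "corporate": ip_network("10.10.0.0/16"),
    "production": ip_network("10.20.0.0/16"),
}
# Traffic a segregated plant network must never allow, in either direction.
FORBIDDEN = {
    frozenset({"production", "internet"}),
    frozenset({"production", "corporate"}),
}

@dataclass(frozen=True)
class Rule:
    src: str     # CIDR prefix
    dst: str     # CIDR prefix
    action: str  # "allow" or "deny"

def zones_touched(cidr):
    """Named zones a prefix overlaps, plus 'internet' if any part of it
    lies outside every named zone (e.g. 0.0.0.0/0 touches all three)."""
    net = ip_network(cidr)
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        touched.add("internet")
    return touched

def find_violations(rules):
    """Return (rule, src_zone, dst_zone) for every allow rule that crosses a
    forbidden boundary. Deliberately order-insensitive: a later deny does not
    excuse an earlier, broader allow, so over-broad rules are reported too."""
    found = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for s in zones_touched(rule.src):
            for d in zones_touched(rule.dst):
                if s != d and frozenset({s, d}) in FORBIDDEN:
                    found.append((rule, s, d))
    return found

RULES = [  # constructed sample policy
    Rule("10.10.0.0/16", "0.0.0.0/0", "allow"),      # corporate to anywhere: also reaches production
    Rule("10.20.5.0/24", "0.0.0.0/0", "allow"),      # production to internet: breaks the airgap
    Rule("10.10.0.0/16", "10.20.0.0/16", "allow"),   # corporate to production: direct path for malware
    Rule("10.20.1.0/24", "10.20.2.0/24", "allow"),   # within production: fine
    Rule("10.20.0.0/16", "0.0.0.0/0", "deny"),       # denies are not paths, so ignored
]

if __name__ == "__main__":
    for rule, s, d in find_violations(RULES):
        print(f"{rule.src} -> {rule.dst}: allows {s} to reach {d}")
```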

Is it possible/feasible/economical to update their industrial control systems? This is not a trivial exercise; it is likely to take time and cost significant amounts of money. It is best done by building it into the schedule of production-line equipment updates/upgrades, though this is likely to mean a long period spent replacing the systems. A lean system of manufacturing can help in reducing waste and inefficiency and in replacing outdated equipment.

A revision of the company’s computer security policy and procedures is needed, with an emphasis on the security gaps that exist around the company’s industrial production systems. The implementation and monitoring of the new procedures is essential. Commitment from senior management is essential for the rest of the employees to buy into this concept.

In the short term, the company needs to be particularly vigilant, as they have been the victim of a targeted attack which may be repeated. The result of a repeat attack is likely to be the same in the short term, as it will not be possible to replace/update/change the company’s systems quickly. However, a good internal accountant should advise the board of directors of ways in which the costs of replacing outdated systems can be offset against the company’s corporation tax. How about not paying bonuses to the fat cats? Or not replacing the Jaguar or Mercedes/BMW for the directors every three years?

4 Following the cyber-attack Zimbarco Steels need to deal with one of their customers who will not now get their cast steel products on time. How would you advise the company to deal with this situation?

As the Zimbarco Steels incident made the national news, it is likely that their customer will have heard about it. The company should contact their customer straight away and explore solutions with them – the customer may accept different grades of product that exist in stock, or may be happy to re-schedule. Depending on the contractual arrangements, the customer may be entitled to compensation; it is best for both parties to discuss this at the earliest opportunity. All of Zimbarco Steels’ customers will be anxious as a result of this incident, so Zimbarco Steels will have to go on a PR offensive to ensure that their business relationships continue unaffected. It is important that the company explains to their customers the steps they are taking to ensure that this situation will not happen again. It could be useful for Zimbarco Steels to explore with their customers a process of building in resilience to such incidents, though this could be a double-edged sword, as it could be perceived as a weakness of the production processes they employ.