In a rare instance of public admission by a government, the German federal agency Bundesamt für Sicherheit in der Informationstechnik (BSI) has acknowledged that a recent cyber attack caused physical damage to an iron plant in the country.
Acknowledging the incident in a report called ‘the IT Security Situation in Germany in 2014,’ the agency said that the hackers gained access to the production network by targeting the iron plant’s office network through a very sophisticated spear phishing and social engineering method, as reported in The Wall Street Journal.
As the plant’s control systems were ‘compromised’, a furnace could not be shut down in the regular way and remained in an undefined condition, leading to catastrophic damage to the machinery.
The agency reported that failures became more frequent in the individual control components as well as the overall system, resulting in the blast furnace not being regulated properly.
The agency has refused to respond to a request for additional information about the company’s name or the extent of the damage.
The BSI, which prepares annual reports on the health of IT for the German government, including critical infrastructure, has tied a cyber action to actual physical destruction for the first time.
Writing about the German incident, Michael Assante, industrial control systems lead for SANS Institute, a cybersecurity research and education organization, said: "I know of seven other incidents that have claimed to have had a cyber-to-physical or significant process effect and a few near misses that were caught in time."
Commenting on the situation, Robert M. Lee, a co-founder at industrial control systems security firm Dragos Security LLC, said: "The industrial control systems community is very secretive for legal and compliance reasons."
"We’re absolutely reaching a point where it’s becoming more normal and expected to talk about these things rather than run from them."