According to a German federal agency report, Die Lage der IT-Sicherheit in Deutschland 2014 (Situation Report on IT Security in Germany 2014), cyber criminals gained access to an iron plant and caused “massive damage to the whole system”.
The attackers were able to access the plant’s office network through a targeted malicious email, which enabled them to take over the production network. The breach resulted in a furnace being unable to shut down properly.
It is rare for a government agency to link a cyber attack to actual physical damage.
Robert Lee, co-founder of industrial control systems security firm Dragos Security LLC, commented on this recent advanced persistent threat (APT):
“The attackers had advanced know-how of not only conventional IT-security, but also detailed technical knowledge of the industrial control systems and production processes that were used in the plant.”
The industrial control systems community has remained largely secretive for obvious legal and compliance reasons, but this is now believed to be changing as it becomes the norm to speak more openly about cyber attacks.
Cyber attacks on critical infrastructure are a significant worry for many. Recent high-profile data breaches at retailers across America have demonstrated the real extent of the devastation cyber attacks can cause (loss of customer data, fines, brand damage), but we have yet to see significant physical damage from a cyber attack.
Organisations looking to increase the level of security around their information systems are encouraged to implement ISO27001, the internationally recognised cyber security best practice specification. The Standard sets out specific requirements against which an organisation’s information security management system (ISMS) can be certified. Certifying to the Standard ensures your data is secure not only today but also in the future. Regular audits of your ISMS mean that you keep on top of what is happening with your data and who has access to it.
Resources you may find useful:
ISO/IEC 27001:2013 ISMS Requirements – the official standard
An Introduction to Information Security and ISO27001 (2013) provides a brief, accurate, easy-to-read primer on information security from an acknowledged expert.
The Case for ISO 27001 (2013) Second Edition presents a compelling business case for implementing ISO27001 in order to protect your information assets.