ThyssenKrupp Cyberattack: Protecting ICS from Advanced Persistent Threats

Today’s report of a cyberattack on German conglomerate ThyssenKrupp joins a list of high-profile cyberattacks on industry where the goal has been to steal proprietary information (Dragonfly, Flame, Duqu) or to disrupt business operations (Shamoon).

The ThyssenKrupp cyberattack involved a highly organized and professional malicious actor gaining access to the company’s business systems and then conducting industrial espionage from there. Unlike the 2014 cyberattack on a German steel mill (reported by some to be owned by ThyssenKrupp), this attack did not impact the company’s steel-making blast furnaces and power plants, or its marine systems units, which manufacture military ships.

The losses incurred were the value of the intellectual property that was stolen, such as manufacturing techniques and production plans, and the cost of removing the malware from infected systems. While Industrial Control Systems (ICS) were not impacted this time, the incident is a reminder to ICS operators of the risks associated with Advanced Persistent Threats.

The Advanced Persistent Threat Was Detected “Relatively Quickly”

The cyberattack apparently infected multiple sites of ThyssenKrupp, including ones in Europe, India, Argentina and the United States as well as a specialty steel mill in western Germany.

While the attack is reported to have occurred in February 2016, it was not discovered by in-house staff until April 2016. ThyssenKrupp representatives described the discovery as “quite quick”, and by the standards of malware discoveries by industrial operators it may have been. However, measured by the standard of loss to the business, a 60- to 90-day infection may have been very damaging.

This type of attack is known as an Advanced Persistent Threat (APT): one where a skilled adversary:

  • infects a system
  • moves within it as needed to accomplish an objective
  • achieves the objective and causes damage to the victim

Often, APT attacks take the form of sophisticated malware that infects a system, gathers data about it as well as business data, and operates stealthily over a long timeframe. Stuxnet, for example, gathered data and spread throughout networks for a few years before it executed its attack and before it was discovered.

The Financial Times reports that ThyssenKrupp indicated “It is virtually impossible to provide viable protection against organized, highly professional hacking attacks.” It is difficult to block APTs, and overall ThyssenKrupp is to be commended for its relatively fast action and its public disclosure of the incident.

Having said that, companies need to make ongoing efforts to have high cyber resiliency, including striving to improve APT detection and response times.

What does the ThyssenKrupp Cyberattack Mean for Industrial Operators?

The ThyssenKrupp cyberattack shows that industrial entities continue to be in the cross-hairs of sophisticated and well-organized hackers whose goals may be intellectual property theft, activism, or the disruption of critical infrastructure such as energy and transportation systems.

Stepping up capabilities to combat APTs, such as improving ICS visibility and speeding up malware and anomaly detection times, might just be on your list of priorities for 2017.
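The visibility and anomaly-detection capability recommended above can be illustrated with a small baseline-driven detector. The following is an added example written for this article, not code from ThyssenKrupp, the Financial Times or any monitoring vendor. It assumes that network flow records (timestamp, source, destination, port, protocol) are already being collected from the plant network, that the plant uses the address range 10.0.0.0/16, and that the flow records shown are constructed sample data. It learns which conversations are normal during a quiet window, then flags two things an APT tends to produce: a host talking to a PLC that has never done so before, and a plant host contacting an outside address on a fixed timer.

```python
"""Added example: baseline-driven anomaly detection over ICS flow records.

Hypothetical code. Assumes flow records exported from a network tap or SPAN
port and a plant address space of 10.0.0.0/16 (both constructed assumptions).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

PLANT_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed plant address space


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    proto: str   # application protocol label, e.g. "modbus", "https"

    @property
    def key(self):
        """Conversation identity used for baselining."""
        return (self.src, self.dst, self.dport, self.proto)


# Constructed learning window: an HMI and a historian polling two PLCs, plus
# one workstation reaching an update server outside the plant.
BASELINE_FLOWS = [
    Flow(0, "10.0.1.10", "10.0.2.50", 502, "modbus"),
    Flow(2, "10.0.1.10", "10.0.2.51", 502, "modbus"),
    Flow(5, "10.0.1.20", "10.0.2.50", 502, "modbus"),
    Flow(7, "10.0.1.20", "10.0.2.51", 502, "modbus"),
    Flow(30, "10.0.1.20", "192.0.2.10", 443, "https"),
]

# Constructed monitoring window: the same traffic, plus an unknown host talking
# Modbus to a PLC and the HMI contacting an outside address on a fixed cadence.
MONITOR_FLOWS = [
    Flow(100, "10.0.1.10", "10.0.2.50", 502, "modbus"),
    Flow(102, "10.0.1.10", "10.0.2.51", 502, "modbus"),
    Flow(105, "10.0.1.20", "10.0.2.50", 502, "modbus"),
    Flow(110, "10.0.1.30", "10.0.2.50", 502, "modbus"),   # never seen before
    Flow(130, "10.0.1.20", "192.0.2.10", 443, "https"),
    Flow(120, "10.0.1.10", "203.0.113.7", 443, "https"),  # every 60 s
    Flow(180, "10.0.1.10", "203.0.113.7", 443, "https"),
    Flow(240, "10.0.1.10", "203.0.113.7", 443, "https"),
    Flow(300, "10.0.1.10", "203.0.113.7", 443, "https"),
    Flow(360, "10.0.1.10", "203.0.113.7", 443, "https"),
]


def learn_baseline(flows):
    """Every conversation seen in the learning window is treated as expected."""
    return {f.key for f in flows}


def detect_new_conversations(flows, baseline):
    """Conversations absent from the baseline; in a static ICS network each deserves a look."""
    return sorted({f.key for f in flows if f.key not in baseline})


def detect_periodic_beacons(flows, min_count=4, max_jitter=0.1):
    """Flag plant hosts contacting an address outside PLANT_NET on a near-constant interval.

    HMI-to-PLC polling is periodic by design, so only flows that leave the plant
    network are considered. Returns (conversation, mean_gap_seconds) pairs.
    """
    groups = defaultdict(list)
    for f in flows:
        if ipaddress.ip_address(f.dst) not in PLANT_NET:
            groups[f.key].append(f.ts)
    findings = []
    for key, times in sorted(groups.items()):
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean == 0:
            continue
        # Relative deviation of the worst gap from the mean: low values mean a timer, not a person.
        worst = max(abs(g - mean) for g in gaps) / mean
        if worst <= max_jitter:
            findings.append((key, mean))
    return findings


def run_detection(baseline_flows=BASELINE_FLOWS, monitor_flows=MONITOR_FLOWS):
    """Learn from the quiet window, then report anomalies in the monitored window."""
    baseline = learn_baseline(baseline_flows)
    return {
        "new_conversations": detect_new_conversations(monitor_flows, baseline),
        "beacons": detect_periodic_beacons(monitor_flows),
    }


if __name__ == "__main__":
    for kind, items in run_detection().items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the constructed data this reports the unknown host 10.0.1.30 opening Modbus to a PLC and the HMI at 10.0.1.10 reaching 203.0.113.7 every 60 seconds. The point of the design is that ICS traffic is unusually static, so a learned whitelist of conversations plus a check for machine-regular outbound timing shortens the weeks-to-months dwell time discussed above without any malware signature; in practice the learning window would be validated by plant engineers before being trusted, and the jitter threshold tuned to the site.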