Steel Mills & Air Gaps

By now every has read that a German steel company suffered a cyber attack.  There isn’t really much to say about the attack itself.  We don’t have any good information.  How did the attackers get in, what systems were being used by the mill, etc?

Benjamin Sonntag, a software developer and digital rights activist, told Reuters: “We do not expect a nuclear power plant or steel plant to be connected to the internet.”

Power plants are regulated.  They have NERC to ensure there is at least a base level of security.  Much like PCI compliance, there are plenty of interesting interpretations of the rules for maintaining compliance that organizations use.  Metal production lacks any regulation.

I’m hoping Benjamin’s original statement was longer and the BBC cut him short.  Mills are all connected to the internet in some capacity.  For a background on the metal industry, it is in extremely rough shape and has been going through consolidation.  Mills are constantly shutting down as efficiency is gained.  Metal is a critical sector of the economy, so governments prop up manufacturers through tariffs or subsidies.

Given the organizations have limited financial resources, a strong degree of arrogance (the government needs us), and no regulations, security is extremely lax.  Most mills have a basic degree of segmentation, but there are issues.  Our argument is to segment production systems, but what does that mean?

The production network may be secure, but the process monitoring could be on the business network.  A producer is unlikely to have the people to run a process while the monitoring is down.  Sure, it theoretically can run safe, but do you really want to test that when it could lead to catastrophic results?

Much like we in the security industry are outsourcing, so are metal manufacturers.  We have our MSSPs and appliances that connect out for updates and health checks.  Production systems do the same thing.  These organizations have tunnels or direct links to various contracted companies.  How secure are these tunnels?  Target was breached via an HVAC vendor.  Most of these companies have extremely strong connections to their suppliers and customers to the point that some share the same facility.  Extracting (mining) companies, shipping companies (boat / rail / road), pre-processing, byproducts, support services, and customers may share the same plot of land for larger operations.