Protection against cybercrime
The 5 most fatal hacks against ICS systems
The age of Industry 4.0 brings with it a clear trend: more and more industrial control systems (ICS) are connected to the internet. This meets the demands of the digitalized economy for dynamic and highly efficient automation processes with cross-organizational data transfer, but also makes industrial components vulnerable.
Cyber criminals benefit from the fact that some production environments date back to a time when industrial systems were regarded as isolated, offline units. Security measures such as authentication, password management or access control were therefore not considered strictly necessary back then, and they have often been retrofitted only in a patchy manner. In addition, today's ICS environments often combine components from many different manufacturers, which makes transparency and monitoring of IT security more difficult. This plays into the hands of attackers if, for example, they are planning a targeted APT (Advanced Persistent Threat) attack in order to siphon off data undetected for as long as possible.
Industrial control systems also play a key role in critical infrastructures (KRITIS, the German abbreviation). Operators of such environments include energy suppliers, waterworks, information technology and telecommunications companies as well as organizations from the healthcare, finance and insurance sectors. Given the importance of these operators for the common good, their ICS components are attractive targets for cyber criminals.

Top 5 largest industrial cyber attacks
The Federal Office for Information Security (BSI) describes such incidents in the report "The state of IT security in Germany 2016". Below you can read about the fatal consequences these attacks can have.
Power outage in Ukraine
In December 2015, attackers using the BlackEnergy malware carried out a coordinated attack on at least three energy grid operators in Ukraine. Spear phishing emails are suspected to have been used to persuade employees to open the malicious attachments. Among other things, the cyber criminals installed malware on systems with outdated software versions, deleted data on Windows systems and carried out a TDoS (Telephone Denial of Service) attack on at least one call center of the distribution network operators, which overloaded its telephone lines. Around 225,000 residents were affected by a power outage lasting several hours and were unable to report the disruption by telephone.
Ransomware in the hospital
In February 2016, unknown persons introduced a ransomware Trojan into the internal network of the Lukaskrankenhaus hospital in Neuss. This caused disruptions to IT systems and impeded the treatment of patients. However, as the network was shut down immediately after the first anomalies, only a very small proportion of the data was encrypted. The hospital decided against paying a ransom and was able to restore the data using backups. Nevertheless, the costs for analyzing the attack and restoring IT operations were reported to be around one million euros.
Cyberattacks on the banking system
In the first half of 2016, incidents were reported in which unknown persons gained unauthorized access to the communication services of the Society for Worldwide Interbank Financial Telecommunication (SWIFT). The attackers used common hacking methods such as phishing or watering hole attacks. They attempted to penetrate the banking systems, siphon off authentication data for access to SWIFTNet and send messages there to initiate transfers. The successful attacks on the central bank of Bangladesh, the Ecuadorian Banco del Austro and a Ukrainian bank alone resulted in losses totaling 103 million US dollars.
ICT providers with millions of hours of downtime
Three major disruptions were reported at ICT providers during the period covered by the latest BSI situation report. A total of around 36 million user hours in the areas of telephony and Internet access were lost as a result. The most extensive disruption alone accounted for 27 million user hours and affected the mobile communications sector. All disruptions were caused by availability failures of central authentication or routing components. Probably the best-known incident in Germany was the hacker attack on Deutsche Telekom in November 2016, which affected the internet routers of more than one million customers.
Cross-industry attack by Petya
On June 27, 2017, the Petya encryption Trojan (also known as NotPetya, ExPetr, DiskCoder.C) disabled the IT systems of numerous companies and institutions. The origin and focus of the cyberattack was in Ukraine, but it had a global impact. The ransomware is said to have been distributed via the update function of an accounting software called MeDoc, which is widely used in Ukraine.
In some cases, the attack had a massive impact on production and business processes. KRITIS operators such as a Russian oil producer, a Danish logistics company and an American pharmaceutical company were also affected.
The consequence: protect systems
A number of principles for protecting critical infrastructures, when implemented, make cyber attacks significantly more difficult and therefore help to increase security.
Network zoning:
Divide your network into areas that are not interconnected, or only partially so. This creates monitoring points that help to quickly localize the zones affected by an attack and prevent hackers from moving laterally through the network.
Authentication and access controls:
Your identity management should be based on multi-factor authentication. With the help of access control and monitoring, administrators can also define who can access which devices and data and for what purpose. This also enables secure remote maintenance.
Whitelisting:
Implement application whitelists on the servers. The application-specific filters ensure that only those programs whose execution is explicitly permitted can be used.
Component hardening:
You increase the security of your network components by only using software on them that is actually needed there. Remove all software components and functions that are not absolutely necessary to perform the intended tasks, as they represent an avoidable security risk, for example if patches are not installed immediately.
Monitoring:
Detecting attacks as early as possible is crucial. To do this, use monitoring systems that continuously watch critical network segments, and do not grant internal servers direct access to the Internet; route their traffic instead through a proxy server in the DMZ, for example.
Emergency plan:
Define clear responsibilities, reporting lines and escalation paths in an emergency plan so that you are prepared should an attack occur. If no staff are available for an internal emergency team, you can rely on the support of external providers.
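As an added illustration of the zoning and monitoring principles above (example code written for this article, not from the BSI report or Airbus CyberSecurity), the script below assumes a constructed three-zone address plan, a single egress proxy in the DMZ and a simple key=value firewall log format, and flags flows that cross zones without permission or reach the Internet without going through the proxy.

```python
import ipaddress

# Constructed zone plan (assumption): the addressing is ours, not the article's.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/16"),  # ICS / PLC segment
}
PROXY = "10.20.0.5"  # the only host allowed to reach the Internet directly
# Permitted zone-to-zone directions; anything else is a zoning violation.
ALLOWED = {("office", "dmz"), ("control", "dmz"), ("internet", "dmz")}
# Constructed firewall log lines in a simple key=value format (assumption).
LOG = [
    "ts=2024-01-01T08:00:00 src=10.10.4.12 dst=10.20.0.5 dport=3128",   # office -> proxy
    "ts=2024-01-01T08:00:01 src=10.20.0.5 dst=203.0.113.10 dport=443",  # proxy -> Internet
    "ts=2024-01-01T08:00:02 src=10.10.4.12 dst=10.30.1.7 dport=502",    # office -> PLC
    "ts=2024-01-01T08:00:03 src=10.30.1.7 dst=198.51.100.9 dport=443",  # PLC -> Internet
]


def zone_of(ip):
    """Map an address to its zone; anything outside the plan counts as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def check_flow(src, dst):
    """Return a finding for one flow, or None if the flow is permitted."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is outside the scope of this check
    if dst_zone == "internet":
        if src == PROXY:
            return None
        return f"direct Internet egress from {src} ({src_zone}) bypasses the DMZ proxy"
    if (src_zone, dst_zone) not in ALLOWED:
        return f"cross-zone flow {src} ({src_zone}) -> {dst} ({dst_zone}) not permitted"
    return None


def scan(log_lines):
    """Parse key=value log lines and collect findings for zoning or egress violations."""
    findings = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        finding = check_flow(fields["src"], fields["dst"])
        if finding:
            findings.append(finding)
    return findings
```

Running `scan(LOG)` on the constructed lines reports the office-to-PLC flow as a zoning violation and the PLC's direct egress as a proxy bypass, while the two proxy-related flows pass.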
Marcus Pauli, Security Analyst at Airbus CyberSecurity / am