ThyssenKrupp said it waited to publicize the attack while it identified, then cleansed infected systems in one concerted, global action before implementing new safeguards to monitor its computer systems. “It is important not to let the intruder know that he has been discovered,” a spokesman said.
A criminal complaint was filed with police in the state of North Rhine-Westphalia and an investigation is ongoing, it said. State and federal cyber security and data protection authorities were kept informed at each stage, as well as Thyssen’s board.
Secured systems operating steel blast furnaces and power plants in Duisburg, in Germany’s industrial heartland in the Ruhr Valley, were unaffected, the company said.
No breaches were found at its marine systems unit, which produces military submarines and warships.
A previous cyber attack caused physical damage to an unidentified German steel plant and prevented the mill’s blast furnace from shutting down properly.
The shift towards automation of critical infrastructure and industry systems means that we can reduce costs of production while (in many cases) improve worker safety by keeping workers away from particularly dangerous areas of manufacturing facilities. At the same time, however, by digitizing functions that were once performed using analogue or network-disconnected systems the attack surface of these facilities increases: whereas once a human insider might have been needed, now an attacker just needs an implanted computer that is on, or can gain access to, the relevent network.
The problems linked to digitizing infastructure and manufacturing systems are not going to improve quickly: attackers are just now really starting to launch targeted attacks, and the investmentments made by companies in their equipment are not going to be just thrown out. That means that many systems and companies will likely remain exposed to possible attack for years, if not decades, barring a significant shift in security culture.