Kim Zetter at Wired reporting on the second known time a cyber attack has caused confirmed physical damage:
Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it.
I’m referring to the revelation, in a German report released just before Christmas (.pdf), that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.
This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet, the sophisticated digital weapon the U.S. and Israel launched against control systems in Iran in late 2007 or early 2008 to sabotage centrifuges at a uranium enrichment plant. That attack was discovered in 2010, and since then experts have warned that it was only a matter of time before other destructive attacks would occur. Industrial control systems have been found to be rife with vulnerabilities, though they manage critical systems in the electric grid, in water treatment plants and chemical facilities and even in hospitals and financial networks. A destructive attack on systems like these could cause even more harm than at a steel plant.
Industrial Control Systems security is the next frontier. This is an area ripe for abuse because of the rush to connect ICS to the internet with an utter disregard for the potential for attack. Plus, many people in the industry lack the understanding of the threat, falsely believe they are protected or just simple do not need protection.