Physical Damage

Behaviours

Checking unknown people's details or security passes

Individuals should check the security credentials of unknown people they come into contact with in the workplace. ...

Preventing tailgating at security checkpoints

When passing through security checkpoints, people should check they are not being followed by others who do not ...

Does not share work passes

Sharing security passes even with "trusted" contacts creates risk. People should only ever use security passes ...

Escorting visitors and ensuring they follow security policies

Visitors should be escorted according to organisational policies. This reduces the risk of unauthorised access to ...

Case study

Prison Break-in

In July 2014, John Strand, an ethical hacker from BlackHills Information Security, took a new approach to penetration testing a prison: he deployed his mother.

Rita Strand posed as a health inspector with a fake badge and business card. She also had a fake “manager’s card” that gave her access to the building and allowed her to roam the prison alone. Rita connected malicious USB devices to various computers inside the facility. They gave BlackHills employees access to the prison’s systems.

There was no resistance from the prison. Believing Rita was a real Health Inspector, they allowed her to carry her cellphone and record the operation. She also entered the prison’s server rooms and its network operating centre without raising any suspicions.

This incident proves how lax cyber security measures allow people with limited technical expertise to infiltrate a company’s systems. Learning from its mistakes, the prison strengthened its security measures and required any future visitors to carry identity cards and undergo additional verification before entering the facility.

German Steel Plant

In 2014, a steel plant in Germany confirmed the second case ever of physical damage as the result of a cyber attack.

Employees at a steel plant in Germany had no idea that opening an email attachment would lead to the total shutdown of their plant and cause irreparable damage to a blast furnace.

The attack began when some employees received "spear phishing" emails from seemingly legitimate sources. The emails tricked people into opening malicious attachments.

Employees who fell for the ruse handed their login details over to criminals, who used the details to access the company’s main system and unleash chaos.

The attack first caused sections of the steel plant to fail, which led to an unscheduled shutdown and, eventually, massive damage to the plant’s blast furnace.

A report by Germany’s Federal Office for Information Security was unable to pinpoint the attackers’ motive but suggested organisations could prevent similar future attacks with real-time anti-malware protection, two-factor authentication and secure remote protocols.

Stuxnet

In early 2010, a Bularussin antivirus company discovered new malware targeting Microsoft Windows systems. The malware attacked computer-controlled high-speed motors manufactured by Siemens. It was named “Stuxnet”.

Stuxnet caused fluctuations in the speed of the Siemens’ computer-controlled motors. If allowed to continue unchecked, the out-of-control motors caused irreparable physical damage.

Following its release, Stuxnet infected over 200,000 computers and physically damaged 1,000 machines. Later investigations suggested Stuxnet was developed to disrupt the Iranian nuclear development programme.

Hostile nations develop such sophisticated malware as “cyberweapons”. This shows how cyber attacks have advanced to the level of global warfare, making cyber security critical to protect not just private but also national assets.

In response to the highly publicised incident, Siemens released a detection and removal tool for Stuxnet. It also recommended regularly updating Microsoft systems, prohibiting the use of third-party USB drives and upgrading password access codes.