From Stuxnet to Industroyer: The Biggest Hacks in the History of the Industrial IoT

From Stuxnet to Industroyer, here’s what history’s biggest IIoT hacks can teach us about cybersecurity in the Industrial Internet of Things.

Because the Industrial Internet of Things (IIoT) holds such great potential, industrial enterprises have often found themselves implementing new technologies faster than they can adequately secure them. Needless to say, hackers have seized on this fast-moving arena in the hopes of infiltrating vulnerable industrial IoT devices and gaining access to ever-more valuable stores of proprietary data. In the past decade, IIoT cyberattacks have been growing in number and in scale. Here is a list of the five biggest attacks in IIoT history:

1. Stuxnet

Stuxnet is considered the world’s first ever cyberweapon. It emerged in 2010 and is infamous for its role in eviscerating (albeit temporarily) Iran’s nuclear program — an event considered to be the first act of international cyber warfare.

Stuxnet works by targeting programmable logic controllers (PLCs) — industrial digital computers used for manufacturing purposes. In this case, there was one specific PLC target — the computers controlling Iran’s nuclear program. The goal of Stuxnet was to disrupt the PLCs responsible for managing the uranium enrichment centrifuges and cause them to spin out of control to the point of destruction. Destroying these centrifuges significantly set back Iran’s nuclear program. Although no country ever formally claimed responsibility for Stuxnet’s deployment, many speculate that it was a joint American-Israeli endeavor.

Stuxnet was unlike any threat that had come before it because it didn’t just exfiltrate information from devices and networks — it wreaked havoc on the physical equipment those computers controlled. Thus, it is considered the first ever major IIoT hack.

2. Industroyer

Industroyer, often referred to as Crashoverride, is the first known malware specifically designed to attack electrical grids. It is known for its role in the cyberattack on Ukraine’s power grid in December 2016, which disrupted power for over 20% of Kiev’s population.

What made Industroyer such an effective piece of malware was its ability to turn an affected industrial control system’s (ICS) own protocols against it. In Kiev, this stripped operators of their ability to control the automated mechanisms of their grid. Luckily, there is nothing to indicate that Industroyer could impact US infrastructure, since the ICS protocols Industroyer is designed to attack are not used in our power grids.

3. The German Steel Mill Attack

In 2014, a cyberattack led to an explosion in a German steel mill, causing significant physical damage. The attack was carried out by hackers who used spear phishing to obtain sensitive information that gave them unauthorized access to the mill’s corporate network. From there, they were able to reach the plant’s network, where they deployed software that destroyed the components controlling machine interaction. This prevented a blast furnace from engaging its safety settings, causing an explosion that seriously damaged the mill’s infrastructure — an event that was not (but easily could have been) deadly.

The German steel mill attack was particularly notable because it demonstrated that hacking groups have the capability to pivot from higher-level corporate networks into operational networks through trusted communications channels, which can easily be exploited by phishing. This poses serious threats to safety instrumented systems (SIS) and human-machine interfaces (HMI), both of which play large roles in the IIoT.

4. Triton

Triton is malware designed to manipulate safety instrumented systems (SIS), and it specifically targets Schneider Electric’s Triconex product. A Triconex SIS monitors and secures valves, turbines, generators and other equipment, and shuts them down if it determines they are about to fail and cause explosions that might harm people. It is particularly concerning that aggressive malware has been created to threaten this system, because when industrial safety systems are disrupted, it is more than just data and networks that are at risk — human lives are also at stake.

Triton is being deployed by a highly capable hacking group that is able to gain access to critical safety systems in networks and deploy its payloads without triggering alerts on the victim’s networks. Experts believe the activity is consistent with a nation-state (likely Russia) preparing for an attack, as the group has been targeting a Saudi petrochemical plant for two years now.

5. Devil’s Ivy & the Rube-Goldberg Attack

Unlike some of the other attacks on this list, a Rube Goldberg Attack (RGA) isn’t a specific kind of cyber technology; rather, it is a method of action that hackers use against companies that have deployed many IIoT devices. An RGA is a chained attack designed to exploit industrial IoT device weaknesses so that hackers can circumvent network and computer security measures. The sort of bugs deployed in an RGA are called Devil’s Ivy because they move across a long chain from device to device before opening an undetectable backdoor into an organization’s servers and networks.

Here’s an example of what it might look like: a company has various IoT cameras around its office. An attacker might identify an unpatched network camera in these offices and deploy Devil’s Ivy on it. Exploiting the camera’s vulnerabilities, the hacker can obtain basic information about the router connected to the camera (which would be directly connected to the company’s network). Using just the router’s IP address and its model number, a hacker can exploit the known vulnerabilities of that model and gain control of the router. Once the router is compromised, an attacker can change network rules at will and exfiltrate valuable data from the company’s network.

This kind of attack is incredibly hard for a security system to defend against, since it works across many devices and is almost impossible to track. Though an attack like this would require fairly extensive planning, it takes very little technical work to execute and can even be automated.

In 2017, IoT attacks were up 600%, and McAfee reported that IoT malware attacks rose over 70% in Q4 of 2018. Enterprises can expect IoT security breaches to continue rising as the IIoT expands and the targets increase in value.

In summary, the businesses that will see the most benefit from the IIoT will be those that simultaneously cover their bases from a cybersecurity standpoint. The risks associated with having your network and your physical infrastructure hacked are potentially ruinous. In order to execute secure IIoT implementations, industrial enterprises will have to assemble the right team of people, plan carefully, and design their deployments for maximum cybersecurity.

With three decades of experience designing networks as secure as they are powerful, Turn-key Technologies (TTI) has the resources and expertise necessary to ensure that industrial enterprises get all the benefits of the IIoT — without the potential pitfalls. For any organization seeking to deploy IIoT networks — or secure the ones they’ve already implemented — a network assessment from TTI is a great place to start.


By Craig Badrick