For The Second Time Ever, A Cyberattack Causes Physical Damage

It’s the dawn of a new kind of war

ThyssenKrupp steel plant, worker in the blast furnace

ThyssenKrupp Steel Plant, worker in the blast furnace

Juni 1988 Duisburg: Thyssen-Stahlwerk, Arbeiter in der Hochofenanlage.German Federal Archives, via Wikimedia Commons CC BY-SA 3.0 DE

The terrifying specter of a future of cyberattacks is that someday, a malicious actor will reach through the internet and cause real, tangible, physical harm. It sounds like a Hollywood plot: a computer is compromised, and suddenly the machinery of a factory is broken. Yet despite the panic, until recently there's only been one such confirmed case. That was Stuxnet, an American-made virus which disrupted an Iranian centrifuge used to enrich uranium in the late 2000s. Then, last month, Germany published a report of another cyberattack turned physical: a furnace at a steel mill that wouldn't shut down.

From Wired:

It’s not clear when the attack in Germany took place. The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack—sending targeted email that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer. Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the production network.

The attack caused physical damage, though the report doesn't clarify if the damage was intentional or a by-product of the malicious access of the steel mill's computers. And the physical damage is significant. Most of what is labeled cyberwar, like the Sony hack is information theft or involves damage to files, which is certainly harmful but falls under norms governing espionage, theft, and intelligence collection. Damage like this is sabotage, and is more clearly a kind of harm that justifies a use of force.

In the future, if there are attacks through the internet that reach anything like the level of war, it will be viruses like Stuxnet or hacks like the German steel mill that count as cyber war.