The nuclear industry is ignorant of its cybersecurity shortcomings, claimed a report released today, and despite understanding the consequences of an interruption to power generation and the related issues, cyber efforts to prevent such incidents are lacking.
The report adds that search engines can "readily identify critical infrastructure components with" VPNs, some of which are power plants. It also adds that facility operators are "sometimes unaware of" them.
Nuclear plants don't understand their cyber vulnerability, stated the Chatham House report, which found industrial, cultural and technical challenges affecting facilities worldwide. It specifically pointed to a "lack of executive-level awareness".
The study was conducted over an 18-month period and involved 30 interviews with "experts from several different countries, including the US, UK, Canada, France, Germany, Japan, Ukraine and Russia."
Among its more frightening discoveries is that the notion "nuclear facilities are 'air gapped'" is a "myth", as "the commercial benefits of internet connectivity mean[s] that nuclear facilities" are increasingly networked.
Cybersecurity problems facing the industry largely result from legacy issues. As most industrial control systems at nuclear facilities were developed in the 1960s and 1970s ("when computing was in its infancy") cybersecurity was not a consideration in their design.
"One example of the 'insecure by design' nature of industrial control systems is the lack of authentication and verification," found the report. This obedience leaves nuclear facilities' control systems "particularly vulnerable to man-in-the-middle attacks that alter the communication between two devices".
Furthermore, the flexibility of code means that an attacker can change the logic, or the set of programming instructions, for a piece of equipment in order to cause it to behave differently.
The lack of cyber forensics for control systems exacerbates the difficulties nuclear facilities are facing. "It is almost impossible to protect the system once someone gains access to it," stated one source. "That means that right now, we're entirely reliant on the perimeter to stop hackers."
The report (PDF) details seven "known cyber security incidents at nuclear facilities" between 1992 and 2014:
- At Ignalina nuclear power plant (1992) in Lithuania, a technician intentionally introduced a virus into the industrial control system, which he claimed was "to highlight cyber security vulnerabilities".
- The Davis-Besse nuclear power plant (2003) in Ohio was infected by the Slammer worm which disabled a safety monitoring system for almost five hours.
- The Browns Ferry nuclear power plant (2006) in Alabama experienced a malfunction of both the reactor recirculation pumps and the condensate deminerliser controller (a type of PLC).
- The Hatch nuclear power plant (2008) was shutdown as an unintended consequence of a contractor's software update.
- An Unnamed Russian nuclear power plant (circa 2010) was revealed by Eugene Kaspersky to have been "badly infected by Stuxnet".
- South Korea's Korea Hydro and Nuclear Power Co. commercial network (2014) was breached, and information was stolen. The attack was subsequently attributed to North Korea.
- Natanz nuclear facility and Bushehr nuclear power plant (2010)
The most well-known incident dated back to 2010, when a worm was found to be burrowing into industrial Supervisory Control And Data Acquisition (SCADA) systems on a global level.
Dubbed Stuxnet, the worm was programmed to remain dormant unless it detected the particular hardware fingerprint of an industrial software system manufactured by Siemens.
Top researcher Ralph Langner's investigation into Stuxnet lead him to state his "100 per cent certainty" that Stuxnet was designed to interrupt the Iranian uranium enrichment facility at Natanz - where it is believed to have partially destroyed around 1,000 centrifuges.
In 2013, the worm was confirmed to be a state-sponsored product, created by a collaboration between the NSA and Israel. However, the range of threat actors posing a cyber risk to nuclear facilities extended beyond those who were state-sponsored, claimed the report.
The "sophisticated use of Facebook and websites for recruiting purposes" by ISIS meant "with sufficient financial resources, [such groups] could develop the capability to carry out a cyber attack on a nuclear plant or employ a 'hack for hire' company to do this."
Talking to the Financial Times, report author Caroline Baylon acknowledged that "it would be extremely difficult to cause a meltdown at a plant or compromise one but it would be possible for a state actor to do, certainly."
She added: "The point is that risk is probability times consequence. And even though the probability might be low, the consequence of a cyber incident at a nuclear plant is extremely high." ®