Nuclear facilities are wide open to cyber attacks
You would think that, given the potential disastrous consequences of a successful hack, the computer systems and networks of nuclear facilities would be better secured agains cyber intrusions. Unfortunately, you would be wrong.
According to a Chatham House report published today, “the trend to digitization, when combined with a lack of executive-level awareness of the risks involved, means that nuclear plant personnel may not realize the full extent of their cyber vulnerability and are thus inadequately prepared to deal with potential attacks.”
Among the things that the authors of the report found are that contrary to popular belief, most nuclear facilities are not isolated from the public internet – internet connectivity is simply of too great a benefit to remove it completely. Unfortunately, this also means that often some of these components can be identified by attackers who known how to use search engines like Shodan.
But even when the systems are “air-gapped”, this obstacle to access can be easily overcome by attackers with a simple flash drive.
Another big risk is supply chain vulnerabilities – at any point in time between the moment it is manufactured until the moment it is delivered to the facility and installed, equipment used at a nuclear facility can be compromised.
As in many organizations around the world, the IT and non-IT personnel of these facilities have difficulty in finding a common language. This, coupled with a lack of training, means that nuclear plant personnel often lack an understanding of key cyber security procedures.
Nuclear facilities are also often guilty of approaching cyber security reactively. As the authors noted, this could lead to them not knowing of a cyber attack until it is already substantially under way. In short, they are unprepared for a large-scale cyber security emergency.
Add to all this the fact that software patching at these facilities is often eschewed because of the worry that patches could break a system or lead to significant downtime, the lack of clear cyber security incident disclosure procedures and information sharing, and insufficient spending on cyber security, and you have a situation that is not, in any way, good for the defenders.
The report and its summary contain recommandations to address these problems, but it will take “an organizational response by the civil nuclear sector, which includes, by necessity, knowledgeable leadership at the highest levels, and dynamic contributions by management, staff and the wider community of stakeholders, including members of the security and safety communities.”
The report also includes details of several known cyber security incidents at nuclear facilities in the last two decades or so, including that at the Natanz nuclear facility and the Bushehr nuclear power plant (remember Stuxnet?). It was also compiled after interviewing experts from around the world, including the US, UK, France, Japan, Germany, Ukraine and Russia.
“While Chatham House’s report has focussed on the vulnerabilities within the UK’s nuclear facilities, the same issues affect all of our critical national infrastructure – from electricity to water,” Ross Brewer, vice president and managing director for international markets at LogRhythm, commented.
“Attacks on SCADA systems have become more prevalent in recent years as hackers realise the ease of exploiting them – in fact, some of the most infamous cyber-attacks in recent memory have affected SCADA systems, such as the Stuxnet and Flame viruses. Clearly, if flaws in nuclear infrastructure are exploited then there will be major repercussions and it is imperative that any gaps are closed as quickly and efficiently as possible.”
“It is interesting the report highlights the fact that approaches to cyber-security are far too reactive – something that is true in pretty much every industry,” he pointed out, adding that there is a definitive need to take an intelligent approach to security, ensuring that all systems are continuously monitored so any type of compromise can be identified and dealt with as soon as it arises.
“Anyone underestimating the importance of continuous monitoring will ultimately be proved wrong and, particularly in the case of nuclear infrastructure, by the time they learn that lesson, it will be too late,” he concluded.
“Many SCADA and ICS (Industrial Control Systems) systems were built decades ago when cyber security was not yet an issue. To add cyber security defences to these systems is a major task, coupled with the fact that due to their critical nature, downtime for system upgrades is virtually impossible,” says Tony Berning, senior manager at security firm, OPSWAT.
His advice to improve the security of critical infrastructure is to air-gap systems, avoid using default configurations on network and security appliances, apply USB and portable device security, defend against APTs, perform regular penetration testing and vulnerability assessments (if possible conducted by a third party), and institute employee awareness training and perform continuous evaluation.