Nuclear power plants around the world remain under a very real risk of a “serious cyber-attack” according to a report by the respected Chatham House think tank. ‘Cyber-security at civil nuclear facilities, understanding the risks’ by Caroline Baylon with Roger Brunt and David Livingstone was published in September 2015 and is available in full, free of charge.
Part of the Royal Institute of International Affairs, Chatham House has said the likelihood of a serious cyber-attack upon our civil nuclear infrastructure is growing largely as a result of facilities becoming ever more reliant on digital systems.
The increasing use of commercial ‘off-the-shelf’ software and executive-level lack of awareness were also cited as major contributing factors to the increased risk. This has led to a new degree of digitisation where control systems for infrastructure are effectively “insecure by design” as a result of their age.
Myths in conventional belief
Chatham House has said that the conventional belief that all nuclear facilities are ‘air gapped’ (i.e. isolated from the public Internet) is a myth - as demonstrated by the Stuxnet worm. According to a report summary, “The commercial benefits of internet connectivity mean that several nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of.”
Remarks made at the ‘International Conference on Computer Security in a Nuclear World’ in Vienna this June by International Atomic Energy Agency (IAEA) director general Yukiya Amano state that last year alone, there were cases of random malware-based attacks at nuclear power plants, and of such facilities also being specifically targeted.
The risks today have been attributed to cyber-criminals, state-sponsored hackers and terrorists, who are all increasing their online activity. In the face of this recognisable trend, in his role as manager of digital risk and security at energy operator National Grid, David Willacy has highlighted what he has called, “[The] desperate need for real cultural change in the energy sector in the UK and elsewhere.”
More reasons to worry
Chatham House reminds us that even a small-scale cyber-security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry. The report also calls out IT supply chain vulnerabilities, which mean that equipment used at a nuclear facility risks being compromised ‘at any stage’. A lack of training, combined with communication breakdowns between nuclear plant engineers and security personnel, is also exacerbating the problem.
The report clarifies this suggestion and says that, “Nuclear plant personnel, who are operational technology engineers, and cyber-security personnel, who are information technology engineers, frequently have difficulty communicating, which can lead to friction.”
Speaking directly to SCMagazineUK.com today, Chatham House's Caroline Baylon highlighted the report's recommendations in terms of how communication might be improved between nuclear plant personnel and cyber-security personnel.
“For example, encouraging both nuclear and cyber-personnel to work together on developing integrated risk assessments - at present, we can for the most part do either a safety risk assessment or a security risk assessment, but not one that combines the two - would be an important way to both encourage mutual understanding and raise awareness of cyber-security risks within the industry,” said Baylon.
On the question of whether cyber-security staff should spend more time visiting and liaising with nuclear facilities and staff, Baylon asserts that it will be key to encourage face-to-face communication between the two communities as much as possible. “For example, other tactics might involve holding integrated drills on cyber-security at nuclear facilities, which will bring together both cyber and nuclear personnel. There is also a need for more cross-disciplinary university programmes addressing these issues,” she added.
In other commentary on this news, Tony Berning, senior manager at security firm OPSWAT, has said that as attacks become more sophisticated and digital control systems increase in complexity and levels of automation, it is increasingly difficult to prevent threats from impacting the operation of critical infrastructure.
“As portable media is a primary vector for cyber-attack, it is often the only way to transport files to and from secure areas. As key attack vectors for malware, it is extremely important that extra attention is placed on securing the portable media devices that are brought in and out of a secure facility.”
Advice going forward
The Chatham House report recommends developing guidelines to measure cyber-security risk in the nuclear industry, including an integrated risk assessment. As well as advocating robust dialogue between engineers and contractors, the report authors also advocate implementing rules to promote good IT hygiene in nuclear facilities (for example to forbid the use of personal devices) and the establishment of industrial CERTs (Computer Emergency Response Teams).
In an email to SC, Kirill Slavin, managing director of Kaspersky Lab, commented: “While many will dismiss these threats as merely fiction, we're already seeing examples of cybercriminals exploiting new technology. For example, in Moscow, speed cameras and traffic monitoring systems were infected with an unidentified Trojan which stopped authorities catching traffic offenders. A seemingly minor attack which had huge effects on function, and revenue collection. Similarly it was recently claimed that someone was able to hack the in-flight entertainment system on a United Airlines flight and access the flight control systems.
“The research carried out for the study also showed that the UK's nuclear plants and associated infrastructure were not well protected or prepared because the industry had converted to digital systems relatively recently. This highlights the fact that too often security is brought in as an afterthought. Systems can and should be designed to meet not just today's, but tomorrow's security needs and requirements. One of the main problems is that organisations within an industrial and/or critical infrastructure setting generally place a much higher priority on continuity of process than on data protection. So software and systems often go unpatched for extended periods, with their operators relying upon air-gaps, firewalls and sandboxing to protect from malefactors – and neglecting or deprioritising good security hygiene at an endpoint level. This not only makes them attractive targets for cybercriminals, but increases their risk of becoming collateral victims of rogue malware. However, if the organisations responsible implement the appropriate security measures at the beginning, the benefits will by far outweigh the costs at the end.”