An official from the United Nations' (UN) nuclear agency has admitted a cyber-attack ‘disrupted’ a nuclear power plant, speaking to press in Germany.
Yukiya Amano, the Director General of the International Atomic Energy Agency (IAEA), did not tell the audience how, when or where the nuclear power plant was disrupted beyond that it happened several years ago, and though the plant did not have to shut down it did have to take “some precautionary measures”.
Speaking in Germany, Amano told Reuters that the possibility of cyber-attacks on critical infrastructure, like nuclear plants, is ‘not an imaginary risk’. He added, “This issue of cyber-attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it's the tip of the iceberg.”
Amano added that the IAEA was helping to train countries for these next-generation cyber-security threats.
While perhaps shocking, this is certainly not the first instance of a cyber-attack on a power facility or even a nuclear facility. Last year, one Ukrainian power company succumbed to a cyber-attack, believed to be performed by the BlackEnergy APT group, which led to power outages for hundreds of thousands in the dead of winter. In 2014, a Korean nuclear power company found that information had been stolen from non-critical systems.
The news is sure to confirm the fears of many within the cyber-security community that the worst-case scenario is not the kind of mass data breaches that fill the headlines, but ones that reach out and directly risk human life.
Stephen Gates, chief research intelligence analyst at NSFOCUS, said that such an attack is not just a remote fear, but “the probability of a power plant being disrupted by hackers is somewhat high. The information technology in use at these facilities is no more secure than any other network.”
He told SCMagazineUK.com, “If hackers disrupted systems in a power plant, their ‘attacks’ either entered the facility via physical access, or they came in via the internet. If it was the internet, the real question is why do these types of extremely critical infrastructures need access to the internet in the first place?”
While the details are at best vague, Cristina Varriale, research analyst at the Royal United Services Institute's Proliferation and Nuclear Policy Team, told SC that the admission “does re-highlight the issue of cyber in nuclear as a security challenge that needs considering, and at this stage raises more questions about the threat and how to address it.”
For example, “Should there be more transparency and cooperation between states on this, or would this likely compromise security? Do states who are considering nuclear power/in the early stages of building nuclear power plants have the necessary resources to adequately address cyber concerns?”
They may not, said Richard Cassidy, UK cyber-security evangelist at Alert Logic. He told SC that SCADA frameworks are often outdated, “with mandates on security best practices falling short of regulation across other industry sectors (such as finance and healthcare for instance). This in turn has led to a fallacy that utilities providers aren't a target for cyber-criminal groups, because they're of no real value.”
This, added Cassidy, is simply not the case: “there is a great deal of monetisation opportunity by attacking and gaining control of key utilities systems; holding the organisation or government to ransom will (more often than not) reap rewards, given the propensity to maintain confidence at a national level amongst citizens and tourists alike.”
Better regulation is no doubt required, said Tim Erlin, senior director of product management at Tripwire: “North America has made significant progress in managing information security within energy and utilities through the NERC CIP standard in recent years. This type of regulation is sorely needed in the rest of the world to raise the bar consistently on securing critical infrastructure.”