The risk of a serious cyber attack on civil nuclear infrastructure is growing, as facilities become ever more reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software, according to a new report by the international affairs think-tank Chatham House.
A trend to digitisation, plus a lack of executive-level awareness of the risks, means that nuclear plant personnel may not realise their cyber vulnerability and are thus not prepared enough to deal with potential attacks, according to the 53-page report. Nuclear plant personnel, who are operational technology engineers, and cyber security personnel, who are information technology engineers, frequently have difficulty communicating, made worse because the cyber people are off-site. The nuclear plant people find the procedures documents produced by cyber security personnel unclear. Besides such cultural differences, there are technical difficulties: many industrial control systems are ‘insecure by design’, since cyber security measures were not designed in; and patching, as done commonly in IT, may not work in nuclear power for fear that a patch might cause a whole system to fail and cause downtime. The report suggests setting rules where there aren’t any; such as banning personal devices from control rooms and requiring nuclear plant personnel to change the default passwords on equipment.
The report authors include Roger Brunt who after retiring from the British Army in 2004 was appointed the UK government’s regulator for security in the civil nuclear industry as the director of the Office for Civil Nuclear Security.
Its findings include:
The conventional belief that all nuclear facilities are ‘air gapped’ (isolated from the public internet) is a myth. The commercial benefits of internet connectivity mean that a number of nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of.
Search engines can readily identify critical infrastructure components with such connections.
Even where facilities are air gapped, this safeguard can be breached with nothing more than a flash drive.
Supply chain vulnerabilities mean that equipment used at a nuclear facility risks compromise at any stage.
A lack of training, combined with communication breakdowns between engineers and security personnel, means that nuclear plant personnel often lack an understanding of key cyber security procedures.
Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.
The report suggests policy and technical measures to counter the threats that include:
Developing guidelines to measure cyber security risk in the nuclear industry, including an integrated risk assessment that takes both security and safety measures into account.
Engaging in robust dialogue with engineers and contractors to raise awareness of the cyber security risk, including the dangers of setting up unauthorised internet connections.
Implementing rules, where not already in place, to promote good IT hygiene in nuclear facilities (for example to forbid the use of personal devices) and enforcing rules where they do exist.
Improving disclosure by encouraging anonymous information sharing and the establishment of industrial CERTs (Computer Emergency Response Team).
Encouraging universal adoption of regulatory standards.
To download the report visit https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks
– See more at: https://www.chathamhouse.org/.
Comments
Ross Brewer, vice president and managing director for international markets at LogRhythm, said: “While Chatham House’s report has focussed on the vulnerabilities within the UK’s nuclear facilities, the same issues affect all of our critical national infrastructure – from electricity to water. Attacks on SCADA systems have become more prevalent in recent years as hackers realise the ease of exploiting them – in fact, some of the most infamous cyber-attacks in recent memory have affected SCADA systems, such as the Stuxnet and Flame viruses. Clearly, if flaws in nuclear infrastructure are exploited then there will be major repercussions and it is imperative that any gaps are closed as quickly and efficiently as possible.
“It is interesting the report highlights the fact that approaches to cyber-security are far too reactive – something that is true in pretty much every industry. It is still far too common for organisations to focus on protecting the perimeter, using tools like firewalls and antivirus, but this is now proven to be ineffective. If an attacker wants to get in, they will, no matter how many point security solutions you have in place. Instead attention needs to be directed to identifying a breach and rectifying the issue as quickly as possible. The time between detection and response is when systems are at their most vulnerable, and without a strategy in place to effectively and efficiently deal with the problem, the consequences could be far reaching.
“The answer is to take an intelligent approach to security, ensuring that all systems are continuously monitored so any type of compromise can be identified and dealt with as soon as it arises. No longer can it be presumed that with the right tools in place systems are secure, instead the opposite must be thought of as the status-quo – unless you know you’ve been breached, you’re not safe. Continuous monitoring networks, collating the information and adding context will ensure that any unusual activity is flagged and can be investigated. Anyone underestimating the importance of continuous monitoring will ultimately be proved wrong and, particularly in the case of nuclear infrastructure, by the time they learn that lesson, it will be too late.”
Tim Erlin, Director of Security and Product Management at Tripwire, said: “There’s no doubt that nuclear facilities are not only at risk of attack, but already being attacked. Most concerning is the conclusion that while these facilities believe they’re disconnected from the Internet, they are not. If your first defense is a virtual moat, but you’ve been building bridges around the castle, there’s a serious problem to address. Compromise through the supply chain occurs in other industries, and is something we’ve just seen in the recent T-Mobile/Experian breach. Motivated attackers will take advantage of the weakest point.
“In the connected economy, every organisation both has a supply chain and is part of a supply chain. Proactive and reactive strategies for cybersecurity must be balanced to be effective. Swinging the pendulum too far in either direction can be disastrous.”
Kirill Slavin, managing director, Kaspersky Lab, called it a wake-up call, not just for the nuclear industry, but for critical infrastructure as a whole. “Governments and businesses around the world are now grappling with the potential threat to ‘critical infrastructure’ installations and the need to defend systems that, if successfully attacked, impact not just the organisations concerned, but society at large. This is another warning sign of the risks we face as our critical infrastructure becomes increasingly connected and as cybercriminals, including state-sponsored hackers and terrorists, increase their online activity, so the risk of a significant online attack will escalate.
“While many will dismiss these threats as merely fiction, we’re already seeing examples of cybercriminals exploiting new technology. For example, in Moscow, speed cameras and traffic monitoring systems were infected with an unidentified Trojan which stopped authorities catching traffic offenders. A seemingly minor attack which had huge effects on function, and revenue collection. Similarly it was recently claimed that someone was able to hack the in-flight entertainment system on an United Airlines flight and access the flight control systems.
“The research carried out for the study also showed that the UK’s nuclear plants and associated infrastructure were not well protected or prepared because the industry had converted to digital systems relatively recently. This highlights the fact that too often security is brought in as an afterthought. Systems can and should be designed to meet not just today’s, but tomorrow’s security needs and requirements. One of the main problems is that organisations within an industrial and/or critical infrastructure setting generally place a much higher priority on continuity of process than on data protection. So software and systems often go unpatched for extended periods, with their operators relying upon air-gaps, firewalls and sandboxing to protect from malefactors – and neglecting or deprioritising good security hygiene at an endpoint level. This not only makes them attractive targets for cybercriminals, but increases their risk of becoming collateral victims of rogue malware. However, if the organisations responsible implement the appropriate security measures at the beginning, the benefits will by far out way the costs at the end.”
And Tony Berning, senior manager at IT security product firm, OPSWAT, said: “As attacks become more sophisticated, and digital control systems increase in complexity and levels of automation, it is increasingly difficult to prevent threats from impacting the operation of critical infrastructure. As a security measure, most critical infrastructure systems are air-gapped, or isolated from external networks. Because of this, portable media is a primary vector for cyber-attack; it is often the only way to transport files to and from secure areas. As key attack vectors for malware, it is extremely important that extra attention is placed on securing the portable media devices that are brought in and out of a secure facility.
“While imperative to the protection of critical infrastructure, securing portable media devices is not easily done, and there are many requirements that can impact the portable media security policies for operators of critical infrastructure. In many cases, there is no single source for an organisation’s portable media security policy, and individual facilities may require unique security policies.
“Since SCADA systems control key functions in critical infrastructure, such as nuclear plants, successful attacks on SCADA systems could potentially cause disruptions in services that we all depend on every day. For this reason, SCADA attacks are often politically motivated and backed by foreign state actors with motives such as industrial espionage or military sabotage.
“Many SCADA and ICS (Industrial Control Systems) systems were built decades ago when cyber security was not yet an issue. To add cyber security defences to these systems is a major task, coupled with the fact that due to their critical nature, downtime for system upgrades is virtually impossible. Given these challenges, what can be done to improve the security of critical infrastructure? Here are five ways to improve SCADA security:
#1 Air-Gap Systems: Since many SCADA systems do not include cyber security controls, it is important to physically separate these systems from the Internet and corporate network. If the systems are connected to the network, strong firewalls, intrusion detection systems and other security measures must be put in place to protect against unauthorised intrusion.
#2 Avoid Default Configurations: Avoid using default configurations on network and security appliances. Factory passwords must be changed immediately and a system of strong passwords and regular password updating should be enforced.
#3 Apply USB and Portable Device Security: Since air-gapped systems are not connected to the network, often the only way to bring files in and out of the SCADA system is by using portable media such as USB drives or DVDs. As key attack vectors for air-gapped networks, it is very important to deploy a portable media security system that thoroughly scans portable devices for any threats before they are allowed to connect to the secure SCADA network.
#4 Defend Against Advanced Persistent Threats (APT): Attacks are becoming more and more sophisticated, with malware lying in wait undetected for a long period of time. It is important to fight APT’s at different levels; not only trying to prevent APT’s entering the network, but also detecting APT’s that have already gained entry. An effective way to detect APT’s is to use a multi anti-malware scanner that will scan files with multiple anti-virus engines using a combination of signatures and heuristics and will therefore be able to detect more threats. In addition, technologies such as data sanitization can prevent zero-day and targeted attacks that may be missed by anti-malware engines by converting files to different formats and removing any possible embedded threats and scripts. Devices should be continually monitored for any abnormal activity and files on the network should be continually scanned with multiple anti-virus engines; a threat that was previously not detected could be found by an updated signature database.
#5 Perform Penetration Testing: Regular penetration testing and vulnerability assessments, if possible conducted by a third party, are very helpful to get realistic input on the current security level and shed light on which areas still need additional security precautions.
The above measures, along with employee awareness training and continuous evaluation, will significantly boost the security of critical infrastructure systems.”
