Cyber threats | Security

Much has been [...] protect nuclear installations from cyber threats, [...] cyber security under review. However, operators also need to take account of potential [...] as well as a direct attack, as David Flin reports.

Although the nuclear energy industry has taken steps to improve cyber security, the International Atomic Energy Agency (IAEA) reports the sector currently has among the least experience in this field, compared to other sectors of industry. This is partly a result of regulatory requirements, which results in digital systems being adopted later than in other types of infrastructure, and partly due to the longstanding industry focus on physical protection and safety, so while these aspects of security are very robust, there has been less attention paid to developing cyber security.

Nuclear facilities are increasingly reliant on digital systems, and make increasing use of commercial "off-the-shelf" software, which offers considerable cost savings, but increases vulnerability to hacking. This, combined with a lack of executive level awareness of the risks, could mean that nuclear plant personnel may not be fully aware of their vulnerability to a cyber attack.

There is a belief that nuclear facilities are fully "air-gapped" — completely isolated from the public internet and this protects them from cyber attacks. This is not entirely the case. Air gaps can be breached in several ways, which can be as simple as a flash drive. The commercial benefits of internet connectivity means that some nuclear facilities have virtual private networks and other connections that were installed by contractors and other legitimate third party operators, sometimes long ago and potentially undocumented or forgotten.

Meanwhile, hacking is easier to conduct and has become more widespread. Automatic packages targeted at known and discovered vulnerabilities are widely available; the advanced techniques used by malware such as the Stuxnet worm are now known and copied; and search engines can readily identify critical infrastructure components that are connected to the internet.

Challenges for the industry

Cyber security incidents at nuclear facilities are infrequent, which makes it difficult to assess the true extent of the risk. In addition there is, compared with other industries, limited collaboration and information sharing, which results in the nuclear industry being slow to learn from other industries that are more advanced in this field. It is also a concern that there is a shortage of regulatory standards, as well as limited communication between cyber security companies and vendors.

It has been reported that cyber security training at nuclear facilities is insufficient. In particular, there is lack of integrated cyber security drills between nuclear plant personnel and cyber security personnel.

Many industrial control systems were designed and built before cyber security was an issue, and as a result, cyber security measures were not designed in from the beginning. Standard IT solutions, such as patching, are difficult to implement at nuclear facilities, mainly due to a concern that patches could break a system. In addition, supply chain vulnerabilities mean that equipment used at a nuclear facility risks compromise at any stage.

These factors suggest that the industry's risk assessment on cyber security may underestimate the risk.

Known cyber security incidents at nuclear facilities

There have been several cyber security incidents reported at various nuclear facilities. There may be others, but some operators are reluctant to report incidents to avoid a perceived loss of reputation. This makes it difficult to assess the extent of the problem, and could result in the belief that there are few incidents, reinforcing the view that cyber security is not a major issue. It also means
September 2016 | www.neimagazine.com | NUCLEAR ENGINEERING INTERNATIONAL

A cyber attack on nuclear power plants [...] concern for the nuclear industry [...] in the minds of the public [...]. Just such a scenario was the subject of the US TV series 24 a few years ago — and government departments. In the US, both the Department of Homeland Security (DHS) and the North American Electric Reliability Commission (NERC) have considered the threat.

DHS produced a report in October 2016, titled 'Nuclear Reactors, Materials, and Waste Sector Cyberdependencies', which concludes: "Nothing suggests that a cyber attack executed through the internet could cause a nuclear reactor to malfunction or breach containment."

The Department concurs that the industry's existing defence in depth measures were also effective against cyber attack. Operators use several [...] systems to read operating information, which would all have to be compromised if cyber attackers want to mislead operators on the plant state; [...] shutdown and containment systems would mean that the likely effect of a cyber problem would be the plant going offline, rather than suffering core melt. The DHS also found strict [...] procedures, so that, for example, unescorted access to any part of plant [...].

The DHS report, however, [...]. As its report makes clear, [...] operators cannot assume that their systems are impermeable, or that they will remain effective over time against fast evolving cyber attack.

NERC concern over cyber security goes back over 15 years, to an extensive Northeast [...] in 2009. At that time it was one among a number of issues to be addressed as part of Critical Infrastructure Protection standards (adopted in 2008). According to lawyers Hogan Lovells the standards defined 'Critical Cyber Assets' [...] to develop, maintain and implement cyber security policies that cover, among other things, training and access restrictions for personnel with access to CCAs, procedures for managing electronic and physical security perimeters, system security, incident reporting and response planning and recovery plans to restore CCAs following an incident.

A [...] revision of the standards was prepared by NERC in 2010. The [...] version was approved by the Federal Energy Regulatory Commission (FERC) in 2018 and [...] 2016.

Hogan Lovells said the scope of the new standards is significantly broader than the previous version. The new version groups assets into [...]: high impact (large generation, transmission or [...] control centres), medium impact ([...] generation [...], high voltage transmission [...], and smaller control centres) and low impact [...]. Owners and operators of [...] electric generation and transmission facilities and generation control centres will [...] be subject to the CIP standards for the first time.

Any entity that owns or operates any high or medium impact facilities will have to undertake a comprehensive review of the [...] BES Cyber Systems (BES is the bulk electricity system). They must develop cyber security policies covering cyber security awareness, physical and electronic security controls, and cyber security incident response. They must implement programmes for security awareness, cyber security training, personnel risk assessment, and access management. Among other requirements, cyber security must be [...].

the industry only learns slowly from incidents that have occurred and is slow to enhance its defences. Since a cyber attack technique attempted against one facility may well be attempted on others, this lack of disclosure is a cultural issue that has to be overcome.

One expert said he believed that there may have been up to 50 actual control systems cyber incidents in the nuclear industry. It is not possible to verify this estimate, but it suggests there may be many other unreported incidents.

Some of the known incidents include:

■ Ignalina, Lithuania, 1982
A technician at Ignalina nuclear power plant intentionally introduced a virus into the industrial control system. He claimed that this was to highlight the cyber security vulnerabilities of such plants.

This illustrates the danger of the insider threat. In this case little harm was caused, but if there had been malicious intent a serious incident could have been initiated. Air gapping does not protect against threats of this nature.

■ Davis-Besse, US, 2003
In January 2003, the Davis-Besse nuclear power plant was infected by the 'Slammer' worm. The worm first infected a consultant's network. From there it infected the corporate network of First Energy Nuclear, which operates the plant. This corporate network was connected directly to a SCADA system at Davis-Besse and the worm spread to this system, where it generated a large amount of traffic that overwhelmed the system. The safety parameter display system was unavailable for five hours. Fortunately, the reactor was not operating at the time, but the same scenario could have occurred if it had been online. A patch for the vulnerability had been released six months earlier, which would have prevented the infection, but the patch had not been installed on any of the systems.

This problem arose because the vendor was permitted to access the network without protections or control. This provided a source of vulnerability enabling malware to enter the network. The problem was exacerbated by not keeping up-to-date with protections against specific, known vulnerabilities. Protecting against this threat requires attention being paid to all elements that connect to the network, and ensuring proper control of these systems.

■ Browns Ferry, US, 2006
In August 2006, Browns Ferry experienced a malfunction of both the reactor recirculation pumps and the condensate demineraliser. Both of these contain microprocessors that send and receive data over an Ethernet network, but this makes them susceptible to failure if they receive too much traffic. This is what happened at Browns Ferry, and the plant's Unit 3 had to be manually shut down.

Although this was not a cyber attack, it shows the potential impact one might have. If a hacker were to cause a recirculation pump to fail, in combination with an infection by a worm like 'Slammer' (which could disable the sensors warning of a problem), then a serious problem would be initiated.

■ Hatch, US, 2008
In March 2008, Hatch experienced a shutdown as an unintended consequence of a contractor update. An engineer from Southern Company, the contractor that manages the plant's technology operations, installed an update to a computer on the plant's business network. The computer was connected to one of the plant's industrial control system networks and the update was intended to synchronise the two. The synchronisation briefly reset the control system's data to zero. However, the plant's safety system interpreted this as indicating that there was insufficient water to cool the reactor core, and put the unit into automatic shutdown for 24 hours.

This demonstrates that nuclear owners and operators must be aware of the full ramifications of connecting their business networks to a plant's industrial control systems. In this instance, the update's unforeseen consequences did not put the plant in danger, although it did cause a costly shutdown. It does, however, demonstrate how a hacker might attack an industrial control system by making a change to a plant's business network. The military historian Liddell Hart characterised this type of attack as the Strategy of the Indirect Approach.

■ Natanz and Bushehr, Iran, 2010
The Stuxnet computer worm infected both the Natanz nuclear facility and the Bushehr nuclear power plant in Iran, partially destroying around 1000 centrifuges at Natanz. The worm is believed to have been designed by the US and Israeli governments, and specifically targeted to disrupt Iran's uranium enrichment programme. Neither the US nor Israel has openly acknowledged any involvement in the development of the virus or its intended use, however.

It is considered probable that the worm spread initially when infected USB flash drives were introduced into these facilities, which became infected despite being air gapped.

Stuxnet infects computers that run the Microsoft Windows operating system, taking advantage of vulnerabilities in the system that allow it to obtain system level access. The worm also makes use of falsified certificates so that the files it installs appear to come from a legitimate company, thus deceiving anti-virus software.

Stuxnet was aimed at inflicting damage on centrifuges at an enrichment plant, but its capabilities demonstrate the destructive potential of such technologies, and it is believed that other countries are developing similar offensive cyber capabilities.

■ Unnamed Russian nuclear power plant, 2010
Eugene Kaspersky, founder and CEO of Kaspersky Lab, said in 2013 that Stuxnet infected a Russian nuclear power plant in 2010, but the plant has not been identified. Kaspersky said the plant's internal network, which was air-gapped, had been "badly infected".

■ Korea Hydro and Nuclear Power Company, 2014
In December 2014, hackers infiltrated and stole data from the commercial network of Korea Hydro and Nuclear Power, which operates 23 of South Korea's nuclear reactors. The hackers gained access through phishing emails sent to employees, some of whom clicked on the links, causing the malware to download. The hackers obtained the blueprints and manuals of two reactors, as well as personal data on 10,000 employees, and radiation exposure estimates for local residents.

The hackers demanded money or they would release the data. South Korea blamed North Korea for the attack; North Korea denied any involvement and there the matter ended. The incident does demonstrate the rise in extortion as a motivation for hackers.

Responses

It is evident from these examples that the potential threats come from a variety of sources: insider attack; infection from contractor software; microprocessor failure; government sponsored cyber attack; and an unknown method of infection. From these, it is clear that the use of air-gapping as a protection is only successful if the isolation of the network from external influences is maintained. In each of these confirmed cases, infection took place when the air gap was breached, be it by flash drive, contractor connections, or internal operator oversight.

The first and most robust protection against cyber attacks is to maintain an air gap protection at all times. Flash drives and unauthorised access can circumvent an air gap protection, so it is critically important to prevent such access points. Basic cyber security protocols, such as preventing the use of unauthorised flash drives, can improve protection, although not guarantee security.

The nature of threats can swiftly evolve, and there is a proliferation of modifications to the cyber attack vehicles. While the first line of defence is ensuring that a potential infection does not have access in the first place, there have to be robust systems in place to deal with infections that have occurred. Cyber threats can be extremely sophisticated at propagating and concealment once they are in a system, and they will typically deploy techniques to evade

It is important for nuclear facilities to share information on threats. There can be reluctance to disclose information of cyber attacks and potential indicators of compromise, partly due to a concern for reputational damage. However, it is important for everyone to have a full knowledge of potential threats.

The changing nature of threats

It is commonplace to assume a cyber attack will necessarily be directed either against the control systems of a nuclear facility, if the objective is to cause damage or disruption, or against the financial details of the network, if the threat is financial in nature.

But those are not necessarily the only potential routes. Jan Bonnett, former director of Ridgawood Europe, said that it was not just cyber security that was an issue: the organisation had to be ready to deal with hybrid threats as well. A hybrid threat is one where a low-level cyber attack is used to facilitate another form of attack.

An example of a hybrid threat might be one in which a cyber attack is used to access employee information or to clone an onsite pass for a contractor. This would make it possible for an unauthorised person to gain access to the site, giving them a greater range of options, one of which might be using a flash drive to install malware that would otherwise not be able to access the network.

Such hybrid threats, while difficult to organise, are also difficult to protect against. It is worthy of note that much of the literature on hybrid threats focuses on a mixture of malware techniques, such as combining a Trojan with a worm that is used to drop a virus. The literature also looks at different effects malware can have, such as destroying data, providing access, or leaking information. In some cases 'hybrid' can be used to refer to a multiplicity of effects.

However, according to the European Parliamentary Research Service, a hybrid threat should be considered as one resulting from the convergence and interconnection of different elements, which together form a more complex and multidimensional threat.

Based on this, the combination of cyber and physical methods of attacking the security of nuclear facilities needs a coordinated response.

However, there is something of a cultural clash between nuclear plant personnel, who are primarily operations technology (OT) engineers, and cyber security personnel, who are IT engineers. They can often have conflicting priorities. One engineer who attended an IAEA meeting said OT and IT engineers had such different perspectives that communication was difficult. He said: "The OT engineers want security added to a system, without invalidating any of the previous tests. However, it is often not possible to introduce security without involving a change that would require the previous tests to be invalidated and need to be carried out again."

He gave the example of adding security to a valve controller. This might introduce incompatibilities between the security and the safety system, especially if the plant wanted to connect the valve controller to the network, to gain easier access to plant data.

Consequently, one of the key elements in cyber security is improving communication between the people in the various elements of plant operation, who have different priorities and attitudes.

Because there have been relatively few cyber security incidents, and not all of these have been disclosed, it is difficult to assess the extent of the threat, and it may cause nuclear industry personnel to believe that the threat is not a high priority. In addition, there is limited collaboration with other industries (or within the industry), so this is a field in which the nuclear industry tends to be slow to learn.