s | Security Much has be en at = prote ar installations from cyber threats, Le py a, the move a in cyber secur under review. However, operators also need to take account of pote Sas well as a di attack as David Flin reports, Ithough the nuclear enerey industry a lash drive. The commercial raining at nuclear facilities is insufficient. has taken steps to improve ovber sof intemet connectivity means that In particular, there is lack of integrated security, the International Atomic some nuclear fecilites have vitual privat cyber security drills between nuclear plant Energy Agency (AEA) reports ihe secto networks and other connections that were personnel and eybor secuity personel currently has among the least experience walled by contractors and other legitimate ‘Many industrial control systems we in this fel, compared to other sectors o nd party operatars, sometimes long ag designed and built before cyber security industry. This is partly @ result of regulatory and potentially undocumented or forgotten. was an issue, and as a result, cyber security requiements, which results in digi ‘Meanwhile, hacking is easier to conduct weasures were not designed in fom the systems being adopted later than in oth and has become more widespread, Automatic beginning, Standard IT solutions, such as types of infrastructure, ad partly due to achages targoted at known and discovered patching, are difficult 1 implement at nuclear the longstanding industry focus on physics! vulnerabilities ara widely available; the sclitiee, mainly due to a concern that protection and salety, so while these advanced techniques used by mal patches could break a ayetom. in addtio: aspects of security ate very robust, there such asthe Staxnet worm are now ki supply ehain vainerabiities mean that as been less attention paid to developing and copied; and search engines can feaily equipment use at a nucle faciity risks cyber security, identify cuitica infrastructure components compromise at any stage Nuclear facitios are increasingly relant that are connected tothe inte These factors suggest thatthe industry's on eigital systems, and make inereasing risk assessment on eyber security may se of commercial “oftthe-shelr” software, Challenges for the industry underestimate the tsk which offers considerable cost savings, but Cyber securty incidents at nuctea facies are neroases vulnerability to backing, This, infrequent, which makes it difeulsto assess Known eyber security incidents at combined with a lack of executive evel the true extent ofthe risk In dalton there nuclear facilities awareness of the risks, could mean that compared with other industries, limited There have been several cyber securty nuclear plant personnel may not be fully collaboration and information sharing, which indents reported at various nuclear fa ware of thex vulnerabilty toa oyber attack, results in the nuclear industry being sow There may be others, bt some operators hero i belief that nuclat faeliti toloam from other indusrios that are max are roluctant to report incidents to avoid a are fully “air-gapped” — completely isolated advanced this field. It is also a conoorn that perceived loss of reputation. This makes it from the publc internet and this protects theres @ shortage of regulatory standards, 28 dificult to assess the extent of the problom, them from eyber atacks, This is not entely Wells ited comenunseation between cyber oul result inthe belief that there are the case. Ae gaps ean be breached in security companies and vendors. few incidents, reinforcing the view that eyber weral ways, which can be as simple as Ithas boen reported that eyber security _—_secunity i nota major isu. It also means September 2016, ‘wvrw.neimagazine.com | NUCLEAR ENGINEERING INTERNATIONAL 15Security | Cyber threats ‘cyber attack cn arc pover pais ret Ineo cenoem ore rucear nds aman a cradbo eatin th mined of to pub at age Just eucnacconare was bw subject of ho US WV otos 24 afew yours ag — and goverment eparrerés. nthe US, bth the Deparment ct emda Sect DHS) andthe Noth american Ebsirc Rolabity Commission NERC) hae conse ret, [DHS produced aroport in Octoba 2016, tod ‘Nuclear Reactors, Materia, and Waste Sector Cyerdependencies whic concudes “Noting suggests that a or attack orocutoo tush trintemet could cause amuse reactor to rmatuncton se beach etanert Tho Depxtment cur tha he indy sisting defence in depth masa wee 80 lective against joer tack. Operators vse seve lent systems to ead operating Fiematon nich would at Pave be ‘comeromised cyber ers wart to miseas opartrs on tho prt stat: doo ehutdown and ‘ontanent systems woul enn that th ely ‘ct fa jer protlam woul be ho plant ging ‘ofr, rather han suf cor mt. The OHS ‘aso feund ict sty procedures, 9 tat or ‘empl, unascoted Goness to ary pat of plant Se i usta for tr, Te DHS rar, howe, cee moe than ser bao, Asis rel makes cla art | operators cant asa hk syst are impermeable, or rat they wiemain eectve over time acanst ast ecing oor aac. NERC corcam over ojbor sunt goos back oer 15 yar, toa exaneve Norhosa goat acho n 2009. At tat bm a8 one aarong a umber ofisues tobe cessed 3s patel Ortea Frasnctue Pretcton sands (adopted n 2008, According to lnyers Hogan Lvs toe stanancsaetned ‘ite Oye ‘Acai an eto th ona o dow, marian and mpkamert eer sour poles tat ‘cover. rong ha things, rang and acces resrctoe for prsenal wih access te COA, procedures formanaging decronc and psa Seeurty permite, star scary, Rodent reparing and reponse planing and ecoery pin torenore COs flaming a Pein “Atv reson che standarss was peepee oy NEACin 2010. The ea verson was approved by the Feel Enercy Regen Commieson FERC) 1.2018 and plore staid ny 2016. Hogan Lovo saciho scope ol te row sans axe Sopiicanty brode tran the prevous vrsen, The nou version gros ass ro pact OLE, ‘gh pact lange generation, ransmision or sdecc satan conve certs, "exkum mpact tizgeer ert goreraion tines, no otage Yanemsen sce, and sar cna certs and ow irene mera ouners ee opertors ‘tsar electric generation and vansision faokee a goveraton conta cata wi 0/80 subject to the GP slacdsor th frst ne ‘Ay ontiy that owns o operat any igh oF medium mpact aces al have to undtake 2 comprebensherevew othe cera tr Bewhing [BES Cyber Syston BESis the buk decry stem. They must dean ber scury poles eavenng ojo secriy anareness. psa and dcconc socurty corel, and cyber sect ident esperse, oy must meemant Programmes for secur ataroness, oer securty ‘rang posonel isk seeosomery, ar acess rmeragorent. ong other queens citer Secu mist be assert change ra. the industry only learns slowiy from incdents thar have occurred and i low to enhance its defences, Since a oyber atack technique attempted against one faiity may well be attempted on others, this lack of disclosure is a ‘cultural issue that has to be overcome. One expert said he believed that there may have been up to $0 actual control systems cyber incidents in the nuclear industry tis not possible to verify this estimate, Dut se suggests there may be many other ‘unreported incidents Some ofthe known incidents incude: ‘= Ignalina, Litiuania 1982 A technician at Zonalina nuclear power plant intentionally introduced a virus into tho industsal contol system, He claimed that this was to highlight the cyber secunty \wulnerabilites of such plants, This ilustates the danger of the insider thea. In this case litte harm was caused but if there nad been malicious intent a serious incident could have been initiated, Air gapping does not protect against threats ofthis nature 1 Davis-Bosso, US, 2003 In January 2003, the Davis Besse muciear power plant was infected by the ‘Slammer tvorm, The worm fst infected a consultant's network, From there it infected the corporate network of First Energy Nuclear, ‘hich operates the plant. This corporate network was connected directly to a SCADA. system at Davis-Besse and the worm spread to this system where It generated ‘large amount of traffic that overwhelmed the system. The safety parameter display system was unavailable fr ve houts. Fortunately, the reactor was not operating atthe time, but the same sconatio could Dave occurred ift nad been online. A patch for the vulnerability had been released six ‘months earlier, which would have prevented the infection, but the patch had not been Installed on any of the systems. This problem arose because the vendor was permitted to access the network without protections or control. This provided a source of vulnerability enabling malware to enter the network. The problom was exacerbated by not keeping up-to-date with protections against specific, known vulnerabilities, Protecting against this threat requires attention being paid to all eloments that connect to the notwork, and ensuring proper contol ofthese systems. ‘Browns Ferry, US, 2008 In August 2006, Browns Ferry experienced a ‘malfunetion of both the reactor recirculation ‘Pumps and tho condonsate deminoralicr. 16 NUCLEAR ENGINEERING INTERNATIONAL | wiv: noimagazine com Both ofthese contain microprocessors that send and receive data over an Ethernet network, but this makes them susceptible to failure if they receive too much trafic, This {is what happenod at Browns Forry, and tho plant's Unit 3 had to be manually shutdown, Althouain this was nota cyber attack. it shows the potential impact one might have. If a hacker were to cause a recirculation pump to fall, in combination with an infection by a ‘worm like ‘Slammer’ (which could disable the sensors warning of a problem) then a serious problem would be initiated = Hatch, US, 2008 In March 2008, Hatch exparienoud a shuvdown. as an unintended consequence ofa contractor ‘update, An engineer from Southern Company, the contractor that manages the plant's tochnology operations, installed an update toa computer on the plant's business network. The computer was connected to one of the plan's industrial control system networks and the ‘update was intended to synchronise the two. ‘The synchronisation briefly eset the contre! sysvem’s data to zero. However, the plant's safety systom interpreted this as indicating thar there was insufficient water to cool the reactor core, and put tho unit into automatic sutdown fr 24 hours, ‘This demonstrates that nuclear overs and operators must be aware ofthe full ramifications of omnecting their business ‘networks to a plant's industrial control systems. In this iastance, the updat’s tunforesoon consequences didnot put the plant in danger, although it did cause a costly shutdown, Tt does, however, demonstrate bow ‘a hacker might attack an industrial control system by making a change to a plants business network. The miltary historian Liddell Hart characterised this type of attack. as th Stratogy of the Indiect Approach ‘= Natanz and Bushehr, Tran, 2010 ‘The Suamet computer worm infected both the Natanz nuclear facility and the Bushebr ‘nuclear power plant in fran, partially sestroying around 1000 centrifuges at ‘Natanz, The worm is believed to have been ‘designed by the US and Israeli governments, ‘and specifically targeted to disrupt Iran's ‘uranium enrichment programme. Neither the US or Israel have openly acknowledged any Involvement in the development ofthe virus orits intended use however. Its considered probable that the worm sproad initially when infected USB Nash drives ‘wore intioduced into these facies, which became infected despite being air gapped. Stuxnet infects computers that run the ‘Microsoft Windows operating system, taking advantage of vulnorabitios in tho ssystom that allow i to obtain system level September 2016access, The worm also makes use of falsified certificates so thatthe files it installs appoar to come from a logitimate company, thus oceiving anti-virus software ‘Stuxnet was aimed at infcung damage fn centrifuges at an enrichment plan, but its capabilities demonstrate the destructive potential of seh technologies, and i ie Delioved that other countries are developing similar offensive cyber capabilites. = Unnamed Russian nuclear powor plant, 2010 Eugene Kaspersky, founder and CEO of Kaspersky Lab, sad in 2013 that Suuxnet ‘infected a Russian nuclear powerplant in 2010, ‘but the plant has not been identified. Kaspersky said tho plant's internal neta, which was air-gapped, had been “badly infected 1 Korea Hydro and Nuclear Power ‘Company, 2014 In December 2014, hackers infiltrated and stole data from the commercial network fof Korea Hydso and Nuclear Power, which ‘oporates 23 of South Korea's nuclear reactors, ‘The hackers gained access through phishing emails sont vo employees, some ‘of whom clicked on the links causing the malware to download. The backers ‘obtained the blueprints and manuals of two reactors, as well as personal data on 10,000 employees, and radiation exposure cectimates for local residents ‘The hackers demanded money or thoy ‘would release the data. South Korea blamed [North Kovea for the attack; Worth Korea denied ‘any involvement and there the matter ended. ‘The incident does demonstrate the tise in extortion as a motivation for hackers. Responses tis evident from these examples that the potential threats come from a variety of sources: insider attack: infection fom, contractor software microprocessor failure; September 2016 ‘government sponsored cyber attack; and an "unknown method of infetion. From these, 424s cloar that the use of ar-gapping ae a protection is only successful ifthe isolation fof the network trom extemal inluences ie ‘maintained, In each of these confirmed cases, infection tok place when the air gap was breached, be it by flash drive, contractor connactons, or internal operator overside ‘The first and most robust protection ‘against cyber attacks isto maintain an air (gap protection at al times. Flash drives and unauthorised aocess can eireuravent an ait ‘gap protection, so its cxtically important to prevent such access points. Basic cyber security protocols, such as preventing the ‘use of unauthorised flash drives, can improve protection, although not guarantee security, ‘The natute of thteats can svntty evolve, and there isa proliferation of modiNcations tothe cyber attack vehicles, While the Aust ino of defence is ensuring that a potential infection does not have access in the fst place, there have to be rebust systems in place to deal with infections that have occurred. Cyber teats ean be cextromoly sophisticated at propagating and concealment once they are ina systom, and ‘hey wal typically deploy techniques to evade {is important for nuclear facilities to hate information on threats. These can bbe reluctance to disclose information of cyber attacks and potential indicators of compromise, partly due toa concern for reputational damage. However, tis fs important for everyone to have a full ‘knowledge of potential threats, ‘The changing nature of threats tis commonplace to assume a cyber attack will necessarity be directed either against the contol systems ofa nuclear facility i the objective is to cause damage or disruption, or against the nancial detalls ofthe network, i the threat is financial in nature. But those are not necessarily the only potential routes. Jan Bonnett, formar rector of Ridgawood Europe, said that it was not just cyber security that was an issue: the organisation had to be ready to deal with hybrid teats as well. hybria ‘threat is one where alow. lovel cyber attack is used to facilitate another form of attack ‘An example ofa hybrid threat might be one in which a cyber attack is used to access employee: Information orto clone an ‘onsite pass for a contractor. This Cyber threats | Security ‘would make It possible for an unauthorised prson to gain access tothe sie, giving ‘them a greater range of options, ane of ‘which might be using a fash drive to install malware that would otherwise not be able to ‘access the network Such hybeid threats, whe dificult toorganise are also dificult to protect ‘against. It is worthy of note that much of ‘the iteratute on hybrié threats focus on ‘mixture of malvare tochniques, such @ ‘combining a Trojan with a worm that is used to drop a virus, The Inerature also looks at siffrent effects malware can have, such as dostioying data, providing access, or leaking information In some cases ‘hybrid’ can be used to refer to a multiplicity of effets. However, according tothe European. Parliamentary Research Service, a hybrid ‘treat should be considered as one resulting from the convergence and interconnection of dliferent elements, which together form a ‘more complex and mulidimensional threat, ‘Based on this. the combination of cyber and physical methods of attacking the security of nuclear facilities needs a ‘vortinated response, However, there ie something of @culsural clash between nuclear plant porsonnel, who are primanly operations technology (OT) engineers, and cyber security personnel ‘who are IT engineers. They can often have conflicting priorities. One engineer who attonded an IAEA meoting said OT and IT engineers ha such diferent perspectives that communication was dflult. He sai "The OT engineers want security added toa system, without invalidating any of the previous tests. However, its often not possible to introduce secunty without ‘volving a change that would require the previous tests tobe invalidated and need to bo carried out agai, He gave the example of adaing security toa valve controller. This might introduce ‘inoompatibilites between the security and the safety system, especially ifthe plant ‘wanted to connect the valve contrlier to the notwork, to gain easier access to plant data, Consequently, one ofthe key elements in ‘eyber security is improving communication between the people in the various siemens ‘of plant operation, who have diferent priorities and attitudes. Because there have been relatively few cyber security incidents, and not all of these have been disclosed, i ie dificult to assess ‘the extent ofthe treat, and it may cause nuclear industry personnel to believe that the ‘treat isnot a high priority. In addition, there {is limited collaboration with other industries (or within the industry, so this is a field in ‘whieh the nuclear industry tends toe slow tolearn, m ‘wwv:netmagazine.com | NUCLEAR ENGINEERING INTERNATIONAL 17