Cyberattacks on Nuclear Power Plants Highlight Vulnerabilities, Risk
Recent intrusions raise critical questions, illustrate need for enhanced solutions
Recent news reports indicate that U.S. nuclear power plants have been subject to cyber intrusion, allegedly by Russian hackers. The breaches were reported to originate through spear-phishing, a hacking method that uses legitimate-looking emails to seek unauthorized access to sensitive information. In this case, fake resumes were sent to plant engineers, who then opened attached resumes and unwittingly delivered malware to their devices.
Such intrusions can be devastating to a utility, especially if individual computers across a business network are connected to the overarching industrial control systems (ICS) network. Because the ICS encompasses several different control systems—including supervisory control and data acquisition (SCADA) systems and other smaller control system configurations—intrusions can be calamitous as hackers can gain access to a system’s lifeline.
The nuclear plant hack did not gain such access. But it raises a critical question: Can hackers pivot and migrate malicious code and controls from the business network to the ICS network, thereby wreaking havoc? In our experience, even segmented networks with seemingly protective measures could have unknown vulnerabilities.
Today’s Security at Risk
One vulnerability is tied to the common use of virtual private networks (VPN), which allow employees to work remotely. Improperly configured VPNs often lack proper network segmentation, protective measures and security controls. When a business network is compromised, hackers can “jump the fence” into the ICS network as part of an activity called “pivoting.”
Pivoting typically does not happen immediately. It is an insidious, carefully orchestrated process. Hackers often maintain a network presence for weeks or months, carrying out research, monitoring and reconnaissance activities while waiting for the right opportunity to attack.
Many believe that “air-gapped” networks—networks that rely on autonomy from the business network, without WiFi or other connections to the internet—are inherently secure. But while this autonomy is an important security layer, it does not always fully protect the network.
Much of the equipment in nuclear and other power plants is highly durable and redundant, with long life expectancies. Most components were designed before cyber security was a major consideration.
Therefore, these devices must be properly updated with software and firmware, much like our computers at home and work. To complete the updates, USB or other devices are connected to the air-gapped equipment, which essentially breaks the “gap.” Controls must be in place to protect the network from malware or viruses that may be harbored on the devices breaking the gap.
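One concrete control for the removable-media step described above is to audit the media against an allowlist before anything crosses the gap. The following is an added example, not Black & Veatch's framework or code from this page: it assumes a hypothetical workflow in which the vendor's update bundle ships with a manifest of expected filenames and SHA-256 digests obtained out-of-band, and it treats any file that is unlisted, altered, or absent as a reason to block the transfer. The sample files and manifest are constructed inline so the script runs offline.

```python
"""Audit a removable-media staging directory against an allowlist manifest.

Added example (not the page's or vendor's code). Assumes a hypothetical
process: the manifest (filename -> SHA-256) came from the vendor over a
separate channel, and `mount` is the directory where the USB media is
mounted. Files that are unlisted, modified, or missing block the transfer.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large firmware images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_media(mount: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify every file under `mount` as approved, modified, or unexpected,
    and list manifest entries that are missing from the media."""
    report: dict[str, list[str]] = {
        "approved": [], "modified": [], "unexpected": [], "missing": []
    }
    seen = set()
    for path in sorted(p for p in mount.rglob("*") if p.is_file()):
        rel = path.relative_to(mount).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unexpected"].append(rel)      # stowaway file, not in manifest
        elif sha256_of(path) != expected:
            report["modified"].append(rel)        # listed, but contents differ
        else:
            report["approved"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def media_is_clean(report: dict[str, list[str]]) -> bool:
    """Only an exact match of the manifest is allowed across the gap."""
    return not (report["modified"] or report["unexpected"] or report["missing"])


def build_demo(mount: Path) -> dict[str, str]:
    """Constructed sample data: one good image, one tampered patch, one
    unlisted file, and one manifest entry that never made it onto the media."""
    (mount / "plc_fw_v2.bin").write_bytes(b"FIRMWARE-IMAGE-V2")
    (mount / "hmi_patch.zip").write_bytes(b"PATCH-TAMPERED")
    (mount / "unlisted_tool.exe").write_bytes(b"NOT-PART-OF-THE-BUNDLE")
    return {
        "plc_fw_v2.bin": hashlib.sha256(b"FIRMWARE-IMAGE-V2").hexdigest(),
        "hmi_patch.zip": hashlib.sha256(b"PATCH-ORIGINAL").hexdigest(),
        "release_notes.txt": hashlib.sha256(b"notes").hexdigest(),
    }


def run_demo() -> dict[str, list[str]]:
    """Stage the constructed media in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        mount = Path(tmp)
        manifest = build_demo(mount)
        return audit_media(mount, manifest)


if __name__ == "__main__":
    result = run_demo()
    for category, files in result.items():
        print(f"{category}: {files}")
    print("CLEAN - transfer allowed" if media_is_clean(result) else "BLOCKED")
```

In practice the manifest check would sit on a dedicated scanning station between the business side and the OT side, and a blocked result would be logged and reviewed rather than overridden at the console.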
Black & Veatch has a long history of utility support for network, IT and OT security, resilience and risk management. We recognize that critical infrastructure development requires critical infrastructure protection. That’s why we offer our clients a Security Risk Framework. Clients that implement the comprehensive Security Risk Framework reduce their vulnerabilities, maximize budget effectiveness, minimize the consequences of a breach, and enhance response and recovery. The framework provides for continuous improvement, enabling clients to meet and maintain compliance with evolving regulatory requirements (e.g., NERC-CIP, NIST, AWWA and TSA).
Contact us to learn more about what we can do for you.