Report exposes vulnerability of nuclear facilities to potential cyber attacks as the energy industry becomes more connected in the Internet of Things.
It was once the claim of those managing industrial control networks that they were immune to cyber attacks because of a so-called “air gap” between such systems and other connected devices such as office management systems, the internet and highly vulnerable computers such as those running commercial operating systems.
In reality, this easily breached air gap was always a myth, and it is even more so now. The misconception of cyber-separation goes against all the principles of the Industrial Internet of Things, a connected network of devices that is set to become so pervasive that not even the most highly secured establishments will be immune from cyber threats.
Digital system reliance
According to the “Cyber Security at Civil Nuclear Facilities: Understanding the Risks” report from the Chatham House think tank, the UK’s civil nuclear infrastructure is under increasing threat as it becomes more reliant on digital systems and commercially available software.
Written by Caroline Baylon and David Livingstone of Chatham House with the cooperation of the UK government’s regulator for security in the civil nuclear industry, Roger Brunt, the report is the culmination of an in-depth 18-month study which concluded that nuclear plant personnel may not realise the full extent of their cyber vulnerability and are thus inadequately prepared to deal with potential attacks.
Dispelling the air gap myth
According to the Chatham House report, critical infrastructure systems are not isolated from the public internet: they can be identified with search tools and are increasingly connected through VPN (Virtual Private Network) connections that have been installed, sometimes without the facility operators being aware of them.
Furthermore, weaknesses within the supply chain of equipment and components can mask connectivity and represent a vulnerability.
Commenting on the air gap myth, Tim Erlin, Director of Security and Product Management at advanced cyber threat detection company Tripwire, is most concerned that while these facilities believe they’re disconnected from the Internet, they are not.
“If your first defence is a virtual moat but you’ve been building bridges around the castle, there’s a serious problem to address,” he told us.
Using the supply chain to compromise systems is something that has been in the headlines in other industries recently and has been shown to be a technique used by attackers to take advantage of the weakest point.
“In the connected economy, every organisation both has a supply chain and is part of a supply chain,” Tim Erlin continued.
The dawn of cyber-realisation
Users of SCADA systems and Industrial Control Systems still have some catching up to do in terms of establishing mature protection measures against cyber threats. The luxury of isolation has long gone and the vulnerabilities of non-industrial computer networks have now caught up with industrial systems.
Researchers at Chatham House noticed this trend and reported that nuclear plant personnel often lack an understanding of key cyber security procedures and that the UK’s nuclear plants and associated infrastructure were not well protected or prepared because the industry had converted to digital systems relatively recently.
Commenting on the need for a shift in thinking in industrial environments, Kaspersky Lab’s Managing Director, Kirill Slavin, told us, “This highlights the fact that too often security is brought in as an afterthought. Systems can and should be designed to meet not just today’s, but tomorrow’s security needs and requirements. One of the main problems is that organisations within an industrial and/or critical infrastructure setting generally place a much higher priority on continuity of process than on data protection. So software and systems often go unpatched for extended periods, with their operators relying upon air-gaps, firewalls and sandboxing to protect from malefactors – and neglecting or deprioritising good security hygiene at an endpoint level. This not only makes them attractive targets for cybercriminals, but increases their risk of becoming collateral victims of rogue malware. However, if the organisations responsible implement the appropriate security measures at the beginning, the benefits will by far outweigh the costs at the end.”
The report on the nuclear industry represents a sub-set of what is widely seen as a problem that could compromise a number of critical infrastructure objects.
According to Ross Brewer, vice president and managing director for international markets at LogRhythm, whilst the report focuses on the vulnerabilities within the UK’s nuclear facilities, the same issues affect all of the country’s critical national infrastructure.
“Attacks on SCADA systems have become more prevalent in recent years as hackers realise the ease of exploiting them – in fact, some of the most infamous cyber-attacks in recent memory have affected SCADA systems, such as the Stuxnet and Flame viruses. Clearly, if flaws in nuclear infrastructure are exploited then there will be major repercussions and it is imperative that any gaps are closed as quickly and efficiently as possible,” said Ross.
What are the next steps?
The Chatham House report makes a number of recommendations on securing nuclear facilities against cyber attacks, many of which are associated with procedural measures rather than specific technology approaches. Such measures include:
1 – The development of guidelines for measuring the level of cyber security risk
2 – Raising cyber risk awareness amongst employees and contractors within the industry
3 – Adopting policies and rules of engagement as well as implementing regulatory standards.
However, reaction from the security industry is understandably more technology oriented, with software supplier OPSWAT recommending the avoidance of default configurations, the performance of penetration testing and defence against sophisticated Advanced Persistent Threats.
OPSWAT also commented on the frequent use of portable media and its significance in breaching perceived air-gaps. Tony Berning of OPSWAT told us, “Often the best way to bring files in and out of SCADA networks is by using portable media such as USB drives or DVDs. As key attack vectors for what are thought to be air-gapped networks, it is very important to deploy a portable media security system that thoroughly scans portable devices for any threats before they are allowed to connect to the secure SCADA network.”
LogRhythm’s Ross Brewer believes early identification is key to high security, arguing that without continuous monitoring and early identification, it’s easy for an attack to occur without being noticed.
“An intelligent approach to security ensures that all systems are continuously monitored so any type of compromise can be identified and dealt with as soon as it arises. No longer can it be presumed that with the right tools in place systems are secure, instead the opposite must be thought of as the status quo – unless you know you’ve been breached, you’re not safe,” he told us.
“Anyone underestimating the importance of continuous monitoring will ultimately be proved wrong and, particularly in the case of nuclear infrastructure, by the time they learn that lesson, it will be too late,” Ross Brewer concluded.