Thursday, February 18, 2016

Reports highlight cybersecurity risks at nuclear facilities around the world

Recent reports from the Nuclear Threat Initiative and Chatham House both find that nuclear facilities in many countries are “easy targets for cyberattacks.” Among the problems cited in the reports are a significant nuclear presence, few government regulations, and inadequate or corrupt oversight of nuclear facilities.

The reports highlight important issues, but are disappointing in that they provide little insight into the raw data used to draw their conclusions. Both reports say that regulations exist in some jurisdictions and not in others, and that cybersecurity elements appear in the regulations of some jurisdictions but not others, yet neither provides sources. References to the regulations the authors examined would let everyone interested in a deeper understanding find and study those regulations for themselves.

The reports do highlight an important fact – for all the talk of cybersecurity vulnerabilities, many of the older reactors in the world are still controlled with analog controls, and those controls are immune to digital cybersabotage/compromise attempts. Newer reactors, though, use digital controls and so are of greater concern. And even reactors with analog controls for the reactor core may use digital controls for other aspects of the plant, such as controls for cooling equipment. It was, after all, cooling equipment that was damaged in the Fukushima tsunami, and whose failure ultimately resulted in explosions and the release of large amounts of radioactive materials.

Cyberattack tools, like any other software, continue to evolve and develop more features. As a result, cybersecurity attacks only become more sophisticated over time. What is today’s “advanced attack” is tomorrow’s script-kiddie tool. Nuclear generators should be leading the way for both physical and cybersecurity for industrial control systems. All industrial sites should be looking to the attacks of concern to nuclear generators and the defensive systems being deployed to deflect such attacks. What is of concern today to only nuclear sites will be every ICS site’s problem in only a handful of years.

Physical security and cybersecurity at nuclear sites are difficult problems. At Waterfall Security Solutions, we are proud to be part of the cybersecurity solution at nuclear generators throughout the USA, as well as in Japan, South Korea and Spain. Waterfall’s Unidirectional Security Gateways block 100 percent of network attacks originating on external networks at nuclear generators in these and other jurisdictions.


For more information on best practices for securing critical infrastructure, visit our Resources page.

Tuesday, February 16, 2016

January news roundup: Ukraine power grid cyberattack illuminates risk to critical infrastructure

It’s no surprise the cyberattack on Ukraine’s power grid dominated industrial control system (ICS) cybersecurity news in January. Following the news of the power outages and the subsequent discovery of malware and other signs of a purposeful network intrusion, cybersecurity experts, DHS and others have revealed alarming instances of cyberattacks, increasing vulnerabilities and a lack of adequate cyberdefenses at industrial and nuclear sites, dams and other critical infrastructure. Perhaps the Ukraine attack is the wake-up call the industry needs to escalate its investment in cybersecurity protections, such as Unidirectional Security Gateways. In the meantime, learn more in our roundup of these stories below.

With all security eyes on Ukraine’s Prykarpattyaoblenergo utility, SANS ICS concluded hackers likely caused the outage by remotely switching breakers, after installing malware that prevented technicians from detecting the intrusion. The key takeaway is that malware may have enabled the attack, but it was the hackers’ remote access to critical operational networks that resulted in the outage.

While presenting at the S4x16 conference in Miami, Marty Edwards, head of the DHS ICS-CERT, cited increased Internet connectivity and associated vulnerabilities as the main reason behind the rise in cyberattacks on ICS networks. Others aren’t convinced, believing the recent Ukraine power grid attack has prompted authorities to look for signs of intrusion that may not necessarily be intentionally harmful events. From our perspective, any external intrusion – or even attempted intrusion – of ICSs is potentially harmful and should be taken seriously. Further, there is no doubt whatsoever that connecting critical infrastructure directly to the Internet or indirectly to Internet-accessible networks creates significant vulnerabilities.

According to a distressing report by the Nuclear Threat Initiative, 20 nations have no apparent government regulations requiring minimal protection of nuclear power plants or atomic stockpiles against cyberattacks. The U.S. and many other countries have adopted strong security postures including physical security measures, removable device controls, and Unidirectional Security Gateways. This is standard practice in many jurisdictions and is something that should become standard worldwide for nuclear facilities.

In this article, industry experts Paul Feldman, director of Midcontinent ISO, and Dan Hill, board member for the New York ISO, explore the new threats to our power systems. They point out that cybercriminal sophistication has outpaced the resulting regulations and urge the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) to establish industry regulations that reflect the current threat landscape. Hill and Feldman point out that adequate, modern ICS security is very different from doing the minimum to be in compliance, and recommend the use of unidirectional security gateways to eliminate the threat of remote-control and other network attacks from business networks and from the Internet.

Rob Joyce, chief of the NSA’s Tailored Access Operations unit, shook up the SCADA security community when he stated, “SCADA security is something that keeps me up at night.” Referring to the thousands of ICSs, such as power plants and other critical infrastructure, that are connected to the Internet without proper protections in place, Joyce singled out heating and cooling systems as examples that nation-state hackers can use to infiltrate control systems. He knows this to be true since these same systems are used as points of ingress by his own team. As alarming as this seems, it’s the reality we face as more and more industrial control systems are connected to the Internet.

To learn more about the risks facing industrial control security networks, visit our resources page.

Thursday, January 28, 2016

DHS report recommends unidirectional communications for ICS protection

Three of the seven strategies in the December 2015 report from the DHS NCCIC/ICS-CERT, “Seven Strategies To Secure Industrial Control Systems,” recommend unidirectional gateways for maximum protection from cyberattacks.

The report points to an increase in the frequency and complexity of cyber incidents. ICS-CERT received reports of 295 incidents in 2015, although it is believed that many more went unreported or undetected. These attacks are perpetrated by increasingly capable cyber adversaries who can, and have, defeated traditional IT-centric security protections.

To mitigate this growing threat, the DHS encourages us to deploy technology to prevent these increasingly sophisticated attacks.

Seven Strategies to Defend ICSs

  1. Implement Application Whitelisting (AWL) – When antivirus and malware detection tools fail, AWL can prevent execution of most malware.
  2. Ensure proper configuration/patch management – Unpatched systems are low-hanging fruit for attackers. What the report does not point out is that patching is costly, and does little to deter sophisticated attackers, because of the large number of ICS zero-days waiting to be discovered. The report does point out that unpatched laptops connecting to ICS networks are a major infection vector. I agree with this latter point – any laptop or other equipment that is ever connected directly or indirectly to the Internet must be regarded as eventually compromised.
  3. Reduce your attack surface – The report points out that real-time connectivity between ICS networks and less-trusted networks is best achieved using hardware-enforced unidirectional communication, such as Unidirectional Security Gateways.
  4. Build a defendable network – Network segmentation can limit the damage from an intrusion and reduce cleanup costs by limiting how far the compromise can spread through the ICS network. Again, the report points out that the best design for transferring real-time data is unidirectional gateways.
  5. Manage authentication – Adversaries increasingly focus on stolen credentials, especially for highly privileged accounts. Among other things, the report recommends employing separate credentials for corporate networks and industrial control system networks. I disagree. I think the report would have been more effective recommending much stronger perimeter protections to lock remote adversaries out entirely, even those with every password to every ICS computer in the building.
  6. Implement secure remote access – The report recommends surveying and systematically removing vendors’ and other back doors that appear in the form of modems, DSL lines and other undisciplined connections to outside networks. The report also recommends unidirectional gateways to enforce “monitoring-only” access, such as Waterfall’s Remote Screen View product provides. The DHS cautions against reliance on “read-only” access enforced by software configurations; no such software provisions can be as safe or reliable as the hardware-enforced monitoring-only access of Unidirectional Security Gateways.
  7. Monitor and respond – As always, the DHS recommends practiced intrusion monitoring, incident response, and system recovery capabilities.
The DHS cites the much-publicized and analyzed “Black Energy” malware as an example relating to direct or indirect Internet connectivity. Black Energy relies on a connection to a command and control center on the Internet. The malware uses this connection to receive instructions, download additional software – such as the “DiskWiper” cited in the Ukrainian intrusions – and report intelligence gathered about the layout of the ICS for use in future, more specific attacks.

The example could have been applied much more widely in the report. In particular, with Unidirectional Security Gateways as the sole connection between an ICS network and any external network, Black Energy’s connection to a command and control center is impossible. The gateways send information where they are configured to send it, not to random IP addresses on the Internet, or on the corporate network. In addition, the gateways, of course, permit no software downloads, remote control, or other instructions from a command and control center back into the protected network.
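The two points above, that a unidirectional gateway only sends data to the destinations it is configured for (strategies 3 and 4 in the list) and that Black Energy cannot function without an outbound connection to a command and control center, can be turned into a monitoring check. The following script is an added example, not code from the DHS report or from Waterfall; it audits constructed firewall log lines for an ICS segment against the same policy a hardware-enforced gateway would impose. The address ranges, the configured replication flow and the log format are all assumptions made for the example.

```python
"""Egress and ingress audit for an ICS network segment.

Added example (not from the DHS report or Waterfall's products). It applies the
policy a unidirectional gateway enforces in hardware as a detection rule over
flow logs: the ICS segment may only send to explicitly configured destinations,
and nothing outside may open a connection into it. Any other flow is reported.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed address plan, constructed for this example.
ICS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
CORPORATE_SEGMENT = ipaddress.ip_network("192.168.50.0/24")

# The only flow the gateway is configured to replicate outward: (src, dst, dport).
# Constructed: a plant historian replicating to a corporate-side replica.
CONFIGURED_EGRESS = {("10.20.1.10", "192.168.50.5", 1433)}

# Constructed log lines in an assumed "ts src=... dst=... dport=..." format.
SAMPLE_LOG = """\
2016-01-21T10:00:01 src=10.20.1.10 dst=192.168.50.5 dport=1433
2016-01-21T10:00:05 src=10.20.1.10 dst=192.168.50.5 dport=1433
2016-01-21T10:01:12 src=10.20.3.44 dst=198.51.100.23 dport=443
2016-01-21T10:02:40 src=192.168.50.77 dst=10.20.1.10 dport=3389
2016-01-21T10:02:55 src=10.20.2.15 dst=192.168.50.20 dport=445
2016-01-21T10:03:03 src=10.20.3.44 dst=203.0.113.9 dport=80
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    kind: str   # "inbound-to-ics", "egress-not-configured" or "egress-external"
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Split one log line into (ts, src, dst, dport)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["src"], kv["dst"], int(kv["dport"])


def classify(ts, src, dst, dport):
    """Return a Finding for a flow the gateway policy would not permit, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in ICS_SEGMENT and s not in ICS_SEGMENT:
        # Nothing may initiate into the ICS segment, whatever the port.
        return Finding(ts, "inbound-to-ics", src, dst, dport)
    if s in ICS_SEGMENT and d not in ICS_SEGMENT:
        if (src, dst, dport) in CONFIGURED_EGRESS:
            return None  # the replication flow the gateway is built to carry
        # A destination outside both segments is treated as the Internet.
        kind = "egress-not-configured" if d in CORPORATE_SEGMENT else "egress-external"
        return Finding(ts, kind, src, dst, dport)
    return None  # purely internal to one side; out of scope for this check


def audit(log_text):
    """Run the policy over every non-empty log line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify(*parse_line(line))
            if finding is not None:
                findings.append(finding)
    return findings


def beacon_sources(findings, threshold=2):
    """ICS hosts with repeated external egress: candidates for C2 beaconing."""
    counts = Counter(f.src for f in findings if f.kind == "egress-external")
    return {src for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.kind:22} {f.src} -> {f.dst}:{f.dport}")
    print("possible beaconing hosts:", sorted(beacon_sources(results)))
```

On the constructed log, the two historian replication flows pass, while the RDP connection from the corporate side into the ICS host, the unconfigured SMB flow to the corporate network, and both connections from 10.20.3.44 to addresses outside the plant are reported, with 10.20.3.44 surfacing as a beaconing candidate. With a unidirectional gateway in place the last three categories cannot occur at all; a finding in such an environment indicates a bypass path, such as the undisciplined modems and DSL lines strategy 6 tells operators to hunt down.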

The report is short, and is very much worth reading.


To learn more about unidirectional security gateway technology and how it works to protect ICS networks, visit www.waterfall-security.com.

Friday, January 22, 2016

Electric sector security leaders Paul Feldman and Dan Hill recommend unidirectional gateways

Paul Feldman, director of Midcontinent ISO, and Dan Hill, board member for the New York ISO, recently published “Cybersecurity: IT vs. OT, and the Pursuit of Best Practices” in the January 2016 edition of Electricity Policy. The article reviews the state of control system security in the power grid and makes recommendations to improve security. A central recommendation in the article is that “it’s time for transmission and distribution companies to install unidirectional gateways between their SCADA/OT networks and their business networks.” At Waterfall Security, we are steadfast in maintaining that increased use of unidirectional security gateways will measurably improve the security and the reliability of the Bulk Electric System. It is rewarding to see these experts agree.

In their article, Hill and Feldman review ongoing efforts by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) to have industry regulations reflect the current threat landscape. The authors point out that cybercriminal sophistication has outpaced the resulting regulations, and observe that:

“(A) special methodology to bridge IT and OT/ICS systems is now required in all nuclear plants,” the two authors wrote. “That methodology employs a hardware-based unidirectional gateway … to move data from the OT/ICS network to the IT/business network on a real-time basis.”

The article goes on to explain that using a unidirectional security gateway eliminates the threat of network attacks moving from an IT network into an industrial control system (ICS) network.

“Firewalls are also becoming more sophisticated and more complicated to manage,” the authors write. They continue, pointing out that “It’s an arms race between the firewall providers and attackers. Separate from the arms race, but related to whether the good guys or the bad guys can develop sophisticated software faster, there is also the bug issue. Firewalls are enabled by software, and software often contains bugs.” Firewalls are simply not adequate to deflect modern attacks on industrial control systems.


Hill and Feldman point out that adequate, modern ICS security is very different from doing the minimum to avoid a fine. Unidirectional security gateways eliminate the threat of remote-control and other network attacks from business networks and from the Internet. Eliminating these threats entirely is far more effective than continuing a cat-and-mouse battle with attackers.