Ultra Electronics 3eTi

When a Nuclear Plant is Hacked, It’s Time for New Best Practices

May 2nd, 2016 / By

As reported April 27, the Gundremmingen nuclear plant in Germany was found to be infected with malware designed to allow remote access. Even though the viruses seem to have posed no threat to operations of the plant, 75 miles from Munich, it’s scary stuff when malware finds its way into a nuclear facility and onto its industrial control system (ICS). It’s scarier still when the infection surfaces in a system that was a) upgraded and air-gapped, and b) responsible for moving nuclear fuel rods.

Did Germany dodge a cyber-bullet that just missed sparking a mushroom cloud? Not this time, despite suggestions of such an outcome in some news reports. When we read about a nuclear power station falling prey to a cyber-attack, we envision a crazed evil-doer bent on violent mayhem of apocalyptic proportions by means of a targeted, sophisticated control-system takedown. Through a more rational and informed filter, we recognize that incidents like this are far more mundane. Industrial control systems, like all computer-run systems, are at risk from the same garden-variety malware, in this case W32.Ramnit and Conficker. It’s the cyber equivalent of catching the flu through proximity to someone already infected in the absence of good hygiene.

So, when faced with quasi-lurid headlines, many are left thinking that the German utility incident was an intentional action by a specific bad cyber-actor. This is an alarmist, if to some extent understandable, conclusion when the reality is far less fraught. Many articles used words like “attack” and “hack” interchangeably with “incident,” even though the former terms suggest intent and malice when none can be empirically shown.

The Gundremmingen situation was the result of a lapse in security hygiene, so to speak, not a targeted ICS attack. The malware involved comes from a family at least eight years old and is nothing new to the security community. The more concerning aspect of this story is how the malware found its way onto the control system in the first place. After all, if this vulnerability allowed an untargeted and older piece of malware to get in, the same vulnerability is a viable avenue for a targeted and malicious attack that could cause serious damage. This incident demonstrates an unmitigated risk to the power station that should be investigated and controlled according to a rigorous risk-management process.

The situation in Germany was less a dedicated hack than a display of unsound user/operator behavior in failing to follow good process. It’s the cyber equivalent of a medical practitioner not scrubbing his or her hands between procedures. Falling short in handwashing may not be protocol-compliant but it’s also not a deliberate or malicious attempt to spread infection.

Such operational oversights as using an unscrubbed USB drive, as was probably the case in Gundremmingen, might lead to real danger. Just as handwashing protocols exist because insufficiently washed hands can introduce a terrible pathogen to a vulnerable patient, the toughest cybersecurity protocols exist for good reason. It would definitely be safer if every ICS had sufficiently powerful security controls to withstand all the background cyber-pests still floating around seeking unpatched hosts to inconvenience. In the meantime, as with most infections, common sense and sound practices are usually pretty effective.
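One concrete form that “scrubbing” a USB drive can take, added here as an illustration and not code from 3eTi or from the Gundremmingen investigation: a check that a media-inspection station could run over a mounted drive before the drive is allowed near an ICS workstation. It assumes the drive is mounted read-only at a path handed to the script, and the sample files it builds are constructed stand-ins (the autorun.inf and mislabelled PE files mirror how removable-media worms of the Conficker era spread).

```python
import re
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # Windows executables start with "MZ" regardless of the file extension
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# "invoice.pdf.exe" style names: a document extension hiding an executable one
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|txt)\.(exe|scr|com|pif)$", re.IGNORECASE)


def check_removable_media(root):
    """Walk a mounted volume; return {relative_path: [reasons]} for anything suspect."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        ext = path.suffix.lower()
        reasons = []
        if name == "autorun.inf":
            reasons.append("autorun.inf present")  # classic removable-media worm vector
        if ext in EXEC_EXTS:
            reasons.append("executable file type")
        if DOUBLE_EXT.search(name):
            reasons.append("disguised double extension")
        with open(path, "rb") as fh:
            head = fh.read(2)
        if head == PE_MAGIC and ext not in EXEC_EXTS:
            reasons.append("PE header under non-executable extension")
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_media(base):
    """Constructed stand-in for a USB stick: one legitimate file, three suspect ones."""
    base = Path(base)
    (base / "reports").mkdir(parents=True, exist_ok=True)
    (base / "reports" / "shift_log.txt").write_text("turbine 2 within limits\n")
    (base / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (base / "invoice.pdf.exe").write_bytes(PE_MAGIC + b"\x90" * 62)
    (base / "photo.jpg").write_bytes(PE_MAGIC + b"\x90" * 62)


def run_demo():
    """Build the sample media in a temp dir and return the findings (empty dict means clean)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_media(tmp)
        return check_removable_media(tmp)


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"QUARANTINE {rel}: {', '.join(reasons)}")
```

A real inspection station would add antivirus scanning and hash allow-listing on top of these structural checks; the point is that the drive never reaches the ICS host until it comes back empty-handed.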

The bigger point here is that a nuclear power plant was breached by malware in a way that seemed to capitalize on carelessness. Fortunately, no systems were harmed. Next time, such an oversight might be far more serious. Hospitals and governments erect barriers against known means of unleashing and spreading toxins, yet in this case a nuclear power plant was wide open to one of the most common vulnerabilities and industry risks.

Why it wasn’t mitigated is what scares me the most.