Nuclear power plants are key targets for hackers
In September 2019, a group of elite hackers began sniffing around the computer network of the Kudankulam power plant, the largest nuclear power station in India.
They had spent weeks doing research on how the plant’s computers worked and managed to steal login information for one of its servers.
They carefully entered the username, “/user:KKNPP\administrator” and the password, “su.controller5kk” into a specially built piece of software which they sent inside the plant’s computer network.
Armed with this information, there’s a chance the hackers could have gained access to critical safety systems and caused a Chernobyl-style meltdown.
Luckily for the plant’s hundreds of employees, they weren’t planning to cause any damage. Instead, they wanted to find out more about how the plant and its computer network works.
The identity of the hackers was never disclosed, although researchers have pointed out similarities to hacking techniques used by North Korea. But in the shadowy world of cybersecurity, there’s a strong possibility that the Indian hack was the work of another country which took great care to disguise itself as North Korea.
Cyberattacks on nuclear power plants like this are rare and difficult, with only the world’s most skilled hackers able to navigate layers of security to break into networks. When they do break in, hackers typically carry out reconnaissance before quietly slipping out of networks.
But cybersecurity experts warn that the worst case scenario for a cyberattack on a nuclear power plant is incredibly serious.
A paper prepared for the 2012 Nuclear Security Summit in Seoul laid out the risk in clear terms: It warned that cyberattacks on nuclear power plants could “lead to substantial releases of radioactive material with consequent loss of lives, radiation sickness and psycho-trauma, extensive property destruction and economic upheaval.”
The Kudankulam power plant in India was targeted by hackers last year
Credit: AP
Nuclear power plants are among the highest-protected sites in the world when it comes to cybersecurity. But hacks do happen.
The Nuclear Threat Initiative, an American non-profit organisation, has tracked a steady stream of cyber incidents at nuclear power plants since 1990. The incidents are rare. 2011 and 2016 saw yearly highs of three incidents per year, but hacks have the potential to be severe.
A key part of a nuclear power plant’s security is the use of so-called “airgapped” networks. This is the gold standard when it comes to preventing hackers from accessing systems: The vital control systems are completely physically separate from the internet.
In theory, this should completely block hackers from gaining access to critical safety control systems. But inventive hackers have found ways to bridge this gap.
Researchers have shown that it’s possible to steal data from airgapped systems using noises, light and even magnets, but it’s simple techniques which hackers actually use.
Countries that are launching government-backed hacking attacks
The most high-profile hack related to nuclear power is the Stuxnet campaign which used software to wreak havoc in a uranium enrichment facility in Iran.
The hacking campaign, widely believed to be run by the US and Israel but never confirmed by their governments, managed to bridge the facility’s airgap — likely through a device like a USB stick or CD — to put malicious software on vital systems.
The hack caused uranium enrichment centrifuges to spin alternately faster and then slower than programmed, causing severe stress which damaged more than 900 of the devices and severely denting Iran’s nuclear ambitions.
Another typical route into nuclear power plants for hackers is by carrying out a supply chain attack, which targets the companies that provide the hardware and software used to keep plants running. Skilled hackers can plant “backdoors” into the software while it’s being developed and then enter through those portals once it’s been installed in a power plant.
Joseph Carson, the chief security scientist of Thycotic, managed to hack into a non-nuclear power plant with the plant’s permission by conducting thorough research on who supplies vital supervisory control and data acquisition (SCADA) software in order to prepare to hack into the plant.
“It’s hard to come by the equipment,” he says. “SCADA controls aren’t something you just go buy off the shelf. I did some training courses and I found there’s online emulator software that let me play with the interface.”
Eventually, Carson managed to gain in-person access to the plant’s control systems and could have caused serious disruption.
“From a cyberattack you can cause damage to equipment and ultimately have physical damage,” he says. But to craft an attack like this would take months of research in order to assemble information on passwords used by employees and the software that plants run on.
“To do a major attack, you would have to have the main systems fail but also remove the cascading controls,” he says.
If a cyberattack on a nuclear power plant does happen, it’s not yet clear how governments would respond to it. It’s a problem which has occupied the minds of policy and cybersecurity researchers for years.
Dr Lukasz Olejnik, an independent cybersecurity researcher and consultant, says considering whether a cyberattack like this is an act of war is “tricky territory.”
“The answer depends on the intentions and the effects,” he says. It all depends on the scale of the impact of the attack, such as whether it “contributes to tangible harms to objects or persons, leads to prolonged disruption, or even to the spill of radiating material.”
If a cyberattack’s impact is severe, “the victim country may find grounds to see it as an act of war,” says Olejnik, a former scientific advisor on cyberwarfare at the International Committee of the Red Cross. “So far no cyberattack came even remotely close to that.”
High-profile hacks
Thankfully, an entire industry exists for software designed to keep secure locations like nuclear power plants secure.
British cybersecurity business Darktrace, for example, has set up a dedicated industrial division to sell its artificial intelligence-powered software to power plants. Darktrace’s software monitors the networks of power plants, hunting for any signs that hackers are snooping around in preparation for a cyberattack.
And plants can guard against supply chain attacks by paying for research into the software they use. Amir Preminger, the vice president of research at cybersecurity Claroty, is leading an initiative to check software for problems.
“When talking about software, of course there is always the risk of supply chain when somebody attacks and implements some sort of a backdoor which is part of the product and shipped without the vendor even knowing,” he says.
“I think a good tool to find it is to do a deep dive security assessment,” he says, a service which Claroty provides. “In many cases, we actually were able to find vulnerabilities in those products,” he adds.
Hacking groups may be able to breach the defences of nuclear power plants to snoop around and chances are they could cause damage if they want to.
But industry experts say so far that’s as serious as things have gotten. Incidents like the hack of the Kudankulam plant are a typical example of hackers carrying out reconnaissance but stopping short of causing damage.
The Telegraph revealed last year that the UK had also been a target of a nuclear plant cyber attack, although GCHQ refused to reveal details. Insiders expect regular incidents like this to continue into the future.
For now, at least, the governments which give orders to skilled hacking groups have stopped far short of carrying out a serious and targeted cyberattack on nuclear power.
“It’s the motivation which is missing,” Carson says. “Nation states are looking and poking holes, they’re in that intelligence-gathering phase right now. There’s no motive at the moment in order to pull the trigger.”
Свежие комментарии