On December 15, a Twitter account purportedly representing an anti-nuclear group in Hawaii claimed responsibility for the hack. Leaking information stolen from KHNP nuclear plants over the following days – including the details of KHNP employees, blueprints of at least two nuclear reactors, electricity flow charts and estimates of radiation exposure among local residents – the perpetrators issued an ultimatum.
Air-gapping may indeed lead to complacency on cybersecurity if it is thought to offer complete invulnerability. The cyber attacks on the South Korean nuclear power plants thus highlight the need for a multidimensional and dynamic system of cyber defence.
This is easier said than done. Maintaining a strong cyber defence is more expensive and more difficult than orchestrating cyber attacks – most critical infrastructure operators don’t know what vulnerabilities their networks have, where these lie, or how to fix them. For offence to succeed, attackers only need to find and exploit one vulnerability. Conversely, successful cyber defence entails identifying and defending all vulnerabilities. Vulnerability to USB devices is just one weakness of air-gapping, and as research continues into the capabilities of cyber attacks, new vulnerabilities have become apparent.