Tuesday, 17 March 2015

What can we learn from the South Korea cyber nuclear hack?

Last December, South Korea’s state-run nuclear plant operator, Korea Hydro and Nuclear Power (KHNP), reported that it was the victim of a cyber attack.  

On December 15, a Twitter account purportedly representing an anti-nuclear group in Hawaii claimed responsibility for the hack. Leaking information stolen from KHNP nuclear plants over the following days – including the details of KHNP employees, blueprints of at least two nuclear reactors, electricity flow charts and estimates of radiation exposure among local residents[1] – the perpetrators issued an ultimatum.

Threatening further debilitating cyber attacks, the hackers demanded that South Korea close down three of its older nuclear power plants. The group warned South Koreans living near the plants to avoid the areas over the coming months.

South Korean President Park Geun Hye acknowledged that it was a ‘grave situation’, stating that nuclear power plant operations ‘directly impact the safety of the people.’ KHNP heightened security at its plants and implemented a two-day cyber security drill for staff.

KHNP and government spokespeople reiterated throughout this period that the cyber attacks had only affected ‘non-core’ technologies, that the stolen information was not more detailed than information that was already available online, and that operations at the plants were not in any danger.

Indeed, the deadline set by the hackers passed without incident.

Last Thursday, following President Park’s visit to the Middle East regarding exporting nuclear power plants,[2] the hackers released additional documents via the same Twitter account. A system plan and test data from the Kori nuclear power plant in Busan was posted online and the perpetrator threatened to sell more material, claiming this action would undermine Park’s plan to export nuclear power.

An unidentified KHNP official, speaking to Reuters on Thursday, said: ‘We don’t know how they were leaked but one thing for sure is that there has been no attack from anti-nuclear groups since December.’[3]

How worried should we really be about this series of cyber attacks and the threats made to South Korea’s nuclear power industry?

A KHNP representative, speaking shortly after the initial hack, stated: ‘it is 100% impossible that a hacker can stop nuclear power plants by attacking them because the control monitoring system is totally independent and closed.’ The KHNP claims that in April 2013 the internal networks at its nuclear plants were air-gapped, physically isolated from the Internet.

However, in late December it was reported that a worm had been removed from devices connected to some nuclear plant control systems. South Korea’s Energy Minister, Yoon Sang-jick, said that plant workers using unauthorised USB devices probably inadvertently introduced the worm.[4] Although in this instance the malware was low-risk, there are clear comparisons to be made to Stuxnet, a 2010 cyber attack on critical infrastructure that resulted in physical damage to Iran's nuclear centrifuges. The control system at Iran's uranium enrichment plant was air-gapped, and the offending worm was introduced via infected USB devices.

Yoon, reporting to Parliament, maintained that this worm was not linked to the previous cyber attacks, and reiterated that the closed network used for reactor operations meant that control systems were impervious to cyber attacks.[5]

Contrary to statements like this, separating a network from the Internet does not mean that it is safe from attack. Although Yoon denied that the malware introduced to the plant via unapproved USB devices was related to the hacking and subsequent leak of plant information, finding a worm on devices connected to nuclear plant control systems highlights the shortcomings of air-gapping.

Air-gapping may indeed lead to complacency on cyber security if it is thought to offer complete invulnerability.[6] The cyber attacks on the South Korean nuclear power plants thus highlight the need for a multidimensional and dynamic system of cyber defence.

This is easier said than done. Maintaining a strong cyber defence is more expensive and more difficult than orchestrating cyber attacks – most critical infrastructure operators don’t know what vulnerabilities their networks have, where these lie, nor how to fix them.[7] For offence to succeed, attackers only need to find and exploit one vulnerability. Conversely, successful cyber defence entails identifying and defending all vulnerabilities. Vulnerability to USB devices is just one weakness of air-gapping, and as research continues into the capabilities of cyber attacks, new vulnerabilities have become apparent.[8]
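The unauthorised USB devices that reportedly carried the worm onto KHNP control-system hosts are the kind of event a "multidimensional" defence should notice even on an isolated network. The script below is an added illustration, not code from the original post or from KHNP: it audits Linux kernel log lines for USB mass-storage attachments and flags any device whose serial number is not on an operator allow-list. The log lines, host names and serial numbers are constructed for the example, and the allow-list (APPROVED_SERIALS) is a hypothetical policy; the assumption is that isolated hosts forward their kernel logs to a collector where a check like this can run.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample kernel log lines in syslog format (not real plant data).
# Two mass-storage devices and one keyboard are attached across two hosts.
SAMPLE_LOG = """\
Dec 29 08:14:02 hmi01 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Dec 29 08:14:02 hmi01 kernel: usb 1-1.2: SerialNumber: CONSTRUCTED-SN-0001
Dec 29 08:14:03 hmi01 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Dec 29 09:02:41 hmi01 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Dec 29 09:02:41 hmi01 kernel: usb 1-1.3: SerialNumber: CONSTRUCTED-SN-KBD
Dec 29 10:30:17 eng02 kernel: usb 2-1: New USB device found, idVendor=13fe, idProduct=4200, bcdDevice= 1.00
Dec 29 10:30:17 eng02 kernel: usb 2-1: SerialNumber: CONSTRUCTED-SN-0002
Dec 29 10:30:18 eng02 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allow-list: serials of removable media approved for use on the isolated network.
APPROVED_SERIALS: Set[str] = {"CONSTRUCTED-SN-0001"}

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
NEW_DEV = re.compile(TS + r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
SERIAL = re.compile(TS + r"usb (?P<port>[\d.-]+): SerialNumber: (?P<sn>\S+)")
STORAGE = re.compile(TS + r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbStorageEvent:
    ts: str
    host: str
    port: str
    vid: str
    pid: str
    serial: Optional[str] = None
    approved: bool = False


def audit_usb_storage(log_text: str, approved_serials: Set[str]) -> List[UsbStorageEvent]:
    """Correlate enumeration, serial and mass-storage lines per (host, port) and
    return one event per mass-storage attachment, marked approved or not."""
    pending: Dict[Tuple[str, str], UsbStorageEvent] = {}
    findings: List[UsbStorageEvent] = []
    for line in log_text.splitlines():
        m = NEW_DEV.match(line)
        if m:
            # A new device on this port supersedes any earlier enumeration there.
            pending[(m["host"], m["port"])] = UsbStorageEvent(
                m["ts"], m["host"], m["port"], m["vid"].lower(), m["pid"].lower())
            continue
        m = SERIAL.match(line)
        if m:
            ev = pending.get((m["host"], m["port"]))
            if ev is not None:
                ev.serial = m["sn"]
            continue
        m = STORAGE.match(line)
        if m:
            ev = pending.pop((m["host"], m["port"]), None)
            if ev is None:
                # Mass-storage announcement without a preceding enumeration line
                # (log gap or truncation): still report it, with unknown identity.
                ev = UsbStorageEvent(m["ts"], m["host"], m["port"], "????", "????")
            # Only an allow-listed serial counts as approved; a missing serial never does.
            ev.approved = ev.serial is not None and ev.serial in approved_serials
            findings.append(ev)
    return findings


def unapproved_devices(log_text: str, approved_serials: Set[str]) -> List[UsbStorageEvent]:
    """The events an operator would want to see: mass storage not on the allow-list."""
    return [ev for ev in audit_usb_storage(log_text, approved_serials) if not ev.approved]


if __name__ == "__main__":
    for ev in unapproved_devices(SAMPLE_LOG, APPROVED_SERIALS):
        print(f"{ev.ts} {ev.host} port {ev.port}: unapproved USB storage "
              f"{ev.vid}:{ev.pid} serial={ev.serial}")
```

Keyboards and other non-storage devices are enumerated in the same way but never produce the usb-storage line, so they are not reported; the point is to watch the one class of device the article identifies as the way past the air-gap, and to treat a device with no readable serial as unapproved rather than silently trusting it.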

Even though this recent hacking of South Korean nuclear power plants has not resulted in physical damage to the plants, it is a reminder of the cyber threats that critical infrastructures will increasingly face, and the risks associated with relying solely on air-gaps to protect control networks. Contrary to the perception of the KHNP, it is not '100% impossible' for a cyber attack to target air-gapped machines, and the events in South Korea should serve as a strong reminder of the dangers of this logical fallacy.

[1] http://www.theguardian.com/world/2014/dec/22/south-korea-nuclear-power-cyber-attack-hack
[2] http://www.reuters.com/article/2015/03/04/saudi-south-korea-nuclear-idUSL5N0W61GM20150304
[3] http://uk.reuters.com/article/2015/03/12/uk-southkorea-cybersecurity-nuclear-idUKKBN0M815B20150312
[4] http://www.reuters.com/article/2014/12/30/nuclear-southkorea-cybersecurity-idUSL3N0UE1A320141230
[5] http://uk.reuters.com/article/2014/12/30/nuclear-southkorea-cybersecurity-idUKL3N0UE1A320141230
[6] http://www.itbusinessedge.com/slideshows/five-hard-truths-about-critical-infrastructure-protection.html
[7] http://www.itbusinessedge.com/slideshows/five-hard-truths-about-critical-infrastructure-protection.html
[8] http://www.itworld.com/article/2859246/how-to-bridge-and-secure-air-gap-networks.html

Saturday, 10 January 2015

Media Interview: Defending the Power Grid against Cyber Attack

Chatham House Associate Fellow David Livingstone speaks to Bloomberg on defending the U.K. power grid against cyber attacks:

The most successful types of hacks -- which are probably those that infiltrated the U.S. grid -- get into the core of the system while remaining undetected, said David Livingstone, Chatham House international security fellow. 

Criminals are recruited on the dark web and disappear after the hack is complete, he said. They could be anyone from eco-terrorists trying to shut down a nuclear power station to nation-states storing information for future use. 

Full article here:  


Saturday, 27 December 2014

Media Publication: Drone Flights over French Nuclear Plants

Chatham House publishes an article in Newsweek on the security vulnerabilities that the drone flights over French nuclear power plants have exposed.

Full article here:

Tuesday, 23 December 2014

Media Interview: Cyber Attack on South Korean Nuclear Plant

Dr Patricia Lewis, Research Director of the International Security Department at Chatham House, speaks to The Guardian about the recent cyber attack on a South Korean nuclear power plant:

Patricia Lewis, research director in international security at Chatham House, said concern was reasonable, even though people were thinking about security.

“The key thing with all of this stuff is never think you’re invulnerable,” she said. “Always be aware of your vulnerability and put things in place so you can be prepared for an attack. Always be aware that something unusual that happens could be the result of a cyber-attack.” 

Full article here:


Friday, 28 November 2014

Conference Presentation: NATO Advanced Research Workshop - Protection of Critical Energy Infrastructure

Chatham House gave a talk on the project findings thus far at the NATO Advanced Research Workshop: The Protection of Critical Energy Infrastructure Against Emerging Security Challenges in Tbilisi, Georgia on 25-28 November 2014. The meeting was organized by the Atlantic Treaty Association and the Atlantic Council of Georgia.

Slides from the presentation here:

Saturday, 8 November 2014

Media Interview: Drone Flights over French Nuclear Plants

Chatham House Associate Fellow David Livingstone speaks to the Financial Times about the recent spate of drone flights over French nuclear power plants: 

“The concern is that someone is considering an attack, looking to penetrate the perimeter using genuine weaponry, or planning a protest,” said David Livingstone, associate fellow for international security at the think-tank Chatham House. “Unless you know where the data are going back to, or who is controlling the drone, you don’t know if it’s just people messing around, an environmental group, terrorists, or even a nation state.”

He said the mystery also raises questions – at a time when Western governments are increasingly using drones to catch criminals at home and attack enemies abroad – about the preparedness of states for the use of the technology against themselves. 

Full article here: