Social engineering seen as rising cyber threat to nuclear industry

The use of social engineering to mount attacks on business data and information networks is emerging as a major risk to cyber security at nuclear power plants, experts told Nuclear Energy Insider.

Nuclear plant operators have agreed to improve cyber security across all facilities by collaborating with national organisations and other industries to share best practices and information on prevented and detected incidents.

At a global nuclear security summit held in Washington in March, operators agreed to “move beyond traditional security solutions and develop more effective technological approaches to cyber security,” according to a group statement published by the U.S. Nuclear Energy Institute (NEI). Operators would work with vendors to “minimize vulnerabilities in the technology supply chain,” the statement said.

U.K. think tank Chatham House said in October that executive management and on-the-ground nuclear personnel may not realize plant vulnerability to cyber threats and are inadequately prepared to deal with cyber attacks.

Conventional industry thinking that all nuclear facilities are ‘air-gapped’ (isolated from the public internet) is misinformed, Chatham House said in a report. The think tank conducted 18 months of research, including 30 interviews with nuclear industry staff in the U.S., Canada, U.K., France, Germany, Japan, Ukraine and Russia.

In one recent incident, German operator RWE said April 27 that computer viruses had infected PCs and USB files used at its Gundremmingen nuclear power plant. RWE said the infection posed no threat to plant operations because its control systems were not linked to the internet, and that German federal cyber investigators would investigate the incident, according to media reports.

Growing issue

The growth of digital communications to improve collaboration and productivity in the workplace has seen a rising number of unauthorized incursions linked to employees, according to the U.K. Government’s 2015 Information Security Breaches Survey, conducted by PwC.

Some 90% of large businesses, which included respondents from the energy sector, reported at least one attack last year and 75% reported a staff-related incident, up from 58% in 2014, the survey said.

Last year 15% of large U.K. organisations had a security or data breach involving smartphones or tablets, up from 7% in 2014. Some 13% of large organisations identified a data or security breach relating to social network sites, compared with 12% in 2014.

[Figure: Length of time taken to identify data breach (based on 39 U.K. business sector responses). Source: U.K. Government’s 2015 Information Security Breaches Survey]

Modern attackers are turning to social engineering techniques that target personnel, which is quicker and easier than identifying and hacking software vulnerabilities, according to experts. Infected emails, social media platforms and online chat sites can all be used to track the whereabouts of personnel and elicit login and password information.

A password breach into the business area leaves personnel and customer data vulnerable to mining and infection with malware. This could present some risk to critical control areas as, although recommendations urge nuclear facilities to separate business systems from critical systems, personnel still need to transfer information and access different areas of the plant.

Emily Taylor, Associate Fellow International Security at Chatham House, said social engineering correlates personal digital footprints to other associated data to rapidly pinpoint individuals using just a handful of data points.

“By using Facebook ‘likes’ alone, searches can predict gender, race, sexual orientation, as well as political and religious beliefs. Maybe there is a growing awareness that posting private and personal statements is not a good idea, but not about things like ‘likes’. The metadata around this is tagged with a location by many applications,” Taylor told Nuclear Energy Insider.

As social media is embedded in daily personal and professional life, it is unrealistic to expect people to withdraw from digital networks, she added. Having greater awareness of the digital data that is temporary and that which is lasting, as well as being more on-guard, will better protect individuals.

Responses to the U.K. government’s 2015 data breach survey showed that 72% of all companies in which there was a poor understanding of security policy had an employee-related breach. Although businesses are delivering more staff awareness training, people are as likely as malicious software to be the source of infiltration.

Dan Rueckert, Vice President Business Strategy at U.S. IT support firm Sheffield Scientific, LLC, said cyber security must be incorporated into daily work routines and nuclear operators need to take a more holistic, long-term approach that looks beyond managing a serious event.

“The challenge is balancing the business benefits with the cyber security risk,” Rueckert told Nuclear Energy Insider.

Firms such as Sheffield Scientific are “mandated to take away all the risk…our goal is to take security controls and embed them in the day-to-day management of the plant,” he said.

Central to security are in-depth defence strategies that evaluate the physical and digital protection provided by processes, technology and people. Operators are faced with the challenge of enabling personnel to securely obtain operations data held on a digital system separated from the business network, Rueckert noted.

A risk management assessment can identify and categorize assets deemed important to the safety of the plant. The assessment might show that access to door keys needs to be restricted or USB ports disabled to protect high-risk areas when personnel work between the business and critical systems, Rueckert said.

Border control

U.S. regulations strongly discourage connecting a plant’s critical assets with external digital networks through firewalls. The U.S. industry cooperates on safety and security measures, and operators have moved towards integrating Instrumentation and Control (I&C) systems with less-trusted networks using only hardware-enforced unidirectional gateways.

Andrew Ginter, Vice President of Industrial Security at Israel’s Waterfall Security Solutions Ltd, told Nuclear Energy Insider that the firm’s Unidirectional Security Gateways are a digital solution that permits only one-way transmission of data, replicating control system servers and emulating devices for safe monitoring by external networks.

Conventional fibre optic chips exchange data carried by light signals sent from either side of an optical connection. In the one-way gateways, the control system’s optical chip contains a laser, but no receiver, and so can only transmit data. The external optical chip contains a fibre-optic receiver, but no laser. Since lasers can send but not receive data, the system physically lets information flow only one way.

Although an appropriate tool for securing a control system network, the Gateways are not suitable for many business networks. Networks of user workstations and laptops send daily queries to external web servers, with replies flowing into the originating network, Ginter said.

The system in which the business network functions cannot be fully secured, resulting in business networks being constantly exposed to threats and remaining at continuous risk of compromise. Modern attackers use social engineering techniques to exploit the weakness by targeting passwords and logins stored on remote devices.

These attacks routinely pivot through intervening computers, networks and systems, and any two-way communications medium is a risk, even when the most obscure, multi-layered, two-way firewalls are deployed.

“IT gurus tell us the edge of the most common business networks is disappearing because everyone is connecting cell phones and other devices into these networks. The opposite is true in control systems. As a rule of thumb, any physical systems [such as nuclear plants] that deserve a physical security boundary also warrant a cyber security boundary for the corresponding control system,” Ginter said.

Designers creating security for industrial control systems need to consider how a security perimeter can be compromised, including via communications and messages, media containing malware, programmable hardware and personnel infiltration, he said.

A thorough perimeter assessment establishes all threat characteristics and provides a framework for evaluating the effectiveness of a given security system design, Ginter said.

By Karen Thomas