Nuclear operators urged to tackle growing threat from cyber attack emails

Nuclear plant operators should prioritize the training of staff against spear-phishing emails, which present a significant and evolving threat to data security, Scott Zimmerman, cyber security lead at non-profit research group Concurrent Technologies Corporation, told Nuclear Energy Insider.

In October, the United States Computer Emergency Readiness Team (US-CERT) warned of an advanced persistent threat activity targeting energy sectors including nuclear power. The alert followed investigations by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

"Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks," US-CERT said in a statement.

"DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners," it said.

In July, consultancy group PwC reported “suspected state actors” had used fake emails to penetrate the administration systems of multiple U.S. nuclear plants, as part of a cyber intrusion campaign codenamed Nuclear17.

In September, cyber security firm Symantec said it believed a sophisticated cyber espionage group known as Dragonfly was behind a recent wave of cyber attacks on European and U.S. power generation companies. Targets reportedly included personnel working for power generation companies and manufacturers of plant control systems.

According to US-CERT, recent cyber attacks used a variety of methods:

Recent cyber attack tactics, techniques and procedures (TTPs)

• Open-source reconnaissance

• Spear-phishing emails (from compromised legitimate accounts)

• Watering-hole domains

• Host-based exploitation

• Industrial control system (ICS) infrastructure targeting

• Ongoing credential gathering

Source: US-CERT.

For nuclear plant operators, spear-phishing emails represent the largest threat, Zimmerman told Nuclear Energy Insider.

“Privileged access is alluring bait to attackers targeting critical infrastructure and can help bypass the time-consuming process of gaining external access”, Zimmerman said.

Spear-phishing emails can originate from “compromised legitimate accounts or from seriously well-crafted phishing emails from what appear to be legitimate organizations such as shipping and delivery companies,” he said.

Across all industries, some 66% of malware is installed via malicious email attachments, according to Verizon's 2017 Data Breach Investigations Report.

"The initial email is typically followed by tactics aimed at blending in, giving the attacker time to collect the data that they need," Verizon noted.

According to US-CERT, recent cyber attacks used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server. The hackers used a combination of authentication protocol and password cracking techniques, it said.

Nuclear operators should allocate appropriate resources to training staff against the latest cyber attack measures, Zimmerman said.

"I didn’t come up with the phrase, but I am always reminded: ‘people make bad firewalls, but they are trainable’,” he said.

Consistent user awareness training, updated and patched systems and tools, and awareness of the latest phishing trends are the most important anti-phishing measures, Zimmerman said.

For example, training teams can construct phishing emails with safe URLs within emails. If users click on them, they are notified and further training is then required.
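As an added example (not from the article, and not code from Concurrent Technologies Corporation), the tracking step of such an exercise can be implemented in a few lines of Python: each recipient gets a unique, HMAC-signed link to a landing page owned by the training team, and the landing page's click log is later triaged to list who needs follow-up training. The landing URL, campaign name and staff names are constructed placeholders.

```python
"""Added example: per-recipient tracking links for a phishing-awareness exercise."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed: a secret held only by the training team; generate a fresh one per campaign.
CAMPAIGN_SECRET = secrets.token_bytes(32)
# Hypothetical landing page owned by the training team. It shows the "this was a
# simulation" notice and records the full URL of every click in its log.
LANDING_BASE = "https://awareness.example.internal/landing"


def _token(campaign_id: str, user_id: str, secret: bytes) -> str:
    """HMAC-SHA256 over (campaign, user), truncated: a recipient cannot forge a colleague's link."""
    msg = f"{campaign_id}:{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def make_tracking_url(campaign_id: str, user_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Build the safe link embedded in one recipient's simulated phishing email."""
    return f"{LANDING_BASE}?c={campaign_id}&u={user_id}&t={_token(campaign_id, user_id, secret)}"


def verify_click(url: str, secret: bytes = CAMPAIGN_SECRET):
    """Return (campaign_id, user_id) for a genuine click, or None if the token is missing or forged."""
    query = parse_qs(urlparse(url).query)
    try:
        campaign_id, user_id, token = query["c"][0], query["u"][0], query["t"][0]
    except (KeyError, IndexError):
        return None
    expected = _token(campaign_id, user_id, secret)
    # Constant-time comparison; encode both sides so a non-ASCII token cannot raise.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return None
    return campaign_id, user_id


def triage_clicks(recipients, click_log, secret: bytes = CAMPAIGN_SECRET):
    """Split recipients into those who clicked (follow-up training) and those who did not.

    click_log is the list of URLs recorded by the landing page; entries with bad
    tokens (scanners, guessed links) are ignored rather than counted against anyone.
    """
    clicked = set()
    for url in click_log:
        verified = verify_click(url, secret)
        if verified is not None:
            clicked.add(verified[1])
    needs_training = sorted(u for u in recipients if u in clicked)
    did_not_click = sorted(u for u in recipients if u not in clicked)
    return needs_training, did_not_click


if __name__ == "__main__":
    # Constructed campaign: a "delivery notification" theme sent to three staff members.
    staff = ["alice", "bob", "carol"]
    links = {u: make_tracking_url("delivery-2017q4", u) for u in staff}
    # Constructed landing-page log: alice clicked; the second entry is a guessed link and is ignored.
    log = [links["alice"], f"{LANDING_BASE}?c=delivery-2017q4&u=bob&t=0000"]
    retrain, ok = triage_clicks(staff, log)
    print("needs follow-up training:", retrain)
    print("did not click:", ok)
```

Signing the per-recipient token matters for the fairness of the exercise: without it, anyone who sees a colleague's link could make that colleague appear to have clicked, and automated link scanners in the mail gateway would be indistinguishable from real users. In practice the landing page also records the timestamp so that clicks within seconds of delivery can be separated from human behaviour.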

Targeted threats

Recent attacks on electricity network assets, reportedly from Russian and North Korean sources, show that power generators must be prepared for targeted, as well as blanket, attacks, Jon Franzino, Director of Grid Security at Grid Subject Matter Experts (GridSME), told a solar power conference last month.

"Now we are not just targets of opportunity, we are actually directly targeted. This is backed up with a lot of intelligence and data," he said.

Power blackouts in Ukraine in December 2015 and 2016 have been blamed on cyber attacks on the electricity grid. Hackers disrupted the power system feeding parts of the capital Kiev, reportedly through remote control of SCADA and substation infrastructure.

The increasing cyber security threat to power plant operators comes amid growing connectivity between generation assets, grids and the internet. Digitisation and data analytics are seen as key ways of reducing nuclear operating costs in the face of wholesale market competition.

Jim Beardsley, head of the Cyber Security Branch at the U.S. Nuclear Regulatory Commission (NRC), said the NRC, reactor licensees and vendors are responding to the increasing threat from cyber attacks.

“The NRC’s Cyber Regulation (10 CFR 73.54) is established at a high level and is performance based. The NRC’s power reactor licensees commit to meeting the regulation in their license and that includes protection from any cyber attack on their safety, security or emergency preparedness systems,” he said.

All US nuclear plant licensees have implemented a comprehensive incident response program to respond to cyber attacks and have developed programs to monitor current credible cyber threats or vulnerabilities. NRC staff inspect licensee implementation of cyber security regulations on a routine basis to verify compliance, Beardsley said.

“To date, there have been no cyber-related events that have adversely impacted the safe or secure operation of a nuclear power plant," he noted.

Shifting tactics

In the latest wave of attacks, threat actors used a spear-phishing campaign that differed from previously reported techniques. The hackers used a generic contract agreement theme, with the words "agreement" and "confidential" in the subject line, and a generic PDF document that itself did not include any active code, US-CERT said.

The document prompted the user to click on a link should a download not automatically begin, and this directed users to a website "which may prompt them to retrieve a malicious file," it said.

Other spear-phishing techniques used in the latest wave of attacks included references to common industrial control equipment and protocols. Emails contained malicious Microsoft Word attachments masquerading as resumes or curriculum vitae for nuclear plant personnel, or as invitations and policy documents that enticed users to open the attachment.

[Figure: UK average company investment in cyber security in FY 2016/17. Source: UK government survey, conducted by Ipsos Mori (2017).]

Global response

A wide range of global organisations have ramped up cyber security research on the nuclear industry in recent years. The U.S. Nuclear Threat Initiative, British think tank Chatham House and the World Economic Forum’s Geostrategy Platform have all confronted the issue, and the U.S. Department of Defense has required the nuclear industry to comply with security controls set out in federal information system protocols.

“As a part of the effort to become compliant, organizations are required to create security inventories of equipment and its uses as well as annual audits of personnel access,” Zimmerman noted.

A number of cross-industry projects are also tackling the growing cyber security challenges.

Industry-funded groups such as the Electric Power Research Institute (EPRI) are working on pilot cyber security projects with a number of nuclear plant operators.

Zimmerman said nuclear operators should develop robust security architectures that provide proper "segmentation, authentication and authorization, and defense-in-depth" strategies.

Segmentation involves the separation of critical and non-critical systems, while creating a secure boundary between process control networks and corporate networks. The National Institute of Standards and Technology (NIST) and Sandia National Labs have both published ICS-specific guidance outlining best practice on segmentation.

Once segmented, the appropriate level of cyber security can be implemented on each part, according to technical importance and cost.
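An added example, not from the article, of how a defender can check that a segmentation boundary is actually holding once it has been drawn: the script below defines an assumed three-zone layout (corporate network, an ICS DMZ and the process control network, the DMZ being the arrangement NIST's ICS guidance recommends), an allow-list of the only cross-zone flows that should exist, and audits constructed flow records for anything else. The address ranges, ports and log format are assumptions chosen for illustration.

```python
"""Added example: audit flow records against a corporate / DMZ / control-network zone model."""
import re
from ipaddress import ip_address, ip_network

# Assumed zone layout for illustration (not the article's): the ICS DMZ sits between the
# corporate network and the process control network.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("10.30.0.0/16"),
}

# Allow-list of permitted cross-zone flows as (src_zone, dst_zone, dst_port, proto).
# Constructed policy: the control network pushes historian data into the DMZ and corporate
# users read the DMZ replica over HTTPS; nothing crosses directly between corporate and control.
ALLOWED_CROSS_ZONE = {
    ("control", "dmz", 5432, "tcp"),
    ("corporate", "dmz", 443, "tcp"),
}

# Assumed flow-record format, one line per flow (e.g. exported from the boundary firewall).
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+proto=(\w+)")

# Constructed sample records. Port 502 is Modbus/TCP, a common ICS protocol.
SAMPLE_FLOWS = [
    "2017-10-20T14:02:11Z src=10.30.1.12 dst=10.20.0.5 dport=5432 proto=tcp",   # historian push
    "2017-10-20T14:02:15Z src=10.10.5.7 dst=10.20.0.5 dport=443 proto=tcp",     # corporate reads DMZ
    "2017-10-20T14:02:20Z src=10.10.5.7 dst=10.30.1.12 dport=502 proto=tcp",    # corporate -> control
    "2017-10-20T14:02:31Z src=10.30.1.12 dst=10.30.1.40 dport=502 proto=tcp",   # inside control zone
    "2017-10-20T14:02:40Z src=192.0.2.9 dst=10.30.1.12 dport=22 proto=tcp",     # outside zone model
]


def zone_of(ip: str):
    """Name of the zone containing ip, or None if the address is outside the model."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str):
    """Extract (src, dst, dport, proto) from one flow record."""
    m = FLOW_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, dst, dport, proto = m.groups()
    return src, dst, int(dport), proto.lower()


def check_flow(line: str):
    """Return None if the flow is consistent with the zone policy, else a reason string."""
    src, dst, dport, proto = parse_flow(line)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return f"address outside any defined zone: {src} -> {dst}"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not the boundary's concern
    if (src_zone, dst_zone, dport, proto) in ALLOWED_CROSS_ZONE:
        return None
    return f"{src_zone} -> {dst_zone} on {proto}/{dport} is not in the cross-zone allow-list"


def audit(lines):
    """Return [(record_index, reason), ...] for every record that violates the policy."""
    violations = []
    for index, line in enumerate(lines):
        reason = check_flow(line)
        if reason is not None:
            violations.append((index, reason))
    return violations


if __name__ == "__main__":
    for index, reason in audit(SAMPLE_FLOWS):
        print(f"record {index}: {reason}")
```

Run against real data, the allow-list comes from the boundary firewall or data-diode policy and the records from NetFlow or firewall logs; every hit is either a gap in the segmentation design or an attempt to cross it, so the output belongs in the SOC's alerting rather than in a monthly report.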

Zimmerman warned operators must continue to respond to the evolving threats posed by increasingly-sophisticated cyber attackers.

"Organizations must be persistent in both their defense and prevention," he said.

By Neil Ford