Tuesday, 17 March 2015

What can we learn from the South Korea cyber nuclear hack?

Last December, South Korea’s state-run nuclear plant operator, Korea Hydro and Nuclear Power (KHNP), reported that it was the victim of a cyber attack.  

On December 15, a Twitter account purportedly representing an anti-nuclear group in Hawaii claimed responsibility for the hack. Leaking information stolen from KHNP nuclear plants over the following days – including the details of KHNP employees, blueprints of at least two nuclear reactors, electricity flow charts and estimates of radiation exposure among local residents[1] – the perpetrators issued an ultimatum.

Threatening further debilitating cyber attacks, the hackers demanded that South Korea close down three of its older nuclear power plants. The group warned South Koreans living near the plants to avoid the areas over the coming months.

South Korean President Park Geun Hye acknowledged that it was a ‘grave situation’, stating that nuclear power plant operations ‘directly impact the safety of the people.’ KHNP heightened security at its plants and ran a two-day cyber security drill for staff.

KHNP and government spokespeople reiterated throughout this period that the cyber attacks had only affected ‘non-core’ technologies, that the stolen information was not more detailed than information that was already available online, and that operations at the plants were not in any danger.

Indeed, the deadline set by the hackers passed without incident.

Last Thursday, following President Park’s visit to the Middle East to promote exports of nuclear power plants,[2] the hackers released additional documents via the same Twitter account. A system plan and test data from the Kori nuclear power plant in Busan were posted online, and the perpetrators threatened to sell more material, claiming this would undermine Park’s plan to export nuclear power.

An unidentified KHNP official, speaking to Reuters on Thursday said: ‘We don’t know how they were leaked but one thing for sure is that there has been no attack from anti-nuclear groups since December.’[3]

How worried should we really be about this series of cyber attacks and the threats made to South Korea’s nuclear power industry?

A KHNP representative, speaking shortly after the initial hack, stated: ‘it is 100% impossible that a hacker can stop nuclear power plants by attacking them because the control monitoring system is totally independent and closed.’ KHNP says that in April 2013 the internal networks at its nuclear plants were air-gapped, that is, physically isolated from the Internet.

However, in late December it was reported that a worm had been removed from devices connected to some nuclear plant control systems. South Korea’s Energy Minister, Yoon Sang-jick, said that plant workers using unauthorised USB devices had probably introduced the worm inadvertently.[4] Although in this instance the malware was low-risk, the comparison with Stuxnet is obvious: the worm discovered in 2010 that physically damaged centrifuges at Iran’s uranium enrichment plant. That plant’s control system was also air-gapped, and the worm was carried in on infected USB devices.
Yoon, reporting to Parliament, maintained that this worm was not linked to the earlier cyber attacks, and reiterated that the closed network used for reactor operations made the control systems impervious to cyber attack.[5]

Contrary to such statements, separating a network from the Internet does not make it safe from attack. Yoon may well be right that the malware carried in on unapproved USB devices is unrelated to the hacking and subsequent leak of plant information, but finding a worm on devices connected to nuclear plant control systems demonstrates precisely the shortcoming of air-gapping: the gap is only as strong as the controls on whatever crosses it, and removable media crosses it routinely.
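To make that concrete, the following is an added example, not code from the original post or from KHNP, of the kind of check an operator of an isolated network should be running: it parses Linux kernel (dmesg) USB enumeration messages, picks out the devices that bind as USB mass storage, and flags any whose vendor ID, product ID and serial number are not on an allowlist of approved transfer media. The log lines and the allowlist entry are constructed for the example; the device names, IDs and serial numbers are not real plant data.

```python
import re

# Constructed sample of Linux kernel log lines (dmesg format) showing three
# USB insertions: an allowlisted flash drive, an unknown flash drive and a
# mouse. Made up for this example; not real log data from any plant.
SAMPLE_LOG = """\
[  101.120001] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  101.250010] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  101.250020] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  101.250030] usb 1-1: Product: Ultra Fit
[  101.250040] usb 1-1: Manufacturer: SanDisk
[  101.250050] usb 1-1: SerialNumber: 4C530001234567890123
[  101.300000] usb-storage 1-1:1.0: USB Mass Storage device detected
[  250.500001] usb 2-3: new high-speed USB device number 7 using xhci_hcd
[  250.600010] usb 2-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  250.600020] usb 2-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  250.600030] usb 2-3: Product: Mass Storage
[  250.600040] usb 2-3: Manufacturer: Generic
[  250.600050] usb 2-3: SerialNumber: 0000000000000001
[  250.700000] usb-storage 2-3:1.0: USB Mass Storage device detected
[  300.000000] usb 1-2: new low-speed USB device number 5 using xhci_hcd
[  300.100000] usb 1-2: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[  300.100010] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  300.100020] usb 1-2: Product: USB Optical Mouse
[  300.100030] usb 1-2: Manufacturer: Logitech
"""

# Hypothetical allowlist of approved transfer media: (idVendor, idProduct, serial).
ALLOWLIST = {("0781", "5583", "4C530001234567890123")}

DEV_RE = re.compile(
    r"\] usb (?P<path>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SER_RE = re.compile(r"\] usb (?P<path>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STOR_RE = re.compile(
    r"\] usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text):
    """Group dmesg lines by USB bus path (e.g. '1-1') and return one record per device."""
    devices = {}
    order = []
    for line in log_text.splitlines():
        m = DEV_RE.search(line)
        if m:
            path = m.group("path")
            devices[path] = {"path": path, "vid": m.group("vid"), "pid": m.group("pid"),
                             "serial": None, "mass_storage": False}
            order.append(path)
            continue
        m = SER_RE.search(line)
        if m and m.group("path") in devices:
            devices[m.group("path")]["serial"] = m.group("serial")
            continue
        m = STOR_RE.search(line)  # interface path '1-1:1.0' -> device path '1-1'
        if m and m.group("path") in devices:
            devices[m.group("path")]["mass_storage"] = True
    return [devices[p] for p in order]


def find_unauthorised_media(log_text, allowlist=ALLOWLIST):
    """Return (path, vid, pid, serial) for every mass-storage device not on the allowlist.

    A device without a serial number can never match: an allowlist keyed only on
    vendor/product IDs is trivially spoofed by reprogrammable controllers, so
    unserialised storage is always flagged.
    """
    alerts = []
    for dev in parse_usb_events(log_text):
        if not dev["mass_storage"]:
            continue  # keyboards, mice, etc. are a separate policy question
        key = (dev["vid"], dev["pid"], dev["serial"])
        if dev["serial"] is None or key not in allowlist:
            alerts.append((dev["path"], dev["vid"], dev["pid"], dev["serial"]))
    return alerts


if __name__ == "__main__":
    for path, vid, pid, serial in find_unauthorised_media(SAMPLE_LOG):
        print(f"ALERT: unapproved mass storage on usb {path}: {vid}:{pid} serial={serial}")
```

Run against the sample, only the second drive (bus path 2-3) is reported; the SanDisk device is on the allowlist and the mouse never binds as mass storage. The allowlist keys on the serial number because vendor and product IDs are trivially forged. This is detection, not enforcement: on an isolated network the same parsing can be fed from the local kern.log without any Internet access, while actually blocking unapproved media is a job for a udev rule or an endpoint control product, and neither removes the need to log what was plugged in.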

Air-gapping may indeed lead to complacency about cyber security if it is thought to offer complete invulnerability.[6] The cyber attacks on the South Korean nuclear power plants thus highlight the need for a multidimensional and dynamic system of cyber defence.

This is easier said than done. Maintaining a strong cyber defence is more expensive and more difficult than mounting cyber attacks; most critical infrastructure operators do not know what vulnerabilities their networks have, where these lie, or how to fix them.[7] For an attack to succeed, the attacker need only find and exploit one vulnerability, whereas successful defence requires identifying and defending all of them. Vulnerability to USB devices is just one weakness of air-gapping, and as research into the capabilities of cyber attacks continues, new ways of crossing an air-gap keep coming to light.[8]

Even though this recent hacking of South Korean nuclear power plants has not resulted in physical damage to the plants, it is a reminder of the cyber threats that critical infrastructure will increasingly face, and of the risks of relying solely on air-gaps to protect control networks. Contrary to KHNP’s assertion, it is not ‘100% impossible’ for a cyber attack to reach air-gapped machines, and the events in South Korea should serve as a strong reminder of the dangers of that assumption.

[1] http://www.theguardian.com/world/2014/dec/22/south-korea-nuclear-power-cyber-attack-hack
[2] http://www.reuters.com/article/2015/03/04/saudi-south-korea-nuclear-idUSL5N0W61GM20150304
[3] http://uk.reuters.com/article/2015/03/12/uk-southkorea-cybersecurity-nuclear-idUKKBN0M815B20150312
[4] http://www.reuters.com/article/2014/12/30/nuclear-southkorea-cybersecurity-idUSL3N0UE1A320141230
[5] http://uk.reuters.com/article/2014/12/30/nuclear-southkorea-cybersecurity-idUKL3N0UE1A320141230
[6] http://www.itbusinessedge.com/slideshows/five-hard-truths-about-critical-infrastructure-protection.html
[7] http://www.itbusinessedge.com/slideshows/five-hard-truths-about-critical-infrastructure-protection.html
[8] http://www.itworld.com/article/2859246/how-to-bridge-and-secure-air-gap-networks.html
