Last December, South Korea’s state-run nuclear plant operator, Korea Hydro and Nuclear Power (KHNP), reported that it was the victim of a cyber attack.
On December 15, a Twitter account purportedly representing an anti-nuclear group in Hawaii claimed responsibility for the hack. Leaking information stolen from KHNP nuclear plants over the following days – including the details of KHNP employees, blueprints of at least two nuclear reactors, electricity flow charts and estimates of radiation exposure among local residents[1] – the perpetrators issued an ultimatum.
Threatening further debilitating cyber attacks, the hackers demanded that South Korea close down three of its older nuclear power plants. The group warned South Koreans living near the plants to avoid the areas over the coming months.
South Korean President Park Geun Hye acknowledged that it was a ‘grave situation’, stating that nuclear power plant operations ‘directly impact the safety of the people.’ KHNP heightened security at its plants and implemented a two-day cyber security drill for staff.
KHNP and government spokespeople reiterated throughout this period that the cyber attacks had only affected ‘non-core’ technologies, that the stolen information was no more detailed than information already available online, and that operations at the plants were not in any danger.
Indeed, the deadline set by the hackers passed without incident.
Last Thursday, following President Park’s visit to the Middle East regarding the export of nuclear power plants,[2] the hackers released additional documents via the same Twitter account. A system plan and test data from the Kori nuclear power plant in Busan were posted online, and the perpetrator threatened to sell more material, claiming this action would undermine Park’s plan to export nuclear power.
An unidentified KHNP official, speaking to Reuters on Thursday, said: ‘We don’t know how they were leaked but one thing for sure is that there has been no attack from anti-nuclear groups since December.’[3]
How worried should we really be about this series of cyber attacks and the threats made to South Korea’s nuclear power industry?
A KHNP representative, speaking shortly after the initial hack, stated: ‘it is 100% impossible that a hacker can stop nuclear power plants by attacking them because the control monitoring system is totally independent and closed.’ KHNP claims that in April 2013 the internal networks at its nuclear plants were air-gapped, that is, physically isolated from the Internet.
However, in late December it was reported that a worm had been removed from devices connected to some nuclear plant control systems. South Korea’s Energy Minister, Yoon Sang-jick, said that plant workers using unauthorised USB devices had probably introduced the worm inadvertently.[4]
Although in this instance the malware was low-risk, there are clear comparisons to be made with Stuxnet, the 2010 cyber attack on critical infrastructure that resulted in physical damage to Iran's nuclear centrifuges. The control system at Iran's uranium enrichment plant was also air-gapped, and the offending worm was likewise introduced via infected USB devices.
Yoon, reporting to Parliament, maintained that this worm was not linked to the previous cyber attacks, and reiterated that the closed network used for reactor operations meant that control systems were impervious to cyber attacks.[5]
Contrary to statements like this, separating a network from the Internet does not mean that it is safe from attack. Although Yoon denied that the malware introduced to the plant via unapproved USB devices was related to the hacking and subsequent leak of plant information, finding a worm on devices connected to nuclear plant control systems in itself highlights the shortcomings of air-gapping: the gap is only as strong as the controls on whatever crosses it, and removable media crossed it here.
Air-gapping may indeed lead to complacency on cyber security if it is thought to offer complete invulnerability.[6] The cyber attacks on the South Korean nuclear power plants thus highlight the need for a multidimensional and dynamic system of cyber defence, in which isolation is one layer alongside controls on removable media, monitoring of the isolated network, and staff training.
Even though this recent hacking of South Korean nuclear power plants has not resulted in physical damage to the plants, it is a reminder of the cyber threats that critical infrastructures will increasingly face, and of the risks of relying solely on air-gaps to protect control networks.
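One concrete layer behind an air-gap is monitoring the removable media that cross it, since that is how the worm above reached plant devices. The following added example (not code from KHNP or from the original post) scans constructed Linux kernel log lines for USB mass-storage attaches on a workstation in an isolated network and flags any device whose vendor, product and serial are not on an assumed allowlist of approved transfer media; the hostname, device IDs and serials are made up.

```python
import re

# Constructed sample syslog lines in Linux kernel format; not real plant logs.
SAMPLE_LOG = """\
Dec 20 09:12:01 hmi-ws01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567
Dec 20 09:12:01 hmi-ws01 kernel: usb 1-2: SerialNumber: 4C530001230712345678
Dec 20 09:12:02 hmi-ws01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Dec 20 11:40:17 hmi-ws01 kernel: usb 1-3: New USB device found, idVendor=0951, idProduct=1666
Dec 20 11:40:17 hmi-ws01 kernel: usb 1-3: SerialNumber: 0019E06B1234ABCD
Dec 20 11:40:18 hmi-ws01 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Dec 20 13:05:44 hmi-ws01 kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c31c
"""

# Assumed allowlist of approved transfer media: (idVendor, idProduct, serial).
ALLOWED_MEDIA = {("0781", "5567", "4C530001230712345678")}

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def find_media_attaches(log_text, allowed=ALLOWED_MEDIA):
    """Return one dict per mass-storage attach, marking whether it is on the allowlist."""
    pending = {}   # port -> identity gathered from the enumeration lines
    events = []
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            pending[m.group(1)] = {"vendor": m.group(2), "product": m.group(3), "serial": None}
        elif m := SERIAL.search(line):
            if m.group(1) in pending:
                pending[m.group(1)]["serial"] = m.group(2)
        elif m := STORAGE.search(line):
            dev = pending.pop(m.group(1), None)
            if dev is None:
                continue  # storage line without a matching enumeration; nothing to identify
            key = (dev["vendor"], dev["product"], dev["serial"])
            events.append({"port": m.group(1), **dev, "authorized": key in allowed})
    return events


def unauthorized_media(log_text, allowed=ALLOWED_MEDIA):
    """Only the attaches that should raise an alert on an isolated network."""
    return [e for e in find_media_attaches(log_text, allowed) if not e["authorized"]]


if __name__ == "__main__":
    for e in unauthorized_media(SAMPLE_LOG):
        print(f"ALERT unapproved storage on {e['port']}: {e['vendor']}:{e['product']} sn={e['serial']}")
```

Devices that never expose a storage interface (the third device in the sample) are ignored, so the detector alerts on what can actually carry files across the gap rather than on every USB plug-in.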
Contrary to the perception of the KHNP, it is not '100% impossible' for a cyber attack to target air-gapped machines, and the events in South Korea should serve as a strong reminder of the dangers of this logical fallacy.
[1] http://www.theguardian.com/world/2014/dec/22/south-korea-nuclear-power-cyber-attack-hack
[2] http://www.reuters.com/article/2015/03/04/saudi-south-korea-nuclear-idUSL5N0W61GM20150304
[3] http://uk.reuters.com/article/2015/03/12/uk-southkorea-cybersecurity-nuclear-idUKKBN0M815B20150312
[4] http://www.reuters.com/article/2014/12/30/nuclear-southkorea-cybersecurity-idUSL3N0UE1A320141230
[5] http://uk.reuters.com/article/2014/12/30/nuclear-southkorea-cybersecurity-idUKL3N0UE1A320141230
[6] http://www.itbusinessedge.com/slideshows/five-hard-truths-about-critical-infrastructure-protection.html