Five years ago Iran’s nuclear complex was breached by a computer virus. Stuxnet, a sophisticated and complex piece of malware that targeted operation of Iran’s uranium enrichment centrifuges, was the first cyber-weapon to be publicly disclosed.
Reports in spring 2015 claimed that a virus similar to Stuxnet was created to attack North Korea’s nuclear programme. This version was designed to activate once it encountered Korean-language settings on machines with the right configuration. It failed because the attackers were unable to get the virus onto machines in Pyongyang’s nuclear complex.
In December 2014 the computer systems of South Korea’s nuclear plant operator, Korea Hydro & Nuclear Power Company (KHNP), were hacked and information was stolen. The attacks, over five days, included 5986 phishing emails containing malicious code sent to over 3500 employees. KHNP claims that operations were not compromised, as the material taken was in the public domain, and none of the control systems were affected.
Investigations into Internet addresses used in the hacking led South Korea to blame North Korea, although Pyongyang denied any involvement. The Seoul central prosecutors’ office claimed that the codes used for the hacking had the same composition and working methods as the Kimsuky campaign previously used by North Korean hackers.
Cyber attacks increasing
The volume and sophistication of cyber incidents are increasing. A cyber incident is not necessarily an attack from outside: unintentional internal events may occur, when people make mistakes or take shortcuts. Surveys find that around a third of apparent attacks are from outside, and about 80 per cent of the total are unintentional. Nonetheless, attacks and attackers are increasing as more people and organisations acquire the capacity to do harm.
The scope and volume of cyber incidents have raised global concerns over vulnerabilities and the possibility of a cyber attack on its own or in combination with a physical attack.
In June 2015 the IAEA called for an international response to tackle the global threat posed by cyber attacks against nuclear facilities. Speaking at its first International Conference on Computer Security in a Nuclear World, IAEA director general Yukiya Amano said, "Terrorists and other criminals operate international networks and could strike anywhere, so the response must also be international."
He pointed out: "Last year alone, there were cases of random malware-based attacks at nuclear power plants, and of such facilities being specifically targeted."
Improving cyber security
Awareness of fundamental cyber threats has increased as the potential for attack has evolved, from criminal attacks for economic gain to threats to critical national infrastructure (CNI).
Organisations generally adopt a risk management approach to security. But applying this to cyber security is more difficult, as no good public data set exists to show the prevalence of system compromise, the attackers’ identities and their motivation.
In 2014 the German Federal Office for Information Technology made public a cyber attack on an unnamed German steel mill. A phishing email compromised the organisation’s information networks. The design of the network interconnected the control systems and the enterprise networks, which allowed the attackers to access the plant control system. Control components and production machines suffered outages that prevented the plant from appropriately shutting down a blast furnace, which had a catastrophic effect.
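The steel mill case turns on a single design fact: the enterprise network and the control network were directly interconnected, so a foothold gained through a phishing email on the office side became a path to the plant. The script below is an added example, not code from this article or from any organisation it mentions. It models that flat layout beside a segmented one with an intermediate DMZ, computes which zones an attacker who has compromised an enterprise host can reach by following permitted flows, and flags any flow that jumps straight across a trust boundary. The zone names, trust levels and permitted flows are constructed assumptions for illustration.

```python
"""Zone reachability check for a flat versus a segmented plant network.

Added example with constructed data; zone names, trust ordering and the
permitted flows are assumptions, not a description of any real site.
"""
from collections import deque

# Assumed trust ordering of zones, lowest trust first.
TRUST = {"internet": 0, "enterprise": 1, "dmz": 2, "control": 3, "plc": 4}

# Flat design: the enterprise LAN is routed straight into the control network,
# as described for the steel mill.
FLAT_FLOWS = {
    "internet": {"enterprise"},
    "enterprise": {"control", "internet"},
    "control": {"plc", "enterprise"},
    "plc": set(),
}

# Segmented design: enterprise hosts may only talk to a DMZ; the DMZ pushes
# data outward to the enterprise; the control zone pulls from the DMZ and
# never accepts connections originated on the enterprise side.
SEGMENTED_FLOWS = {
    "internet": {"enterprise"},
    "enterprise": {"dmz", "internet"},
    "dmz": {"enterprise"},
    "control": {"dmz", "plc"},
    "plc": set(),
}


def reachable_zones(flows, start):
    """Zones reachable from `start` by following permitted flows (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(flows.get(zone, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_path(flows, start, goal):
    """One hop-by-hop route from `start` to `goal`, or None if no route exists.

    Useful for showing plant engineers exactly which permitted flows chain
    together into an exposure.
    """
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == goal:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in sorted(flows.get(zone, ())):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def control_exposed(flows, entry="enterprise"):
    """True if a foothold in `entry` can pivot into the control or PLC zone."""
    return bool(reachable_zones(flows, entry) & {"control", "plc"})


def skipped_boundaries(flows):
    """Permitted flows that climb more than one trust level in a single hop,
    i.e. bypass the intermediate zone that should mediate them."""
    bad = []
    for src, dsts in flows.items():
        for dst in sorted(dsts):
            if TRUST[dst] - TRUST[src] > 1:
                bad.append((src, dst))
    return sorted(bad)


if __name__ == "__main__":
    for name, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        print(name,
              "| control exposed:", control_exposed(flows),
              "| path enterprise->plc:", find_path(flows, "enterprise", "plc"),
              "| boundary-skipping flows:", skipped_boundaries(flows))
```

Run stand-alone, the flat model reports the control zone as exposed via the route enterprise, control, plc and lists the enterprise-to-control flow as a skipped boundary; the segmented model reports no exposure and no skipped boundary. The same reachability check can be fed from an exported firewall rule set instead of the hand-written dictionaries, which turns a one-off audit into a check that runs on every rule change.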
Dr Daniel Prince, associate director at Security Lancaster, a centre for research into security issues at Lancaster University, says vulnerabilities in control system software are being investigated: "It comes down to architecture and design. In collaboration with a range of businesses we undertake a considerable amount of research work looking at the architecture of enterprise and industrial control systems and how you manage the risk across them, how those systems interact with the people using them and where the security vulnerabilities might emerge, such as clicking links or accidentally doing something, leading to security breaches that could then damage a plant or control systems."
Prince says threats evolve quickly, so "you have to be at the cutting edge in terms of threat awareness." The best way to stay ahead is to be aware of the attackers’ motivations and why your organisation may be a potential target. That gives you an indication of their techniques and how they might go after you. International collaboration with intelligence services, governments, telecommunication agencies and police is required.
Prince says: "Stuxnet was an eye opener: that people are going to go after control systems in those specific ways. We need to be constantly vigilant with clear well thought-out processes for when we discover attacks and how we fix those problems." That means taking a threat intelligence point of view, developing an understanding of the types of threat agents and looking at the threat elements they deploy.
"Ultimately you need to think like an attacker so you can defend against that."
Staying ahead of attackers is difficult. Defenders have to wait for attacks, be able to observe them and respond, and provide protection in future. Prince says the best way to stay ahead is to engage stakeholders and share information, for example through the Cyber Information Sharing Partnership. "An organisation cannot rely on waiting to see what attacks its own digital estate; if it does it will always be one step behind the attackers. It’s an arms race and we need to work collaboratively to stay ahead of what the bad guys are doing on our networks."