Cybersecurity in Nuclear Facilities

Colleen Dai
May 28, 2018

Submitted as coursework for PH241, Stanford University, Winter 2018

Introduction

Fig. 1: The Siemens Simatic S7-300, one of the systems Stuxnet could exploit. (Source: Wikimedia Commons)

In 2010, computer scientists were wary of a new worm inching its way across the Internet - a complex piece of code that infected thousands of computers in approximately 115 countries. [1] Unlike other computer worms, it did not proliferate rapidly without limit; instead, it targeted a specific type of software - SCADA control software, which allows organizations to control industrial processes remotely. The worm also targeted Siemens products, such as the one shown in Fig. 1. In fact, it would become inactive if it did not find this type of software, and it even possessed a self-destruct mechanism. It was clear the worm had a target - and danger loomed as the worm slowly found its way towards its goal. The worm infiltrated the Natanz uranium enrichment facility in Iran, shutting down centrifuges quietly but efficiently and leaving barely any trace of evidence. The centrifuges broke down or spun out of control and exploded, but the Iranian scientists had no idea they were under attack - and the sabotage continued for nearly a year. This worm, later named "Stuxnet", would soon be labeled the first cybersecurity weapon. [1]

Stuxnet was not the only program to target nuclear facilities. Korea Hydro and Nuclear Power in South Korea was also hacked, and malware was discovered in a German nuclear plant's systems. With black-hat hacker groups such as the Shadow Brokers and Fancy Bear rising in prominence, it is likely that nuclear facilities will continue to be attacked. As a result, there has been increased examination of how to defend U.S. nuclear facilities from malicious vectors.

Increasing Risk of Cyberattacks on Nuclear Facilities

Due to malicious hacks such as Stuxnet, the government and individual citizens have become much more aware of cyberattacks on nuclear facilities. However, they must act faster than cybercriminals and defend against potentially devastating cyberattacks. Yet a few factors have increased the abilities of hackers to attack nuclear infrastructure, including the growth of Internet usage, the increase of specialized search engines, the propagation of automated vulnerability frameworks and malware, and the expanding market for zero-days.

The growth of Internet usage has led to more individuals delving into black-hat hacking and using it to earn a living. This leads to more malicious vectors and therefore more threats. Furthermore, specialized search engines have increased the visibility of flaws in nuclear facility software; for instance, the search engine Shodan allows individuals to find SCADA systems that are connected to the Internet. [2] The search engine ERIPP also permits users to identify critical infrastructure. Once these targets are identified through search engines like Shodan and ERIPP, hackers can use brute-force attacks to gain administrative access to nuclear facility equipment. The proliferation of malware built on parts of Stuxnet also lets attackers execute successful hacks. Moreover, the online distribution of free automated exploit toolkits such as Metasploit lowers the barrier for hackers and allows them to gain access to nuclear industrial control systems far more easily than before. [2] There is also an increasing number of corporations selling zero-days, or critical vulnerabilities that were previously unknown, to governments and other customers instead of reporting them so the vulnerability can be patched. For instance, the company ReVuln specializes in selling zero-days for SCADA systems. [2]

However, it is not just cybercriminals' abilities to attack nuclear facilities that are growing; vulnerabilities are also growing in nuclear facilities themselves. This is in part due to the increasing use of digital systems, the reduction in redundancy, and the use of off-the-shelf software systems. Digital systems are prone to cyberattacks due to an increase in programmable code; furthermore, digital systems must be configured securely in order to prevent exploits. There is also a reduction in backups; when nuclear plants, built in the 1960-1980s, are updated, fail-safes are often disregarded. The use of off-the-shelf systems also decreases security; off-the-shelf systems are more easily hacked than customized SCADA systems, which are obscure and therefore difficult to exploit. [2]

Securing Nuclear Facilities

Historically, cybersecurity can be portrayed as attack-centric, involving a series of responses to attacks. For instance, firewalls were put in place to defend against attacks across global networks during the rise of the Internet. Furthermore, anti-virus programs were installed as a defense against viruses, trojans, and other malicious attacks. Intrusion-detection systems were later crafted to defend against exploits such as worms. Currently, investment in next-gen firewalls and pen-testing services is necessary to protect against the vulnerabilities hackers typically exploit. This cycle of novel hacks and the resulting quick responses can lead to significant consequences when defending important infrastructure such as nuclear facilities. [3]

In the early 2010s, ensuring security by managing a variety of security products had become so complex that tools called Security Information and Event Management systems were introduced. [3] These tools marked a significant change in the mindset concerning security - hacks became something to be "managed", not stopped. But nuclear facilities do not have this luxury. A hack could result in critical machinery damage, disruption of essential services, and possibly even deaths. [3]

Therefore, nuclear security should concentrate on a new approach - vulnerability-centric security that eliminates vulnerabilities, utilizes deterministic systems, and enhances operations. To successfully remove some possible vulnerabilities, nuclear computer system administrators must remove unnecessary functionality by limiting users to the applications and functions they require, segment software so that programs can access only the computing resources they need, and integrate security functionality into applications - including scanning tools and logging tools. Furthermore, nuclear facilities should only utilize deterministic systems, which do exactly what they need to do. Early control systems were custom-built from hand-wound wires connected to many electrical components. However, these devices were later replaced by microprocessors, which are much more general-purpose and therefore much more hackable. [3] Nuclear facilities should also enhance operations - many nuclear plants use their budgets to purchase attack-detecting security software. Instead, facilities should maintain a significant security team to establish best-practice configurations in critical infrastructure and increase effectiveness, further system reliability, and streamline system management. [3] Other technologies, such as hardware virtualization, application sandboxing, and consistent scanning, are also effective in increasing security, along with "security by design", which involves incorporating cryptography into existing technologies. [2,3]

More long-term recommendations from the Chatham House Report include developing guidelines to measure cybersecurity risk in the nuclear industry, engaging in dialogue with engineers to increase awareness of cybersecurity risks, and establishing rules such as banning personal devices from control rooms and providing a strong password policy. Furthermore, there should be more information sharing amongst nuclear facilities, including exchange of indicators of compromise, involvement in industry conferences, and establishment of national CERTs (Computer Emergency Response Teams) specialized in industrial control systems. Moreover, international policy measures must also be developed further - including encouraging all countries to implement a regulatory approach to cybersecurity. Collaboration with the security community is also significant - nuclear facilities should concentrate on improving the quality of cybersecurity training and promote partnerships with cybersecurity companies. [2]

Conclusion

With the increasing number of technological threats developing in this age, nuclear facilities must find a way to secure critical infrastructure so that hacks such as Stuxnet and the attack on South Korea do not occur again. To protect nuclear facilities, a focus on vulnerability-centric defense is recommended, along with the development of guidelines both to measure security risk in the nuclear industry and to increase awareness of these threats.

© Colleen Dai. The author warrants that the work is the author's own and that Stanford University provided no input other than typesetting and referencing guidelines. The author grants permission to copy, distribute and display this work in unaltered form, with attribution to the author, for noncommercial purposes only. All other rights, including commercial rights, are reserved to the author.

References

[1] P. W. Singer, "Stuxnet and Its Hidden Lessons on the Ethics of Cyberweapons," Case W. Res. J. Int'l. Law, 47, 79 (2015).

[2] C. Baylon, R. Brunt, and D. Livingstone, Cyber Security at Civil Nuclear Facilities: Understanding the Risks (Chatham House, 2016).

[3] R. Elmore and B. Fearey, "Examination of the United States Nuclear Industry Approach to Critical Infrastructure Protection: Applicability to improved industry-Wide Network Cyber Security," in Proc. of the 10th Intl Conf. on Cyber Warfare and Security, ICCWS-2015, ed. by J. Zaaiman and L. Leenen (Academic Conferences and Publishing Intl. Ltd, 2015), p. 86.