Recently, the Department of Homeland Security (DHS) and the FBI released a joint report confirming that hackers targeted Wolf Creek Nuclear power plant, along with other energy and manufacturing facilities. The report came with an amber warning, the government’s second highest rating of threat urgency.
The story received wide media coverage, and a quick review of headlines like – “Hackers Have Been Targeting US Nukes” – reveals the overly-alarmist tones so common to cybersecurity. FUD – Fear, Uncertainty and Doubt – is far too common when it comes to cybersecurity news and cybersecurity vendor marketing material.
It is important to communicate some key facts that put the risks of these attacks in perspective. Most importantly, these attacks targeted corporate networks, and not the separate and much more sensitive plant operations or industrial control networks.
The joint DHS and FBI report stated plainly that there is “no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.” However, for the average reader, these stories may indeed bring a feeling of vulnerability and fears of impending danger – especially with the implication that “Russian government hackers” are responsible for the attacks throwing topical gasoline onto the fire.
The public deserves a more comprehensive understanding of the risks to industrial control systems (ICS) used for critical infrastructure like power plants, and especially nuclear facilities, across the United States. In that interest, here are some facts that should help to shed more light on the reality of this situation.
Let’s begin with the scary part. Industrial control systems include computers that are attached to physical components within industrial operations. They may be responsible for tasks such as opening and closing key valves or flipping switches at critical moments, and anything that connects to the internet can (potentially) be hacked.
Most systems, including ICS, do have some level of connectivity. Furthermore, ICS often utilize older technology and are much more difficult to update and protect than the average laptop or computer. The potential vulnerability is frightening because ICS oversee so much of the infrastructure we rely upon in our daily lives, such as power plants, but also elevators, traffic lights, railroads and much more.
Look anywhere in the modern world and you’ll see systems controlled by ICS that you would never want hackers to be able to interfere with. Of course wherever the word “nuclear” is involved, the stakes become much greater.
Now for the good news. ICS are in no way helpless against attacks – in fact, ICS are often attached to physical systems with the most robust human oversight. When imagining a scenario where a nuclear power plant is hacked in an effort to cause destruction, you must also imagine the number of personnel and procedures in place to oversee operations and ensure safety. These same precautions are present within any system involving critical infrastructure: railroads, traffic lights, etc. As scary as the prospect of these systems being hacked can be, this is not a new threat.
The organizations responsible are aware of and actively working to manage these risks and protect the public. The truth is that there are already excellent processes and diligent professionals that have kept us safe, and they will continue working to keep us safe. Considering these effective safeguards and robust abilities to mitigate risk, it makes sense to take a measured outlook when assessing hacking threats.
Another key factor to consider in risk assessment is the apparent goal that the hackers involved are trying to accomplish. Comparisons abound between these recent hacking efforts and the famous 2010 Stuxnet attack targeting Iranian nuclear facilities. Both involved attacks on sensitive nuclear facilities; however, that’s about where the similarities end.
Stuxnet was by no means a standard hacking attack – it was perhaps the most sophisticated piece of malicious software ever written. The fact that it successfully reached the ICS it targeted, forced those systems to behave abnormally, and caused issues with the centrifuges on-site was as much due to physical activity on the ground and alleged nation-state level espionage techniques as it was to software. Stuxnet appears to have involved a highly coordinated multi-vector attack, with a very specific outcome in mind.
In contrast, the attacks on Wolf Creek appear to be simpler probing activity, with the modest goal of gathering information. While the Wolf Creek attacks could be a precursor to further incidents, there is no evidence to indicate a threat anywhere near the magnitude of Stuxnet. What the Stuxnet example does illustrate is that, while it’s very difficult for hackers to gain command and control over sensitive infrastructure, full command and control isn’t required to create significant mayhem.
As we look to bring context to cyber-attacks, the threat of severe weather makes for a useful metaphor. Cyber-attacks will happen, the same way tornadoes, earthquakes, and snowstorms happen. Our infrastructure can be (and to a degree already is) designed to anticipate these events, detect when they’re happening, and respond effectively. To date, our track record is strong, and just as weather detection and response improve with technology, critical infrastructure companies are making new investments in safety and security processes to improve protections against hacking.
At the same time, assessments and policy work at the government level are helping to implement and enforce best practices and standards in the name of protecting critical infrastructure. This presents the industry with the opportunity to show leadership in demonstrating how hacking risks should be prepared for and responded to.
The attacks on Wolf Creek represent a positive example of response to a cyber-attack. Security teams detected malicious activity and initiated the appropriate response. The company then engaged the right agencies and notified the public. That’s an example to be followed. Rather than play upon the public’s fears and victim-shame those that experience attacks, all involved ought to celebrate what was done right, and take lessons from the incident that will bolster defenses for next time.
Bottom line: cyber-attacks on sensitive infrastructure are frightening, but fear cannot and should not shape our response. Strong protections are in place, and our common responsibility is to help make them even stronger.