There are three publicly known attacks against nuclear plants:
- Monju NPP (Japan 2014)
- Korea Hydro and Nuclear Power plant (S.Korea 2014)
- Gundremmingen NPP (Germany 2016).
According to the head of the United Nations nuclear watchdog, the International Atomic Energy Agency (IAEA) Director Yukiya Amano, a nuclear power plant in Germany was hit by a “disruptive” cyber attack two to three years ago.Fortunately, the damages caused by the cyber attack on the German nuclear plant did not force the operators to shut down its processes but urged the adoption of additional precautionary measures
.
http://www.telegraph.co.uk/news/2016/04/27/cyber-attackers-hack-german-nuclear-plant/
Hacking and disrupting nuclear plants is a huge issue. I remember there was a virus called “Stuxnet” that disrupted Iranian nuclear ambitions. It turns out that virus was created by America and Israel. One of the fears with using the virus was the possibility of it getting out and being used on other nuclear facilities. This might be the same type of attack.
As you mentioned about the virus I will illustarte regarding the virus spread in nuclear facility in Germany
The viruses were “W32.Ramnit” and “Conficker” which were discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualisation software associated with equipment for moving nuclear fuel rods
W32.Ramnit is designed to steal files from infected computers and targets Microsoft Windows software
Conficker is able to spread through networks and by copying itself onto removable data drives
That is not good news. Luckily it was a “disruptive” attack instead of a “destructive” attack. Hacking nuclear plants can endanger a whole country. Hopefully they are taking the steps to secure their infrastructure to protect them from hackers.
Critical infrastructure protection (or lack there of) really requires some drastic improvements across the globe. Many of the power plants across the globe (including US) are run by antiquated SCADA systems that were not built with security in mind. They are non-current, End-of-Life/End-of-Support and cannot be patched for security vulnerabilities.
Additionally, most of the regulations (e;g. NERC-CIP) are self-attestation as opposed to PCI-DSS which requires an independent QSA to perform an annual review. Self-attestations are not sufficient in assessing security. Employees are sometimes reluctant to self-declare security issues because they are afraid they will be blamed or will be required to put in extra work to fix security flaws. I would recommend more independent reviews of our critical infrastructure.
Vaibhav, this is a great article. It is disturbing the lack of security nuclear sites around the world have. I was watching a news story that focused on the United States Nuclear missile sites, and showed the lack of both physical security and the out-dated technology that was being using to safeguard these sites. To think that hackers could potentially cause a nuclear disaster is a scary thought. A topic that is always brushed over in the presidential debate is cyber security, and both candidates don’t seem to stress the importance of it, especially in instances such as this in Germany.