Vaibhav Shukla

Hacking and disrupting nuclear plants is a huge issue. I remember there was a virus called “Stuxnet” that disrupted Iranian nuclear ambitions. It turns out that virus was created by America and Israel. One of the fears with using the virus was the possibility of it getting out and being used on other nuclear facilities. This might be the same type of attack.

As you mentioned about the virus I will illustarte regarding the virus spread in nuclear facility in Germany
The viruses were “W32.Ramnit” and “Conficker” which were discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualisation software associated with equipment for moving nuclear fuel rods
W32.Ramnit is designed to steal files from infected computers and targets Microsoft Windows software

Conficker is able to spread through networks and by copying itself onto removable data drives

That is not good news. Luckily it was a “disruptive” attack instead of a “destructive” attack. Hacking nuclear plants can endanger a whole country. Hopefully they are taking the steps to secure their infrastructure to protect them from hackers.

Critical infrastructure protection (or lack there of) really requires some drastic improvements across the globe. Many of the power plants across the globe (including US) are run by antiquated SCADA systems that were not built with security in mind. They are non-current, End-of-Life/End-of-Support and cannot be patched for security vulnerabilities.

Additionally, most of the regulations (e;g. NERC-CIP) are self-attestation as opposed to PCI-DSS which requires an independent QSA to perform an annual review. Self-attestations are not sufficient in assessing security. Employees are sometimes reluctant to self-declare security issues because they are afraid they will be blamed or will be required to put in extra work to fix security flaws. I would recommend more independent reviews of our critical infrastructure.

Vaibhav, this is a great article. It is disturbing the lack of security nuclear sites around the world have. I was watching a news story that focused on the United States Nuclear missile sites, and showed the lack of both physical security and the out-dated technology that was being using to safeguard these sites. To think that hackers could potentially cause a nuclear disaster is a scary thought. A topic that is always brushed over in the presidential debate is cyber security, and both candidates don’t seem to stress the importance of it, especially in instances such as this in Germany.

Thanks for sharing Vaibhav. The greatest way to prevent these scams from being successful is public awareness. Unfortunately, the victims of these scams probably are novice users of the Internet and are not aware of these types of scams. There was a post last week about a crackdown on one of the payment processors for these types of scammers (i.e. PacNet). Disrupting the financial path, is another important step in cracking down on mail/e-mail fraud attempts to solicit payments from victims. I hope the crackdown on PacNet also exposes the scammers that use these services to victimize honest citizens that are just trying to do the right thing.

Yeah correctly said the public awareness is one of the method to prevent such scams.It is often seen that when origin of mails are tracked they come out as some hackers group based outside country.

Like you Jason, public awareness is one of the method to prevent these scams. Unfortunately, these scams are uses highly sophisticated social engineering techniques that can make people feel overwhelmed and obliged to comply. Some of the things that I tell people is never to provide payment information or Social security number over the phone, unless they can provide you a call back number, which you can validate on the institutions website and call the institution yourself.

Nice work. I especially liked the follow-up with looking for User IDs.

I’m not sure what the Cybersecurity posture was for the 200 firms that DFS interviewed, but it seems that the “Proposed Regulation” is trying to catch up to current industry standard and practices. Financial institutions have always been and is the largest target for cyber crimes. Instead of implementing they should be refining their security controls and policies to evolve with the threats.

To be honest, I would be worried if a financial institution did not have these controls in place already. Why is this just now mandatory? Things like: Establishing a cyber security program and policy, conduct assessments and pen testing, and establish written incident response plan as stated in the article should already exist. If I was a CEO of a financial institution that did not already have these in place, I would start working on it immediately, as this “proposed” regulation should been passed years ago.

Vaibhav,
This is a very interesting article and also very eye-opening. It is almost disturbing that the DFS is now proposing new regulations on cyber security requirements for banks, insurance companies, and other financial service institutions. These practices are almost standard in the technology industry. Without these recommended regulations in place, it would be almost impossible to pass an IT audit.

Have to agree with other commenters. Seems like to little, to late.

Wade