The head of an international nuclear energy consortium said this week that a cyber attack caused a “disruption” at a nuclear power plant at some point during the last several years.
Yukiya Amano, the head of the International Atomic Energy Agency (IAEA) didn’t go into detail about the attack, but warned about the potential of future attacks, stressing on Monday that the idea of cyber attacks that impact nuclear infrastructure isn’t an “imaginary risk.’
“This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything, or if it’s the tip of the iceberg,” Amano told reporters in Germany.
Amano refused to disclose much about the attack, electing not to say where or when it happened, but said it managed to disrupt day-to-day operations at the plant. While it wasn’t forced offline, the facility had to take what he called “precautionary measures” to mitigate the attack.
It’s unclear whether Amano will ever disclose which power plant was affected, or when the attack happened. He told Reuters it occurred “two to three years ago,” and declined to get further into the incident, which was previously unknown.
Dewan Chowdhury, the founder and CEO of MalCrawler, a service that protects ICS and SCADA systems from malware, said that since there’s so little information around the attack, it’s too early to pinpoint exactly what happened.
“It could be ransomware, malware, a targeted attack; it’s anyone’s guess what it could be,” Chowdhury said.
Chowdhury said he hoped the IAEA’s confirmation of an attack, even if it was years ago, would help generate awareness around cybersecurity and nuclear issues in the future. That said, he wasn’t surprised with Amano’s statement.
“It’s not a surprise that it’s happening,” Chowdhury said of the disruption. “Personally, I think people aren’t disclosing it. It’s probably happening more than people think.”
Chowdhury pointed out high numbers in the Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) annual Year in Review reports, which regularly breaks down the most targeted critical infrastructure sectors. In 2015, the government organization responded to 295 incidents; the second highest number of incidents by sector, 46, pertained to energy
Chowdhury also said the lack of independent agencies aboard, comparable to the United States’ Nuclear Regulatory Commission, could be contributing to a diminished number of attack disclosures.
“If the attack had happened in the U.S., the plant would’ve had to report it to a regulatory board,” Chowdhury said, “Overseas, this could be happening all the time but are they forced to tell the world? Tell the governing body of some agency?”
“There’s the issue, there’s no transparency when it comes to a lot of this stuff, especially when it comes to nuclear cooperatives overseas,” Chowdhury said.
Michael Toecker, the head of Context Industrial Security, a consulting firm that specializes in the cyber security of industrial control systems, said it’s unlikely that the IAEA was talking about a new event. He said that more than likely it was an event previously made public that was “run of the mill and handled by plant personnel.”
Whatever the case, Toecker warned that the IAEA’s statement should be taken with a grain of salt.
“Nuclear is a nice boogeyman to pair with the cyber boogeyman, and it’s very easy to build up a run of the mill virus into an ‘attack’, especially when you give a nice teaser and no substance,” Toecker said, “The public should be wary of individuals who engage in this practice.”
It took a few months but ICS-CERT officially confirmed in February there was a connection between BlackEnergy malware and an outage in Ukraine last December. Attackers obtained legitimate credentials for three regional electric power distribution companies in Ukraine via BlackEnergy-laden phishing emails as a vector. They went on to knock roughly 225,000 customers on the power grid offline.
Chatham House, a London-based independent policy institute, warned last fall, prior to the Ukraine incident, that the risk around nuclear infrastructure cyber attacks was growing. In a 52-page report, the think tank cautioned that the proliferation of supply chain vulnerabilities, paired with a lack of training in the industry, could lead to an attack sooner than later.
Amano claims the IAEA, a nuclear energy watchdog formed by the United Nations in the 1950s, is providing employees with cybersecurity training with radiation detection devices, and a specialized database that includes nuclear information from 131 countries to better educate its workers.
The agency held a summit around cybersecurity, the International Conference on Cyber Security in a Nuclear World, in Vienna, in June 2015, to foster dialogue and discuss challenges related to in the industry. Amano told reporters on Monday that he plans to make it a primary topic at another summit, the International Conference on Nuclear Security: Commitments and Actions, slated for December.