Hackers have been able to breach 'administrative and business networks' of nuclear power plants in the United States, the FBI and the Department of Homeland Security have confirmed.
While networks running nuclear power plant operations were not hit, the cyber-attacks have been accorded the second-highest threat rating by authorities.
A joint investigation conducted by the Federal Bureau of Investigation and the Department of Homeland Security has confirmed that computer networks of several nuclear power plants, manufacturing plants, and some energy facilities have been penetrated by hackers via sustained phishing attacks since May.
Energy firms are 'significantly concerned' about cyber risks
According to The New York Times, while hackers were able to breach corporate networks of the Wolf Creek Nuclear Operating Corporation located in Burlington, Kansas, they could not breach critical networks as they were separated from the Internet as well as corporate networks.
“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” said a spokesman for the Department of Homeland Security.
Since investigators have not been able to analyse any malware injected by hackers into corporate networks of critical infrastructure firms, the real motives of such hackers is not clear at the moment. The objective of the hackers could either be to steal critical technologies or to cause widespread destruction.
None of the 99 electric utilities that operate nuclear plants in the United States have so far reported that their operations were affected by the latest string of cyber-attacks, said John Keeley, a spokesman for the Nuclear Energy Institute to The New York Times.
The rise and rise of infrastructure-focussed malware
The report further claims that hackers specifically targeted industrial control engineers who have direct access to critical industrial systems with phishing emails. If damaged or altered, these systems could cause 'an explosion, fire or a spill of dangerous material'.
The phishing attacks came in the form of fake CVs for industrial control engineering jobs. These CVs were Microsoft Word documents and contained malicious malware that could be used to steal credentials of industrial control engineers and to control industrial networks.
Aside from phishing attacks, hackers also employed other means to gain access to industrial control systems in nuclear power plants. They either compromised websites frequently visited by engineers or redirected their victims’ internet traffic through their own machines.
Enterprise decision makers treat cyber-security as a finite problem that can be solved, reveal experts
These attacks on employees suggests that hackers have been frequently targeting end users with infected email attachments, says Fraser Kyne, EMEA CTO at Bromium. But the latter cannot be blamed as they cannot question every action that they take on a PC. In such a scenario, Kyne suggests that there should be 'a new way of thinking about cybersecurity on the whole as current defences are not up to the task.'
"We can’t continue to expect users to be the last line of defence. By isolating tasks with virtualisation-based security you can effectively nip such attacks in the bud and take the onus and responsibility for security away from the user,” he added.
According to Paul Edon, Director at Tripwire, any business that has an industrial control system footprint should review available ICS Cyber Security Frameworks like “NIST Guide to Industrial Control Systems (ICS) Security” or “CPNI - Security for Industrial Control Systems Framework”.
"This will assist organisations to better understand the challenges, requirements, and responsibilities with regards to Governance, Business Risk, Managing ICS Life Cycle, Education and Skills, Security Improvements, Vulnerability Management, Third Party Risk, and Response Capability," he said.
Source: The New York Times