Protecting Against Critical Infrastructure Attacks: Nuclear and Otherwise

March 2, 2015
High impact targets must use the same authentication security measures and transparency required of other industries

The Nuclear Regulatory Commission (NRC) was recently the target of three separate breaches. Why is this important? Created by Congress, the NRC regulates commercial nuclear power plants and other uses of nuclear materials, such as nuclear medicine. It regulates three major areas:

  • Reactors - Commercial reactors that generate electric power, as well as reactors used for research, testing and training
  • Materials - The use of nuclear materials in medical, industrial and academic institutions, as well as facilities that produce nuclear fuel
  • Waste - Transportation, storage and disposal of nuclear materials and waste, as well as decommissioning nuclear facilities when they go out of service

The NRC maintains databases describing the locations and conditions of nuclear reactors. Yet despite being the central repository of regulatory information about the nation's nuclear facilities, it was breached by unsophisticated methods. Over the past three years it has fallen victim to two separate phishing campaigns attributed to foreign states and a third, unattributed attack that distributed malware through an employee's email account.

An open-records request revealed that the first phishing attempt targeted 215 NRC employees with an email containing a fake link to "verify" their user accounts; the link instead led to a Google spreadsheet. Twelve employees fell for the ruse.

The second phishing email contained a link to a Microsoft SkyDrive (now called OneDrive) storage site hosting malware. The third attack, launched from a compromised employee account, sent malicious PDF attachments that used JavaScript exploits to 16 of that employee's contacts.

In an intelligence report from Mandiant profiling the Chinese group designated Advanced Persistent Threat 1 (APT1), researchers showed how the attackers disguised executable attachments as benign PDFs. By inserting more than a hundred spaces between the visible ".pdf" and the real ".exe" extension, they pushed the executable extension out of view in file listings and email clients (Windows Explorer also hides known extensions by default), and they gave the file an Adobe Reader icon so that nothing about its appearance suggested a program. The name and icon are attacker-controlled; only the file's contents are not.
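The disguise described above can be caught mechanically, because the real extension, the visible extension and the file's leading bytes have to agree for a genuine document. The following is an added example (not code from the original post, from Duo, or from the Mandiant report) of a mail-gateway style check: it recovers the extension a user would see, the extension the operating system will act on, and the type implied by the file's magic bytes, and reports any disagreement. The sample attachment names and headers are constructed for the example, not real captures.

```python
"""Flag attachments that disguise an executable as a PDF.

Added example; uses only the Python standard library. It checks the two tricks
the text describes: padding the filename with whitespace so the real extension
is pushed out of view, and dressing an executable up as a document.
"""
import os
import re

# Extensions Windows will execute when double-clicked (a representative set).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".hta", ".js", ".vbs", ".lnk"}

# File types recognisable from their leading bytes (magic numbers).
MAGIC = ((b"%PDF", "pdf"), (b"MZ", "pe"))

# What the visible extension claims the content should be.
EXPECTED_KIND = {".pdf": "pdf", ".exe": "pe", ".scr": "pe", ".com": "pe"}

# Characters that render as blank space in a filename column (ASCII space,
# no-break space, en/em space, ideographic space).
_PAD = "[ \u00a0\u2002\u2003\u3000]"


def real_extension(filename: str) -> str:
    """The extension the OS acts on: whatever follows the last dot."""
    return os.path.splitext(filename.strip())[1].lower()


def apparent_extension(filename: str, min_pad: int = 8) -> str:
    """The extension a user sees: the first '.xxx' token followed by a long run
    of whitespace. Without padding it is the same as the real extension."""
    pattern = r"(\.[A-Za-z0-9]{1,5})" + _PAD + "{%d,}" % min_pad
    m = re.search(pattern, filename)
    return m.group(1).lower() if m else real_extension(filename)


def sniff(head: bytes) -> str:
    """Classify the content from its leading bytes, ignoring name and icon."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def analyze(filename: str, head: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    shown, real = apparent_extension(filename), real_extension(filename)
    if shown != real:
        findings.append(f"name padded: shows {shown!r}, real extension is {real!r}")
    if real in EXECUTABLE_EXTS:
        findings.append(f"executable extension {real!r}")
    kind = sniff(head)
    want = EXPECTED_KIND.get(shown)
    if kind != "unknown" and want is not None and want != kind:
        findings.append(f"content is {kind} but name claims {shown!r}")
    return findings


# Constructed sample attachments for the example (filename, first bytes).
SAMPLES = {
    "benign": ("Q4_safety_report.pdf", b"%PDF-1.4\n"),
    "padded": ("Q4_safety_report.PDF" + " " * 120 + ".exe", b"MZ\x90\x00\x03\x00"),
    "double_ext": ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),
}

if __name__ == "__main__":
    for label, (name, head) in SAMPLES.items():
        print(label, "->", analyze(name, head) or "clean")
```

The magic-byte check is the one that survives renaming: a PE file starts with `MZ` whatever it is called, so a gateway that sniffs content rather than trusting the name rejects the APT1 attachment even if the padding trick is varied.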

 Other Critical Infrastructure at Risk

 A survey of critical infrastructure companies worldwide, including utility, oil and gas, alternate energy and manufacturing organizations, found that 70 percent had suffered a security breach in the past year, according to the Ponemon Institute report commissioned by Unisys, Critical Infrastructure: Security Preparedness and Maturity.

The report also found that 40 percent of organizations had only partially implemented employee security-awareness training, and another 17 percent had not implemented training at all. The data perceived as most susceptible to loss was found in applications (35 percent) and databases (34 percent), making remote access to either the clear target for attackers.

Most Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA) systems were not built with security in mind; connecting them to corporate networks and other IT systems exposed a wide range of vulnerabilities that their original, isolated deployments never faced. Once IT credentials are compromised, escalating privileges to reach the OT systems is easier precisely because the two environments are connected.

In 2012, an attack against the oil company Saudi Aramco compromised 30,000 computers (about 75 percent of the company's machines) with the Shamoon malware, delivered through a phishing attack, and prompted the company to shut down its internal network for a week. Aimed at disrupting oil and gas production, the attack shows how successful a low-tech attack like phishing can be when targeted at unsuspecting employees.

 Authentication Security to Protect Critical Infrastructure

Although an NRC spokesman said that every NRC employee undergoes security awareness training to guard against phishing and other low-tech social engineering attacks, relying on human behavior alone to protect the nuclear regulator is not a fail-safe plan: the first attack above shows that 12 of 215 trained employees still clicked.

 As the critical infrastructure report recommended, deploying better authentication for applications and users is one way to combat remote attacks, with a call for “strictly enforced user credentials” to protect existing network segmentation.

One of the basic security controls mandated by many industry compliance standards is two-factor authentication. If the healthcare and retail industries require two-factor, why shouldn't the critical infrastructure industry? Any VPN or cloud-based login should be protected by two-factor authentication, so that a phished password alone is not enough to get in.

Aside from strengthening authentication, transparency about attacks and insight into their details can only raise awareness of information security issues. Government agencies are not required to publicly disclose breaches unless personal information has been exposed. That rule does not account for breaches that may have exposed sensitive information about nuclear power plants or other critical infrastructure.

 By employing the same authentication security measures and transparency required of other industries, critical infrastructure companies can effectively protect themselves and consumers from potential remote attacks.

 About Thu Pham

Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo Security, Pham covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.