Can Nuclear Power Plants Be Hacked?

Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, speaks to Sr. Producer Nate Nelson about the cybersecurity of Nuclear facilities. How protected are modern nuclear power plants?

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Nate Nelson

Sr. Producer

Host of 'The Industrial Security Podcast', and 'Pivoting to Blockchain' podcast. Producer of 'The Adventurous Teacher' podcast. Contributor to 'Curious Minds', 'Waterline' and 'Making History' podcasts.

Special Guest

Andrew Ginter

VP Industrial Security at Waterfall Security Solutions

Andrew Ginter is the VP Industrial Security at Waterfall Security Solutions, a co-host of the Industrial Security Podcast and the author of two books on OT security. At Waterfall Andrew leads a team of experts responsible for industrial cyber-security research, contributions to standards and regulations, and security architecture recommendations for industrial sites.

Episode Transcript:

Transcription edited by Suki T

[Ran] Hi and welcome to Cybereason’s Malicious Life, I’m Ran Levi. Today we’ve got a somewhat different episode for you. Instead of talking about ransomware, DDoS attacks, and many other threats that we usually cover in Malicious Life, we’ll turn our attention to the world of industrial cyber security and a potentially much more dangerous threat, hacking into the control systems of a nuclear power plant. It is a risk that oddly does not receive its fair share of attention compared to the daily headlines about data breaches to multinational organizations. Perhaps because most of us have no idea about the inner workings of a nuclear facility, the systems that control its functions and their potential weaknesses. So in this episode, we’ll hear an interview with Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, by Nate Nelson, our senior producer. We had Andrew on our show several times in the past, since he is a fantastic and insightful expert in that relatively unknown branch of cyber security. As some of you might already know, Andrew and Nate are also the hosts of our, you might say, sister podcast, the Industrial Security Podcast, which is a bi-weekly show that focuses on cyber security in industrial facilities such as power plants, petrochemical facilities, even mining and airlines. If you find industrial cyber security interesting, search for the Industrial Security Podcast on all the usual podcasting apps. So, without further ado, here are Nate and Andrew discussing cyber security at nuclear power plants. How protected are modern nuclear facilities? Have there ever been cases of hacked power plants? What are the risks of such a cyber attack? And of course, much, much more. Enjoy.

[Nate] Andrew, if you could start off by briefly introducing yourself.

[Andrew] Sure, Nate. I’m Andrew Ginter, Vice President, Industrial Security at Waterfall Security Solutions. You know, me personally, I spent 20 years developing industrial control systems, you know, IT/OT middleware that connects control systems to enterprise systems. I spent another 10 years developing industrial cyber security products to protect industrial control systems. And I spent the last 10 years at Waterfall Security here, where I work with some of the world’s most secure industrial systems and, you know, look at how to keep them secure.

[Nate] First question, can nuclear facilities be hacked?

[Andrew] That’s a tricky question. I will say generally no. But, you know, it depends. An absolute answer to that is very difficult. The facilities that I’m most familiar with are the Canadian and American nuclear generators. And I can say pretty confidently that they are going to be next to impossible to hack. I am familiar to a lesser degree with facilities elsewhere in the world. You know, there have been reasonably credible reports of issues with cyber security in some of the less developed countries. But I will say that in my best information, you know, North American citizens should rest easy. This is not something they should worry about.

[Nate] Right. Although most of our listeners will have some familiarity with nuclear incidents of the past. I’m thinking Chernobyl. I’m thinking Fukushima. So clearly there’s something to worry about here, right?

[Andrew] There is absolutely. So, you know, these physical processes, when they malfunction, this is a very serious concern. So is there risk? Is there something to protect? Yeah, there’s definitely something to protect. You know, next level of detail at Chernobyl, plant operators were carrying out a very ill-advised test, presumably, you know, at the behest of their political masters, and wound up ignoring and, you know, breaking a lot of policy and procedures, not on the cyber side, just on the safety side, and wound up with the core blowing up and, you know, contaminating a huge swath of land. So, yes, there’s something to be concerned about. Fukushima, similarly, was not a cyber incident. Don’t get me wrong. But it was physically a problem where most of the world’s nuclear generators are what are called second-gen generators, and the second-gen technology, even if you shut down the core, the radioactive core that produces the energy, even if you shut it down, you still have to actively cool the core. And at Fukushima, a tidal wave came in, you know, triggered a shutdown of the core and flooded the backup generators. These are the diesel generators that produce the power to cool the core. Now, the core heated up because there was no cooling at all. The backup, the cooling system had been impaired, and over time, and it took a couple of days, the core got so hot that it basically exploded. You know, there’s more detailed chemical explanations, but it exploded and, again, released toxic amounts of radiation. So there’s certainly something to worry about. This is why we have physical security programs for these sites. This is why we have cyber security programs.

[Nate] So it sounds to me like you’re saying that nuclear facilities are, to some extent, unhackable. But, Andrew, what does that really mean? Are you telling me that there are no computers at all in any nuclear generator? Because I would imagine if there are computers, then there is some way to hack them.

[Andrew] You’re right. Any computer is hackable. Are there no computers in nuclear generators? No, there’s, as far as I know, there’s computers pretty much everywhere. The question is, what do these computers do? And while I said, you know, most of the world’s generators are what are called second-generation generators, that’s kind of where the similarity ends. Every nuclear generator is different and is instrumented differently. So, you know, let me give you sort of a best-case example. Some of the very oldest instrumentation is still what’s called analog. It is switches, it’s dials, it’s cabling. There’s no computers involved. And so, in a sense, that stuff, that analog stuff, is unhackable. I mean, the only way to hack it is to stand there and, you know, switch the cables. Or you’ve got to physically be there to affect the system. Now, you know, that tends to be in place for some of the oldest systems. But even the oldest systems do have computers. What are the computers used for? They’re secondary systems. They’re used to increase the efficiency of operations. They’re used to measure certain things so you can predict when things need maintenance and so on. But they’re not controlling things directly. Or they might be secondary controls. They might be sort of easier to use controls. But if you hack the computers, you still have the analog controls to fall back on, and the analog controls to tell you if something is going wrong. But there are other generators that are configured with sort of computers throughout. They may have analog fail-safes, like overpressure valves. If the pressure in something gets too high, you know, a spring is forced to open and the pressure is released into a containment so that, you know, again, you don’t have radiological release. But the actual control of the reactor might be done by computers. 
And in those sort of newer generation control systems, yeah, the prospect of cyber sabotage is something that has to be taken much more seriously.

[Nate] So is the distinction here a generational thing, as in newer machinery relies more so on digital systems and older machinery on analog systems?

[Andrew] I guess the short answer is yes. But the long answer is always more complicated. Now, as I said, some kinds of safety systems are physical. They’re not even electronic, you know, a spring-loaded valve. And they’re therefore unhackable. Even in the most modern systems, they will use physical safeties wherever it’s practical. And yes, the very oldest systems are analog. But most nuclear generators, like most industrial control systems, they use a mix of ages of technology. When a computer is sort of tightly coupled to a physical process, a device or, you know, a turbine or something, these computers can be very difficult to upgrade. And so you often wind up with a mix of very new equipment and very old equipment in all industrial sites, including nuclear sites. But even the older equipment, cyberwise, has its own problems. Even if there is, in a sense, less reliance on it, because it’s so very old, its vulnerabilities are well known. It may be out of support. You may not be able to get fixes for the vulnerabilities anymore. And so that old stuff tends to be, in a sense, a softer target if an adversary can get anywhere near it, cyberwise.

[Nate] Okay, so we’ve established that digital systems do have a role in nuclear facilities. But something I hear from you often, Andrew, is that anywhere that information can go, so can malicious information. So what constitutes strong security here? How do you ensure that, you know, hacks don’t come through?

[Andrew] You know, the common attack pattern, the modern attack pattern that everybody worries about on the industrial sites, looks like this. You’ve got a bad guy on the internet who has somehow gained control of a computer on the enterprise network, the business network. They might have stolen a password with phishing emails. They might have tricked someone into downloading malware and running it. They might have tricked someone into opening an attachment in an email and running a piece of malware. And that malware would call out to the internet and give the attacker control of the machine that the malware is running on. So somehow they got control of a machine. And now they look around, they steal more passwords. They steal other kinds of sort of technical under-the-hood credentials that Windows uses to authenticate machines. They move around to other machines and they eventually find their way through a firewall into a control network or into an almost control network. And then they repeat the process to get through another layer of firewalls into the real control network. There tends to be a couple of layers of firewalls involved. And once you’re in the control network, you can look around, you can do nasty stuff. You know, the easiest thing you can do is, I don’t know, encrypt a bunch of hard drives and shut everything down. Much nastier stuff is possible. And so, you know, what we observe in North America and, you know, in much of the rest of the world, but I don’t have, you know, my best information is North America. In North America, nobody connects the control network on any kind of nuclear generator to the IT network through one or more layers of firewalls. That’s, you know, given the regulations in North America, it’s almost illegal to do that. In practice, nobody does it. They throw what’s called a unidirectional gateway in between.
This is a device that lets you see what’s happening in the control network so that you can, you know, learn about what’s happening and figure out how to optimize operations, figure out how to reduce costs. This is important, but there’s physically no way to get any information into the network. How does it work? There’s a laser in the equipment in the control network. There’s a short piece of fiber and there’s a photocell in the equipment outside the control network. And so, you can send information. You can beam the laser from inside the control network, send information to the outside, but there’s physically no laser in the receiving circuit board. It cannot send any light back, any signal back into the control network that might cause a malfunction of the control network. And this class of technology, to my best knowledge, in Canada and in the United States is used at 100.0% of nuclear generators. So, there is simply no path for an internet-based attacker to send any message into the control network. You know, any breach you hear about, oh, you know, nuclear generator got hacked, blah, blah, blah, go read that breach very carefully. Everyone that I’ve seen, they hacked the enterprise network. They did not get into the control network. And there’s a reason for that.

[Nate] All right. So, that suffices as an explanation for how you might deal with more conventional online attackers. But of course, there’s always more than one way to skin a cat. How do you deal with a more enterprising hacker, a more motivated hacker who literally shows up in the parking lot of a nuclear facility with an infected USB, a laptop?

[Andrew] So, an offline attack like that, you know, I mentioned that these nuclear generators, they use sort of classic IT and industrial security techniques as well. They do use them. They apply them consistently. They apply them sort of intensely. You know, concrete example, let’s say we had a malicious individual who had deliberately put a nasty on their USB and they want to carry that USB from their hotel room into the control network. How’s that going to work? And, you know, some of this, I’m going by feel. I have only indirect evidence of some of this because I’ve never set foot inside of the control network of a nuclear reactor. I don’t need to be in there. You know, I give advice from the outside. I don’t need to be in there. They don’t let me in there. That’s part of it. You know, mere mortals don’t get into those places. You want to get into that place, A, you know, you’re going to have a background check. You might need a national security clearance. So, these people are going to determine, do you have an ax to grind? They determine not only do you have an ax to grind, they determine, you know, are you vulnerable to coercion? Do you gamble? Do you have debts? Do you have people who can lean on you to do favors for them? Everyone like that is barred from setting foot in these control networks. And so, A, it’s very unlikely that someone like that, that anyone who is trusted to set foot in there is going to be malicious and is going to load anything on their USB. So, that’s the first step. You know, second step is you got to get through physical security. You got to prove that you are who you say you are. And once you get anywhere near the industrial control system, you’re not going to be able to carry a USB through there. They’re going to ask you to empty your pockets, empty your briefcase. You can’t just walk into there. 
And if you have a legitimate reason for carrying information into the control network, for instance, you might be the systems integrator. You might have a new version of the control system on your USB that you have tested in your lab and now you’re carrying into the site. Well, when it’s carried into the site, they’re going to redirect you. You have no business carrying that into the control network. You can carry that into the test bed if you’ve got, you know, the paperwork authorizing you to bring it in there. And when you bring it into the test bed, you don’t carry it through security and plug it into the test bed. It gets dropped into a scanning kiosk, which has got, you know, between usually eight and 12 antivirus engines running on it. You stick the device in, you scan the file or the three files that you need to carry into the test bed for any kind of known malware. And then the files that scan clean, you copy to brand new media. It’s not a USB anymore. USBs have CPUs in them. There’s firmware in those CPUs. The CPUs could be compromised. The USB stick itself, forget the information, the stick itself could be compromised. So you leave the stick behind, you burn the files to a brand new write-once CD that’s sitting in a stack there beside the kiosk. You carry that into the test bed. And then these people, you know, these engineers, they’re going to test this software on their own test bed, thank you, for weeks and months, sometimes years before they trust it to move from that test bed into the production network. And if there’s anything nasty, you know, these test beds are not just instrumented to make sure that the software functions correctly, to make sure that the software functions safely. They’re instrumented to detect any suspicious functionality in the software as well. And so they don’t move anything. And it’s not going to be, you know, the systems integrator that moves it from the test network into the production network.
It’s going to be the plant’s own engineers who do that after they’ve used and tested this thing for a very long time. So nothing is perfect. The goal with cybersecurity here in this scenario and in any scenario is to make cyber attacks with serious consequences, practically impossible, not theoretically impossible. That’s impossible. But to make these things so difficult that in practice, it just doesn’t work. And even the most sophisticated of adversaries really have no hope of messing with the cyber stuff in the most sensitive of the control networks.

[Ad] If you’re a defender fighting cyber attackers, you must be successful every time. They only need to be successful once. Cybereason reverses the attacker’s advantage and cyber attacks from endpoints to everywhere.

[Nate] So in the entire history of the space, have there actually been any hacks of nuclear control computers?

[Andrew] There have been. And, you know, some of the most public ones now, you know, some of the stories, you got to read them carefully. Some of them say, oh, there was a problem at a nuclear reactor with a computer. You know, there was one, I forget when it was, but it was one of the computers in the control network. I mean, these things age and it malfunctioned. And the nature of the malfunction was such that, you know, one of the chips started sending out a message at high speed into the local network. And that caused another computer to malfunction because it couldn’t handle the volume of traffic. And the whole thing, you know, the safeties all kicked in and it shut down. And they said, oh, that was a cyber incident. Well, it wasn’t a hack. It was a mistake. It was a malfunction. It was not that anybody managed to get a nasty past security into the control network. It was a malfunction. Now, you know, have nasties made it into control networks? No, but there are widely publicized reports. So for instance, the 2003 Davis-Besse plant in Ohio, the SQL Slammer worm got into some of the computers, got fairly close to the control network. In fact, I think the report was, this was back, this was 2003, before there was a lot of cyber security around. The systems actually did get into some of the control computers, but this was ’03. The control computers were there sort of as efficiency enhancing computers. The analog backups still controlled the plant. And so even though the control computers went down, you know, plant operations were unaffected because the analog system was unaffected. You know, a more modern example, 2019, the Kudankulam plant in India was breached on its IT network. Nothing got into the control network. Why? You know, I’ve never seen the plant. The news reports basically said it was air gapped. I’m not surprised.
Air gaps make sense, especially in organizations that may not have the capacity to carry out some, you know, more sophisticated types of defenses. 2014, South Korea Hydro and Nuclear. You know, the North Koreans are accused of breaking into the company and stealing employee data on the IT network. Never got into the control network. 2014, there was an attack on a German nuclear plant. It was a cyber attack. It did get into the fuel modeling system. This is an engineering system. It’s a system you use to predict what’s happening to the fuel in your nuclear reactor. It was not the control network. You got to bear in mind, you get what you pay for. Nuclear generators are going to defend their most sensitive networks the most vigorously. That a hacker gets into a less sensitive and a less thoroughly secured network doesn’t mean anything for, you know, how secure the most secure networks are. The fact that you get into the IT network means that the IT network is less thoroughly defended than your control network. This is how it’s supposed to be.

[Nate] All right, Andrew, to finish things up here, what is the bottom line? What should we be taking away from this?

[Andrew] So here, I think, is how I’d sum up. Is there any reason to worry about nuclear generators? Yes, the consequences of malfunction are serious. This is why we have cybersecurity programs. In the world, are there nuclear generators whose cybersecurity we should worry about? Probably. I don’t know. My best information is for North America. I have less information about the rest of the world. I know that some of the rest of the world is very thorough about cybersecurity. The rest of it, I’m not sure of. And there have been reports that are concerning. In North America, in Canada, the United States, the nuclear generators I’m most familiar with, I do not lose sleep about their cybersecurity. And don’t get me wrong, I’m not saying that it’s absolutely impossible to attack these folks. Nothing is ever completely theoretically safe or theoretically secure. Safety and security are a spectrum. We can always be more secure. We can always be less secure. What I’m saying is that a cyber breach, a serious cyber breach of the control systems in these reactors, is not theoretically impossible, but it is practically impossible. The consequences are serious. And so the people that I see working with cybersecurity in these generators take the question very seriously. They apply all sorts of cybersecurity techniques. They apply them, in a sense, in the extreme. They do pretty much everything that makes any sense to do, and then some. Other industries, when another industry is looking around saying the threat environment is getting worse, we have to up our game, they’ll often look at the nuclear security and say, okay, you’re doing a bunch of stuff we’re not doing. And they pick and choose. They’ll say, we’re going to do that. We’re going to do this. And they take practices out of the nuclear practice into their own practice and up their game. The nuclear cybersecurity programs and cybersecurity teams are leaders in the world. And this is how it should be.
This is the reason that I sleep well at night. This is the reason I don’t worry about cybersecurity in nuclear generators, at least in the geographies that I’m most familiar with.