As continued fallout from the recent NotPetya attack unfolds, we now discover that one of our own nuclear facilities was penetrated.
While there was no indication that the attack affected any of the critical infrastructure, and forensics now suggests that the penetration was limited to the business side of the network, that fact alone increases the overall vulnerability.
As we all know, the intrusion on the business side will serve as an information-gathering foray to develop further insight as to the defensive posture on the operational side.
In addition to the intelligence gained about the targeted site, the upstream value could extend to other nuclear facilities as well, since many use the same or similar network protocols and topologies. The Nuclear Regulatory Commission and the International Atomic Energy Agency have both maintained a non-alert, no-direct-risk communication posture since the attack, publicly stating that the strike was not serious enough to prompt notifications from the public safety systems. And, of course, they won’t tell us which site or sites were affected.
From where I sit, a breach of the business side of a nuclear power plant is highly severe and should be cause not just for concern but for action from the DOD, DHS and, at the very least, Congress. Someone in a cybersecurity seat at the federal level knows that the business side of the network holds a lot of high-value information about the less well-protected infrastructure side of these plants. If they don’t, let me suggest a couple of problems.
Emails and other communications involving design plans, results from security assessments, emails or documents containing passwords, and actual network design documents are just a few of the artifacts likely to be accessible from an intrusion on the business side. This stuff is commonly used to create targeted spear-phishing campaigns that masquerade as existing vendors based on email threads accessed via compromised inboxes.
A recent and glaring example of this is the leaked National Security Agency intelligence report documenting the extent to which Russia interfered (or didn’t) in the 2016 US election. According to the reports, Russian military intelligence launched cyberattacks on US voting software suppliers and drove a spear-phishing email campaign to hundreds of local election officials prior to the November election.
This is actually a lower-grade and relatively unsophisticated approach to hacking that resembles the OPM breach back in 2014. It demonstrates that our cyber defenses are such that a dummy with a $50 exploit kit and a laptop can collect enough information to take down a nuclear power plant.
We can probably accommodate the naiveté of those in charge back in 2015 when the OPM breach was discovered, and cut some slack on the basis that this cyber-attack stuff was pretty new and was happening infrequently and mostly under the radar back then. But it is now mid-way through 2017.
There has been not only an increase in the quantity and size of cyber-attacks on businesses, institutions and government agencies, but they are happening almost daily. The sophistication has been dialed way up as well. The attackers are increasingly state-sponsored. The attacks themselves are now even socially engineered. They are disguised as ransomware when in reality they are fact-finding soirees bent on discovery and intelligence. They are even disrespectful to the victims. The most recent “ransomware” attacks didn’t bother keeping a payment channel open or disguising the nature of the data destruction so that the victims would at least have thought they could get their information back. No. The Petya attack showed us that the bad guys have almost no regard for our defensive abilities, nor do they seem to care what our response might be.
So, two weeks ago we had a disruption to the international marine transportation supply chain in which the world’s largest shipping line was crippled and then used as a contagion-accomplice to spread the virus to the port operations where it unloads its cargo.
What do we have tomorrow? Will it be nuclear facilities taken offline to prevent meltdowns? Maybe it will be the indefinite interruption of the water supply to all of Southern California? Perhaps we will see thousands of airplanes frozen on runways because our air traffic control systems have been penetrated?
We now know that it can be all of these things and much, much more.
But apparently, none of this is a problem, because instead of firing up the mother of all moon-shots and attacking this threat with every weapon available, the 115th U.S. Congress is busy trying to decide whether it should recess for the summer or spend more time screwing around with an Obamacare replacement.
Talk about fiddling while Rome is burning.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management