The head of the International Atomic Energy Agency (IAEA), Yukiya Amano, announced this week that a cyber-attack has affected a nuclear power plant at some point during the last couple of years.
He didn’t reveal when exactly the attack occurred or which plant it affected, but he said it caused a “disruption” in the plant’s daily operations and the facility had to take precautionary measures to mitigate it. He warned about potential future attacks of the same kind and said that the idea of cyber-attacks affecting nuclear infrastructure isn’t an “imaginary risk”.
“This issue of cyber-attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything, or if it’s the tip of the iceberg.” – Amano told reporters in Germany.
The incident had remained unknown until now, and all Amano was willing to say was that it happened “two to three years ago”. No more details were disclosed and it is unclear if they ever will be.
Dewan Chowdhury, the founder and CEO of MalCrawler, which protects ICS and SCADA systems from malware attacks, said that without more detailed information it is not possible to say what happened.
“It could be ransomware, malware, a targeted attack; it’s anyone’s guess what it could be.” – Chowdhury said.
Chowdhury added that he hopes the IAEA’s confirmation of an attack, no matter how long ago it occurred, would help clarify the incident. He also said, though, that he wasn’t surprised to hear about the case.
“It’s not a surprise that it’s happening.” – Chowdhury said – “Personally, I think people aren’t disclosing it. It’s probably happening more than people think.”
Chowdhury also emphasized that, in 2015, the government responded to 295 incidents, and the second largest number of attacks by sector, 46, was against energy, according to the annual Year in Review reports of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Moreover, Chowdhury said the lack of independent agencies abroad, like America’s Nuclear Regulatory Commission, may be contributing to the rising number of undisclosed incidents.
“If the attack had happened in the U.S., the plant would’ve had to report it to a regulatory board.” – Chowdhury said – “Overseas, this could be happening all the time but are they forced to tell the world? Tell the governing body of some agency? There’s the issue, there’s no transparency when it comes to a lot of this stuff, especially when it comes to nuclear cooperatives overseas.”
In February, ICS-CERT finally officially confirmed that the outage in Ukraine last December was connected to the BlackEnergy malware. The crooks behind this attack used BlackEnergy-laden phishing emails as a vector to obtain legitimate credentials for three regional electric power distribution companies in Ukraine and left 250,000 people with no electricity.
Before the Ukraine attack, Chatham House, a London-based independent policy institute, warned that the risk of cyber-attacks against nuclear infrastructure is rising. In a 52-page report, it warned that the proliferation of supply chain vulnerabilities, combined with the lack of employee training, will eventually lead to such an incident.
In response, Amano said that the IAEA uses nuclear information from 131 countries to provide better cybersecurity training with radiation detection devices to its employees. In June 2015, the agency held a summit around cybersecurity, the International Conference on Cyber Security in a Nuclear World, in Vienna. Amano also shared with the reporters that he is planning to make it a primary topic at another summit, the International Conference on Nuclear Security: Commitments and Actions, slated for December.