The post mortem analysis of most cyber attacks often reveals that indicators of compromise were present leading up to the incident, but the dots were not connected early enough. In October of this year, India’s Kudankulam Nuclear Power Project (KNPP) nuclear reactor complex suffered what they now have termed a cyberattack. Originally it was not characterized as such. To be clear, an attack like this can happen to any organization. KNPP was just the latest victim. When it comes to this type of security breach, it is really quite simple. The data doesn't lie.
Reported malware infection at KNPP nuclear facility
On October 29th, the company released a statement denying reports that one of its power plants had suffered a cyber-attack. Officials stated, “any cyber attack on the Nuclear Power Plant Control System is not possible”.
October 29th memo issued by KNPP
October 30th memo issued by KNPP
The next day, KNPP reversed their position. They issued a second communique revealing that malware was found in the system at the KNPP facility and was traced to an “infected PC that belonged to a user who was connected to the internet connected network for administrative purposes”.
Almost immediately, experts including Pukhraj Singh, a former security analyst for India's National Technical Research Organization (NTRO), took to social media stating that the security incident went deeper than reported by the company.
In the ensuing three week period new data “dots” have been revealed, including the fact that KNPP had issued a tender earlier this year to purchase Windows based PCs. In the ensuing time period, several of the facility's reactors needed to be shut down due to what was reported as an “SG level low” alarm.
Media reports issued this week attributed the attack to North Korea and to date pundits in the field have been quoted in the press as saying, “there is not enough transparency on what actually happened with the cyber attack at KNPP”.
KNPP is not alone or unique in how it has and continues to respond to what has been verified as a cyber attack on a nuclear plant. In many ways, it should be recognized that KNPP was able to respond and avoid any catastrophic failure at the plant. The question is, could they have known about the attack earlier?
More than ever, cyber attacks on critical infrastructure are occurring with frightening regularity. Rogue factions and “unfriendly” governments are taking advantage of IT/OT convergence which eroded the traditional air gap to compromise industrial networks that often lack the same level of security as their sister IT networks. Once hackers gain access, they can perform reconnaissance and gain “red button” functionality to modify industrial processes in ways that can cause more damage than a traditional missile attack.
Preventing future cyber attacks
One of the lessons we can learn from the KNPP incident is the need for situational awareness when it comes to securing OT environments, including the ability to maintain a real-time inventory of assets. To complement this visibility, active threat hunting can be achieved through “device integrity” or actively querying devices such as PLCs and DCSs in their native language to detect unauthorized changes .
Meanwhile, the introduction of IoT technology in OT environments exposes industrial assets to new risks. Maintaining an up to date inventory of deployed assets along with granular detail such as the make, model number and manufacturer, patch levels and configurations can provide deep insight into what devices are operational at any point time, which need to be updated due to vulnerability disclosures and which require maintenance or rotation out of the OT environment.
In terms of detecting potential malware, OT should adopt the “onion” approach commonly used in IT security. This requires a multi-threat detection engine that searches for policy violations and also looks for anomalous behavior which is unique and specific to each environment. It also includes the practice of “crowd sourcing” data on new threats, which can be accomplished by centralizing anonymized intelligence across multiple companies and industries to uncover indicators of emerging attacks and provide participating organizations with “digital inoculation” against them earlier.
A robust and forward leaning approach to securing critical infrastructure and manufacturing environments requires the same rigor as we have deployed in IT for decades. The combination of constant employee training, deploying the right security with cooperation between IT and OT, and the perpetual examination and reexamination of policies and procedures will help organizations gain the situational awareness needed to identify security threats earlier and protect themselves against industrial cyber security risk.