Since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries. Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant, according to security consultants and an urgent joint report issued by the Department of Homeland Security and the FBI recently.
The report did not indicate whether the cyberattacks were an attempt at espionage, such as stealing industrial secrets, or part of a plan to cause destruction. There is no indication that hackers were able to jump from their victims’ computers into the control systems of the facilities, nor is it clear how many facilities were breached. Wolf Creek officials explained that while they could not comment on cyberattacks or security issues, no “operation systems” had been affected and their corporate network and the internet were separate from the network that runs the plant.
The hackers appeared determined to map out computer networks for future attacks, the report concluded. But investigators have not been able to analyze the malicious “payload” of the hackers’ code, which would offer more detail into what they were after. John Keeley, a spokesman for the Nuclear Energy Institute, which works with all 99 electric utilities that operate nuclear plants in the United States, said nuclear facilities are required to report cyberattacks that relate to their “safety, security and operations.” None have reported that the security of their operations was affected by the latest attacks, Mr. Keeley said.
According to the New York Times, in most cases the attacks targeted people — industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material. The origins of the hackers are not known, but the report indicated that an “advanced persistent threat” actor was responsible, the language security specialists often use to describe hackers backed by governments.
Hackers wrote email messages containing fake résumés for control engineering jobs and sent them to the senior industrial control engineers who maintain broad access to critical industrial control systems, the government report said. The fake résumés were Microsoft Word documents that were laced with malicious code. Once the recipients clicked on those documents, attackers could steal their credentials and proceed to other machines on the network.
Energy, nuclear and critical manufacturing organizations have frequently been targets for sophisticated cyberattacks. The Department of Homeland Security has called cyberattacks on critical infrastructure “one of the most serious national security challenges we must confront.”
On May 11, during the attacks, President Trump signed an executive order to strengthen the cybersecurity defenses of federal networks and critical infrastructure. The order required government agencies to work with public companies to mitigate risks and help defend critical infrastructure organizations “at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”
Jon Wellinghoff, the former chairman of the Federal Energy Regulatory Commission, said in a recent interview that while the security of the United States’ critical infrastructure systems had improved in recent years, they were still vulnerable to advanced hacking attacks, particularly those that use tools stolen from the National Security Agency.
In 2008, an attack called Stuxnet, designed by the United States and Israel to hit Iran’s main nuclear enrichment facility, demonstrated how computer attacks could disrupt and destroy physical infrastructure. The government hackers infiltrated the systems that controlled Iran’s nuclear centrifuges and spun them wildly out of control, or stopped them from spinning entirely, destroying a fifth of Iran’s centrifuges.
In retrospect, Mr. Wellinghoff said, that attack should have foreshadowed the threats the United States would face on its own infrastructure. Critical infrastructure is increasingly controlled by supervisory control and data acquisition (SCADA) systems. They are used by manufacturers, nuclear plant operators and pipeline operators to monitor variables like pressure and flow rates through pipelines. The software also allows operators to monitor and diagnose unexpected problems.
But like any software, these systems are susceptible to hacking and computer viruses. And for years, security specialists have warned that hackers could use remote access to these systems to cause physical destruction.