The chief of the International Atomic Energy Agency (IAEA) has confirmed a targeted attack caused "some disruption" at a nuclear power plant. Yukiya Amano, director of the IAEA, said the attack was not destructive, a term which some have used to describe the 2014 Sony hack because actors destroyed corporate data and denied employees access to some parts of the company's network. Instead he described the attack as disruptive in that the nuclear power plant didn't have to shut down its operations. But that doesn't mean the implications of the attack are any less serious. As the chief told Reuters:
"This is not an imaginary risk. This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it's the tip of the iceberg."
Amano elected to leave some key details out about the attack. For instance, he declined to specify when the incident occurred, although he did situate it in a general time frame of "two to three years ago."
Also missing from the IAEA's assessment is which nuclear power plant suffered the event. The disclosure of the attack comes at a time amid increasing concerns over malware that can affect industrial control systems. In particular, malware known as BlackEnergy earned quite a reputation for itself after researchers confirmed attackers used one of its variants to cause "interference" at the western Ukrainian power company Prykarpattyaoblenergo around Christmas Eve 2015, a campaign which resulted in a local power outage. That's one attack we know about. But there could be dozens more that officials have yet to disclose. Dewan Chowdhury, the founder and CEO of MalCrawler, says we might never hear about some incidents due to a lack of transparency in the industry. As quoted by Threatpost:
"If the attack had happened in the U.S., the plant would’ve had to report it to a regulatory board. Overseas, this could be happening all the time but are they forced to tell the world? Tell the governing body of some agency? There’s the issue, there’s no transparency when it comes to a lot of this stuff, especially when it comes to nuclear cooperatives overseas."
With that in mind, it's up to nuclear power plants to make sure they are protecting their industrial control systems. For some suggestions on how utilities can protect those critical systems, please click here.
