If South Korea’s nuclear plant staff are vulnerable, then so are the reactors

Imagine that — now you know which computers operate a nuclear power plant, and who uses them, which departments they work in, and at what times. Suddenly it’s possible to design a very targeted attack on the operators themselves, aimed at fooling them into breaching their own security. Information about people and processes that operate a technology is as valuable to a hacker as knowledge of the technology itself. Not only did Stuxnet damage equipment, it caused the computers to falsely report that all was well to the operators. It doesn’t take much imagination to see how the same could happen to a nuclear power plant — with devastating consequences.

And so although it’s great to hear that the plant operators are running safety drills, I really hope they make sure that their security drills include the vital triad of people, processes, and technology.

The “soft target” of civilian infrastructure
This again points to an important and infrequently discussed problem, the vulnerability of critical national infrastructure. Cyber-attacks like these are a great way of levelling the playing field: why invest in massively expensive nuclear weapons program if you can simply shut down your enemies’ power, gas, water, and transportation systems? Increasingly more and more infrastructure is connected to the Internet, with all the security risks that entails.

And many of these systems — hardware and software — are old, updated far less frequently than a desktop computer at home or at work. Computer security flaws that may have ceased to be a problem in data centers or on desktops years ago might still affect an embedded system running a gas pump, sluice gate or electricity sub-station somewhere.

The U.K. government at least has been on the case for some time, having established the Center for the Protection of National Infrastructure (CPNI) to focus on infrastructure resilience to cyber-attacks. Bringing together various government agencies and businesses, it has made significant progress in at least establishing what might be vulnerable, which is the first step in knowing where to focus your efforts.

There is no room for complacency, however, as every day more systems become Internet-connected, and more security vulnerabilities are discovered. This trend of attaching everything and anything to the Internet — such as with the growing Internet of Things, but not limited to that — is embraced even more enthusiastically in Europe and the United States. Take a look at search engines like Shodan or Thingful which show locations of online devices, and see just how widespread the Internet of Things has already become.

This problem will not go away. It is a fact now and will only grow in the future. Security is possible only by including people and processes as well as technology. And anyone who relies solely on security through obscurity is doomed to fail.

Alan Woodward is Visiting Professor at University of Surrey. This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).