The head of an international nuclear energy consortium said this week that a cyber attack caused a “disruption” at a nuclear power plant at some point during the last several years.
Yukiya Amano, the head of the International Atomic Energy Agency (IAEA), didn’t go into detail about the attack, but warned about the potential of future attacks, stressing on Monday that the idea of cyber attacks that impact nuclear infrastructure isn’t an “imaginary risk.”
“This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything, or if it’s the tip of the iceberg,” Amano told reporters in Germany.
Amano refused to disclose much about the attack, electing not to say where or when it happened, but said it managed to disrupt day-to-day operations at the plant. While it wasn’t forced offline, the facility had to take what he called “precautionary measures” to mitigate the attack.
It’s unclear whether Amano will ever disclose which power plant was affected, or when the attack happened. He told Reuters it occurred “two to three years ago,” and declined to get further into the incident, which was previously unknown.
Dewan Chowdhury, the founder and CEO of MalCrawler, a service that protects ICS and SCADA systems from malware, said that since there’s so little information around the attack, it’s too early to pinpoint exactly what happened.
“It could be ransomware, malware, a targeted attack; it’s anyone’s guess what it could be,” Chowdhury said.
Chowdhury said he hoped the IAEA’s confirmation of an attack, even if it was years ago, would help generate awareness around cybersecurity and nuclear issues in the future. That said, he wasn’t surprised by Amano’s statement.
“It’s not a surprise that it’s happening,” Chowdhury said of the disruption. “Personally, I think people aren’t disclosing it. It’s probably happening more than people think.”
Chowdhury pointed out high numbers in the Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) annual Year in Review reports, which regularly break down the most targeted critical infrastructure sectors. In 2015, the government organization responded to 295 incidents; the second highest number of incidents by sector, 46, pertained to energy.
Chowdhury also said the lack of independent agencies abroad, comparable to the United States’ Nuclear Regulatory Commission, could be contributing to a diminished number of attack disclosures.
“If the attack had happened in the U.S., the plant would’ve had to report it to a regulatory board,” Chowdhury said. “Overseas, this could be happening all the time but are they forced to tell the world? Tell the governing body of some agency?”
“There’s the issue, there’s no transparency when it comes to a lot of this stuff, especially when it comes to nuclear cooperatives overseas,” Chowdhury said.
Michael Toecker, the head of Context Industrial Security, a consulting firm that specializes in the cyber security of industrial control systems, said it’s unlikely that the IAEA was talking about a new event. He said that more than likely it was an event previously made public that was “run of the mill and handled by plant personnel.” Whatever the case, Toecker warned that the IAEA’s statement should be taken with a grain of salt.