By Antony Daly – Security Analyst at PGI
The German utility company RWE announced last week that its Gundremmingen nuclear power plant had been infected with computer viruses including ‘W32.Ramnit’ and ‘Conficker’. RWE was at pains to point out that there was no threat to the facility, because the affected system was not connected to the Internet and the malware concerned was not targeted at ICS / SCADA systems. However, the system that was affected was associated with plant equipment used for moving nuclear fuel rods – hardly ideal. As a precaution, the plant operator shut down the plant, a move one would expect was not taken lightly and which will result in significant reputational and financial damage.
Whilst many questions will be asked in the investigation going forward, the one that will sit at the top of the pile is: how was the network infiltrated? Was it a new APT or a criminal mastermind? The answer is neither – it is believed an employee plugged a personal USB stick into the plant network after using it on the corporate network or on their personal machine at home.
Employee Education is Crucial
Could this have been avoided? Absolutely. Employee education is critical. As an employer, there is an expectation that you provide a duty of care to your employees. There are well-being programmes, drug and alcohol awareness programmes, programmes on avoiding stress in the workplace, and so on. Yet, when it comes to cyber security awareness, there tends to be a mindset of ‘another I.T. related issue – let’s just pay lip-service to it’. There needs to be a focussed effort on educating and training employees on the risks they face when they log on to a computer and inadvertently browse to a suspect web page through a link, or open an attachment from an untrusted source.
Using the above incident as an example, one employee has managed to shut down a nuclear plant’s nuclear rod handling system through the use of a USB transportation device. Undoubtedly, yes, they shouldn’t have done it and it highlights a worrying laissez-faire attitude to cyber security. However, the question that should be asked is ‘Why were they allowed to do it?’
Employee education is critical. Recent research by CompTIA has indicated that the top cyber risks include human error and inadequate user education. I’m not suggesting for one second that a company as large as RWE does not have an acceptable use policy for its various systems. If such a policy was in place and the employee breached it, then little sympathy will be given to the employee concerned. The use of such policies greatly reduces the chances of contamination through the use of USB transportation devices.
However, this incident raises questions beyond whether an acceptable use policy was in place. In an air-gapped system, is there a real business requirement for allowing external transportation devices to be connected to your Operational Technology networks? Indeed, one of the sections of the NIST (National Institute of Standards and Technology) Cybersecurity Framework calls for access control to protect assets.
Whilst it is very easy to sit here and preach about what could have been done differently, it is of more benefit to take away the lessons learned and ask yourself some questions about the state of your own networks. Do you really have a critical business requirement for allowing external storage devices to be connected to your networks (including Operational Technology networks)? Have you got an effective employee cyber security awareness programme in place? Is it tailored to suit all employee levels, including contractors and employees who don’t use a computer terminal for their day-to-day work, and is it classified as mandated regular training?
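The question in the two paragraphs above, whether removable storage should be allowed on Operational Technology workstations at all, can be turned into a control that is both checked and enforced rather than left to an acceptable use policy. The PowerShell script below is an added example, not code from PGI, RWE or NIST; it assumes the Windows Group Policy registry path and the ‘Removable Disks’ device class GUID shown in the comments, and the function names are my own.

```powershell
# Added example: audit, and optionally enforce, the Windows "Removable Storage Access"
# policy on a single engineering workstation. Run elevated. In production the same
# settings belong in a central GPO; this script makes the current posture visible.
param([switch]$Enforce)

# Policy root written by Group Policy "System > Removable Storage Access".
$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device class GUID used by the policy for "Removable Disks" (USB sticks, card readers).
$RemovableDisks = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
# USB mass-storage driver service; Start = 4 means the driver is disabled outright.
$UsbStor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStoragePosture {
    $diskKey   = Join-Path $PolicyRoot $RemovableDisks
    $denyAll   = (Get-ItemProperty -Path $PolicyRoot -Name Deny_All   -ErrorAction SilentlyContinue).Deny_All
    $denyRead  = (Get-ItemProperty -Path $diskKey    -Name Deny_Read  -ErrorAction SilentlyContinue).Deny_Read
    $denyWrite = (Get-ItemProperty -Path $diskKey    -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    $usbStart  = (Get-ItemProperty -Path $UsbStor    -Name Start      -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyAllRemovableClasses = ($denyAll   -eq 1)
        DenyRemovableDiskRead   = ($denyRead  -eq 1)
        DenyRemovableDiskWrite  = ($denyWrite -eq 1)
        UsbStorDriverDisabled   = ($usbStart  -eq 4)   # 3 = start on demand (default)
    }
}

function Set-RemovableStorageDenied {
    $diskKey = Join-Path $PolicyRoot $RemovableDisks
    New-Item -Path $diskKey -Force | Out-Null           # creates the parent key as well
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        Set-ItemProperty -Path $diskKey -Name $name -Value 1 -Type DWord
    }
    # Deny every removable storage class (CD/DVD, WPD devices, tape), not just disks.
    Set-ItemProperty -Path $PolicyRoot -Name Deny_All -Value 1 -Type DWord
}

$before = Get-RemovableStoragePosture
Write-Output 'Removable storage posture before:'
$before | Format-List

if ($Enforce -and -not $before.DenyAllRemovableClasses) {
    Set-RemovableStorageDenied
    Write-Output 'Policy written; run gpupdate /force or reboot for it to take effect.'
    Get-RemovableStoragePosture | Format-List
}
```

Run it without `-Enforce` first across a sample of OT workstations to learn how many actually rely on removable media; the audit output is the evidence for the business-requirement question asked above.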
Ask the Experts
If you have answered no to any of the above, don’t panic – speak to an expert on how you can rectify any shortcomings and educate and train your workforce to be more cyber aware. Whilst it is very easy to take the path of least resistance when it comes to cyber security, don’t make life more difficult than necessary by doing so. Can you afford to be the next case study?