As part of The UK’s national infrastructure program (CPNI) energy and civil nuclear facilities are listed as part of the thirteen sectors contained within the Cabinet Office’s Strategic Framework and Policy Statement.
According to a recent report written by Chatham House titled Cyber Security at Civil Nuclear Facilities: Understanding the Risks (October 2015), the risk of a serious cyber security attacks on nuclear facilities is increasing!
This new heightened risk is being driven by a number of factors, including:
- Reliance on digital systems and “off-the shelf” software
- Internet connectivity and VPN deployments
- The lack of cyber security skills and general awareness with nuclear sites
In autumn 2015 we learned that multiple hacks on US institutions had been blamed on China, yet it was also announced that China is investing £24bn in UK nuclear infrastructure. Should the UK be concerned about its Critical National Infrastructure program and what can nuclear facilities learn from the private sector?
The Chatham House report highlights two areas that could be addressed using technology already deployed in many private sector organisations:
1. Strong Encryption and Key Management
What many organisations are now starting to realise is that breaches are inevitable and they must prepare to be breached! In some cases organisations may have already been breached, but just don’t know about it.
According to the report, nuclear facilities could be breached with “nothing more than a flash drive” and “personnel often lack an understanding of key cyber security procedures”.
What does this tell us? Well, nuclear facilities are potentially easy to breach and the personnel within these facilities may not know they have been breached.
Over the past two years Gemalto have advocated breach acceptance, i.e. accept the breach and prepare for it. In fact, our Breach Level Index tracks global breaches and the impact on data loss.
We believe that the only way to secure a breach is by encrypting the data and storing the keys in a vault away from the encrypted data. This could be data stored on file servers within the plant or data travelling over fibre between plants. This approach is already widely adopted by many highly regulated organisations in banking, public sector, manufacturing etc….
2. Multi-Factor Authentication
The report makes claim that a number of nuclear facilities now have VPN (virtual private networks) connections installed and also the increasing use of commercial “off-the-shelf” software.
It’s widely accepted that connecting to a VPN with a standard username and password is not secure due to the risk of compromised credentials. In fact, in some highly regulated industries it is mandated to use multi-factor authentication when connecting to a VPN.
By using technology like SafeNet Authentication Service bolsters the security of remote connections. The same technology can also be used to secure commercial “off-the-shelf” software whether it’s on premise or even in the cloud.
In conclusion, it would appear that the state of cyber security in US and UK nuclear facilities is alarming. However, we believe that adopting private sector best practices when it comes to deploying cyber security controls could mitigate the risk these nuclear facilities face.
Download the Secure the Breach Research Kit to learn how to use authentication, encryption, and key management to prepare for a breach effectively.