
Cyber-attacks Against Nuclear Plants: A Disconcerting Threat

October 14, 2016 by Pierluigi Paganini


A cyber-attack against critical infrastructure could cause the paralysis of critical operations with serious consequences for a country and its population.

In a worst-case scenario, a cyber-attack could affect processes whose failure would cause serious damage and, as a consequence, the loss of human lives.


Consider, for example, a refinery or a nuclear plant: in both cases a cyber-attack represents a threat to the infrastructure, its processes, and the people who work within it.

Nuclear plants are critical components of any country's infrastructure; critical functions depend on their operations, and an incident could have dramatic effects on the population.

Is a cyber-attack against a nuclear plant a possible event?

Unfortunately, the answer is yes. Nuclear plants are composed of an impressive number of components, such as SCADA/ICS, sensors and legacy systems, that could be hit by a hacker.

The most popular case of a cyber-attack against a nuclear plant is Stuxnet, which was launched more than five years ago.

Stuxnet is the malware developed by experts from the US and Israel with the intent of disrupting the Iranian nuclear program. Nation-state hackers hit the plant at Natanz in Iran in 2010, interfering with the nuclear program of the Government of Tehran.

Stuxnet targeted a grid of 984 converters, the same industrial equipment that international inspectors found out of order when they visited the Natanz enrichment facility in late 2009.

"The cyber-attack against the Cascade Protection System infects Siemens S7-417 controllers with a matching configuration. The S7-417 is a top-of-the-line industrial controller for big automation tasks. In Natanz, it is used to control the valves and pressure sensors of up to six cascades (or 984 centrifuges) that share common feed, product, and tails stations," states "Technical Analysis of What Stuxnet's Creators Tried to Achieve," written by the expert Ralph Langner.

Stuxnet was designed with a number of features that allowed it to evade detection: its code was digitally signed, and the malware used a man-in-the-middle attack to fool the operators into thinking everything was normal.

Stuxnet demonstrated that malicious code can be used to disrupt operations at a nuclear plant.

In recent years, security experts and authorities have confirmed at least three cases of cyber-attacks against nuclear plants.

Who are the threat actors that could hit a nuclear plant?

There are many actors, such as cyber criminals, hacktivists, nation-state actors, cyber terrorists and script kiddies, that threaten critical infrastructure worldwide.

Let's look at the principal incidents that affected nuclear plants in recent years.

The incidents

According to the Director of the International Atomic Energy Agency (IAEA), Yukiya Amano, a nuclear power plant in Germany suffered a "disruptive" cyber-attack two to three years ago.

Amano expressed his concerns about cyber-attacks on nuclear plants, explaining that they are a serious threat. The IAEA Director did not provide further details of either incident.

"This issue of cyber-attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it's the tip of the iceberg," Amano told Reuters.

"This is not an imaginary risk," added Amano, who also participated in a meeting with Foreign Minister Frank-Walter Steinmeier.

Fortunately, the damage caused by the cyber-attack on the German nuclear plant did not force the operators to shut down its processes, but it prompted the adoption of additional precautionary measures.

"This actually happened, and it caused some problems," he said. "[the German plant] needed to take some precautionary measures."

Amano added that the attack on the German plant had not been discussed in public before. He also reported a case in which an individual tried to smuggle a small amount of highly enriched uranium with the intent of building a so-called "dirty bomb."

As reported by Reuters, the cyber-attack was disruptive, not destructive. The two terms may appear similar to non-experts, but there is a substantial difference. The term disruptive refers to a category of cyber-attacks that can destroy internal computer systems without causing the complete destruction of the plant. Examples of disruptive attacks are the attacks against Sony Pictures Entertainment and Stuxnet.

It is likely that Amano was referring to the cyber-attack against the Gundremmingen nuclear plant that occurred earlier this year. Security experts, in that case, discovered the presence of the Conficker and Ramnit malware in the target systems.

This isn't the first time that we have received news of cyber-attacks on nuclear plants. There are three publicly known attacks against nuclear plants, described below.

2014 - Malware-based attack hits Japanese Monju Nuclear Power Plant

On January 2, 2014, one of the eight computers in the control room at Monju Nuclear Power Plant in Tsuruga, Japan, was compromised by a cyber-attack. The local IT staff discovered that the system in the reactor control room had been accessed over 30 times in a few days. The experts observed that the intrusion started after an employee updated a free video playback application running on one of the computers in the plant.

According to sources close to the internal staff, more than 42,000 e-mails and staff training reports were available on the compromised system at the nuclear power plant.

Security experts who investigated the incident discovered the presence of malware that was likely introduced through a software update on the compromised machine. The malware allowed the attacker to exfiltrate information; further investigation allowed the experts to discover that the information was sent to a Command & Control server located in South Korea.

According to Japan Today, the Monju nuclear power plant was not the target of a surgical attack. Instead, it was accidentally infected by malware.

Monju Nuclear Plant is a sodium-cooled fast reactor; it started its operations in April 1994. It has not been operational for most of the past 20 years due to a severe fire caused by a sodium leak.

Figure 1 - Monju Nuclear Power Plant

In November 2014, the Japanese Nuclear Regulation Authority informed the Japan Atomic Energy Agency that the anti-terrorism measures adopted at the Monju Nuclear Power Plant were not adequate. According to the Regulation Authority, the Japan Atomic Energy Agency violated the basic security guidelines and did not adopt best practices to ensure the protection of nuclear materials from terrorists and other attacks, including hacking attacks.

Cyber-attacks against organizations operating in the energy industry had already been observed in the past: in 2012 the Japan Atomic Energy Agency was targeted by a cyber-attack that compromised a computer at the JAEA headquarters at Tokaimura by infecting it with malware.

2014 - Nuclear plant in South Korea hacked

In December 2014, the South Korean government revealed that a nuclear plant in the country had been hacked. Korea Hydro and Nuclear Power Co Ltd (KHNP), which operates the nuclear power plant, confirmed the incident and reported that the hackers did not steal critical data. Government officials immediately dismissed any danger to the population and explained that there was no risk to nuclear installations across the country.

Some security experts disagreed, speculating that the systems in South Korea's nuclear plants could be exposed to cyber-attacks.

"This demonstrated that, if anyone is intent with malice to infiltrate the system, it would be impossible to say with confidence that such an effort would be blocked completely," said Suh Kune-yull of Seoul National University. "And a compromise of nuclear reactors' safety pretty clearly means there is a gaping hole in national security."

Reuters reported that South Korea's energy ministry was confident that nuclear plants in the country were properly protected against "any infiltration by cyber attackers that could compromise the safety of the reactors."

"It's our judgment that the control system itself is designed in such a way and there is no risk whatsoever," Chung Yang-ho, deputy energy minister, told Reuters by phone.

At the time of the attack, the Government of Seoul declined to provide any information on those possibly responsible, but security experts believed that North Korea was behind the intrusion.

A man claimed responsibility for the attack via Twitter, claiming to be a member of an anti-nuclear group based in Hawaii.

The individual also called for the shutdown of three aging nuclear reactors and confirmed the theft of sensitive documents in the attack.

He asked for money in exchange for the leaked data; fortunately, nothing happened in the following days.

An official at the country's nuclear plant operator KHNP, which is part of state-run Korea Electric Power Corp, told Reuters that the cyber-attack was run by "elements who want to cause social unrest."

"It is 100 percent impossible that a hacker can stop nuclear power plants by attacking them because the control monitoring system is totally independent and closed," the official said.

In March 2015, South Korea's government publicly accused Pyongyang of the attack. The Government described the attacks as a provocation that threatened people's lives and safety.

"We condemn North Korea's persistent cyber-terror targeting our country and the international community," the unification ministry said after the conclusion of the investigation.

"It's a clear provocation against our security," the ministry said in a statement, accusing Pyongyang of "taking the life and safety of our people as a hostage."

The experts who investigated the incident confirmed that the hackers intended to cause a malfunction at the atomic reactors, but were not able to compromise their control systems.

The experts added that the malware used to infect the systems was very similar to that usually used by North Korean hackers.

"We've reached the conclusion that the crime was committed by a group of North Korean hackers seeking to stir up social unrest and agitation in our country," the investigators said in a statement.

According to the investigators, the hackers launched a spear-phishing campaign against 3,570 former and current KHNP workers. They used multiple IP addresses based in China to send some 6,000 phishing e-mails.

2016 - Malware infects systems at the Gundremmingen nuclear plant in Germany

In April 2016, the German BR24 News Agency reported the news of a computer virus that was discovered at the Gundremmingen nuclear power plant in Germany.

Based on the initial investigation conducted by the experts, the virus didn't affect any critical parts of the power plant. The experts who worked on the case revealed that the malware that infected the systems at the power plant was not specifically designed for sabotage purposes, unlike the notorious Stuxnet.

"After the discovery of malicious software on a computer in Gundremmingen, the operator emphasizes that the control of sensitive areas was not affected. A computer expert, however, warns against playing it down: viruses could jeopardize the data security of the NPP," states a post published by BR24.

The German utility RWE, which runs the facility, confirmed that the plant was cut off from the Internet and that the malware infection did not harm operations.

"All sensitive plant areas are decoupled and designed with redundancy and protected against manipulation," reads a statement issued by the RWE.

The experts involved in the investigation discovered the presence of the Conficker and W32.Ramnit malware in unit B of the Gundremmingen plant. Conficker is a worm with the ability to spread rapidly through networks, while W32.Ramnit is a data stealer.

RWE also added that malware had been found on 18 removable data drives, mainly USB sticks, in office computers maintained separately from the plant's operating systems.

Mikko Hypponen, CRO at F-Secure, told Reuters that it is very common for malware to infect critical infrastructure, but in the vast majority of cases the infection has no consequences because the threat was not specifically designed to hit the target.

Figure 2 - Gundremmingen nuclear power plant

It is not clear how the malware reached the systems in the plant; it is likely that it was carried onto the network at the Gundremmingen plant on a USB stick by an employee who had used it on his office computer.

IT expert Thomas Wolf commented on the incident, saying that malware threats exist even in systems that are isolated from the Internet and that any process where data is exchanged can be an effective source of virus contagion. Wolf highlighted that such a threat is difficult to contain: the virus could easily spread even in environments that have "comprehensive virus protection and sophisticated security management."

The virus that was spotted at the Gundremmingen nuclear plant infected the system used for the transportation of used reactor fuel to the warehouse.

"Systems that control the nuclear process are analog, thus isolated from cyber threats. These systems are designed with security features that protect them against manipulation," said Tobias Schmidt, spokesman for the Gundremmingen nuclear plant.


Cyber-attacks against nuclear power plants and industrial control systems are probably at the top of a long list of potential disasters that can be caused by hackers.

Stuxnet, which targeted nuclear power plants in Iran, is still the most widely publicized threat against such systems.

Security experts are aware of the possibility that hackers could cause serious problems to these critical infrastructures worldwide; for this reason several governments have already launched internal assessments of their infrastructure.

This summer, the European Parliament passed the new network and information security (NIS) directive, which establishes minimum cyber-security requirements for critical infrastructure operators.

The NIS directive has a significant impact on all the businesses that supply essential services and operate critical infrastructures in different industries, including energy, transport, banking, health and digital services. Those companies are required to comply with minimum cyber-security standards.

Unfortunately, the overall process of securing critical infrastructures needs a significant effort by multiple players and a strong commitment from central authorities.

According to Amano, the UN's IAEA is supporting countries in improving the resilience of their infrastructure to cyber-attacks with a series of measures.

"Amano said the U.N. agency was helping countries increase cyber and overall nuclear security through training and a detailed database that included information from 131 countries, and by providing them with radiation detection devices," Reuters reported.

"Since 2010, the IAEA said it had trained over 10,000 people in nuclear security, including police and border guards, and has given countries more than 3,000 mobile phone-sized instruments for detecting nuclear and other radioactive material."

Taking a close look at the current situation of nuclear plants in Europe, we cannot avoid mentioning a report released in March that states Germany is not adequately equipped to prevent terrorist attacks on its nuclear plants.

The report was presented by Oda Becker, an independent expert on nuclear plants.

This is extremely distressing, especially in the light of the tragic events in Belgium with substantial casualties.

The report was brought to public attention by the German Federation for the Environment and Nature Conservation (BUND) Congress, where concerns were expressed towards protecting citizens from catastrophic consequences of another terrorist attack.

Security of critical infrastructure is a shared goal that can be achieved only through the joint effort of governments, private entities and the population itself. Security awareness, adoption of security best practices, implementation of proper security solutions and sharing of information on incidents are fundamental principles for reaching a good balance between security and the cost of ensuring the protection of infrastructures.


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and writes for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.