
POTENTIAL ATTACK SCENARIOS AGAINST SYSTEMS IN NUCLEAR FACILITIES

I–1. This annex provides some examples of ways in which adversaries could exploit vulnerabilities in systems performing critical facility functions. However, these are only examples, and operators need to think creatively about computer security to imagine how adversaries might act and how computer security measures might counter their actions.

I–2. The examples are derived from discussions with experts from Member States. They are not intended to provide an exhaustive list of possibilities or a recipe for attacking nuclear facilities, but rather a starting point for facility operators and Member States to develop plans to address the dynamic, rapidly changing cyber threat environment.

I–3. A coordinated cyber‑attack might consist of several phases:

(a) Identifying a target or targets;

(b) Performing reconnaissance;

(c) Obtaining access to or otherwise compromising relevant systems;

(d) Carrying out the attack;

(e) Concealing evidence about the attack and the adversary.

I–4. Adversaries will use some or all of these tactics, and they need to be considered when developing cyber threat profiles specific to nuclear facility instrumentation and control (I&C) systems and other sensitive digital assets (SDAs). The example scenarios presented in this annex include the use of these tactics and illustrate common types of attack suggested by computer security experts with experience of the nuclear industry.

I–5. Types of threat are described in Ref. [I–1].

SCENARIO I: COMPROMISE OF A SUPPORT LEADING TO ACCESS TO CRITICAL OPERATIONAL SYSTEMS

I–6. Goal of the attack: To gain access to nuclear information and digital assets by exploiting a trusted path used by vendors to provide support.

I–7. Description: The attack is initially directed at the Internet based remote access portal through which vendors have access to sensitive information and facility SDAs to provide support. The adversary compromises the portal and, via privilege escalation, gains administrative control over the database and changes the email address associated with a specific vendor. This vendor has remote access to critical operational information about the facility and some of the SDAs.

The adversary uses the ‘forgotten password’ function on the portal, which sends a password refresh link to the email address introduced by the adversary. The adversary uses this link to change the vendor’s password and logs in to the portal with the identity of the authorized vendor. Once logged in, the adversary has access to all the information on the portal and all the SDAs to which the vendor has access. The adversary then begins to modify the settings and operational parameters of SDAs, leading to operational instability and ultimately to the shutdown of the facility.
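The chain in Scenario I leaves a distinctive trace in the portal's own audit log: a contact email change followed shortly by a password reset request on the same account. The following detection logic is an added example, not part of the IAEA annex; the log format, field names and sample lines are constructed for illustration.

```python
"""Flag the email-change-then-password-reset pattern from Scenario I.

Added example, not from the IAEA annex. The audit log format and the sample
lines below are constructed; a real portal's log will differ.
"""
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, event, account, source IP, detail.
# vendor_a shows the Scenario I pattern; vendor_b is a benign, slow change.
SAMPLE_LOG = """\
2024-03-01T08:02:10 login vendor_a 198.51.100.7 ok
2024-03-01T09:15:42 email_change vendor_a 203.0.113.9 new=support@example.test
2024-03-01T09:17:05 password_reset_request vendor_a 203.0.113.9 -
2024-03-01T09:20:33 login vendor_a 203.0.113.9 ok
2024-03-02T10:00:00 email_change vendor_b 198.51.100.7 new=ops@example.test
2024-03-04T11:00:00 password_reset_request vendor_b 198.51.100.7 -
"""

# A reset requested within this window of an email change is treated as
# suspicious; tune to the portal's normal vendor behaviour.
RESET_WINDOW = timedelta(hours=24)


def parse(log_text):
    """Turn one log line per event into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, event, account, src_ip, detail = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "ip": src_ip, "detail": detail})
    return events


def find_suspicious_resets(events, window=RESET_WINDOW):
    """Return accounts whose password reset followed an email change within
    `window`. The order of events is enforced by sorting on timestamp, so
    a reset that precedes the email change is not flagged."""
    last_email_change = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "email_change":
            last_email_change[ev["account"]] = ev
        elif ev["event"] == "password_reset_request":
            change = last_email_change.get(ev["account"])
            if change and ev["ts"] - change["ts"] <= window:
                flagged.append(ev["account"])
    return flagged
```

The same pattern is the basis for a preventive control: send the reset link to the previous address (or re-verify the new one) when the email was changed recently.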

SCENARIO II: EXPLOITATION OF THE TRANSITIVE TRUST BETWEEN REPORTING SERVERS ON THE PERIMETER NETWORK AND INTERNAL SDAs

I–8. Goal of the attack: To gain access to internal SDAs and systems.

I–9. Description:

(1) Using open source tools and search engines, the adversary locates the perimeter network¹ server used to report production information related to nuclear isotopes from trusted internal systems to the Internet. This server resides on the perimeter network but is populated by a master database server on the same network as the control system for a facility that produces nuclear isotopes. The master database server collects information from the internal manufacturing production environment and sends this information to the database located on the perimeter network. The perimeter network is separated from the production network by a firewall, which is configured with an access control list to ensure that only the database on the perimeter network server can communicate to the master database.

(2) The adversary exploits a vulnerability to obtain administrative access to the server on the perimeter network and takes control of the communication channel between that server and the master database server on the control system network. The firewall is configured to allow communications between the perimeter network and the master database (i.e. it establishes ‘transitive trust’ between the networks), so the adversary, who has control of the server on the perimeter network, can connect directly to the master database on the control system network.

(3) The adversary uses the connection to the master database to perform reconnaissance and enumeration of the control system assets that are on the same network. Since there are no security measures on the control system network, the adversary is able to take control of SDAs and compromise the technology controlling isotope development, management, transport, storage and inventory.

¹ Such networks are used as ‘buffers’ between trusted internal systems and publicly accessible systems that are not trusted, such as the Internet. They are sometimes referred to as ‘demilitarized zones’.
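The transitive trust in Scenario II can be found before an adversary does by modelling the firewall's allow rules as a graph and asking which hosts an untrusted zone can reach hop by hop. The following is an added example, not part of the IAEA annex; the zone and host names and the rule sets are a constructed model of the scenario, not any real facility's configuration.

```python
"""Enumerate transitive trust paths through a set of firewall allow rules.

Added example, not from the IAEA annex. ALLOW_RULES and HARDENED_RULES are a
constructed model of Scenario II; zone and host names are invented.
"""
from collections import deque

# Each rule: which (source zone, host) may initiate a connection to which
# (destination zone, host). Anything not listed is denied by the firewall.
ALLOW_RULES = [
    ("internet", "any", "perimeter", "report_db"),       # public reporting
    ("perimeter", "report_db", "control", "master_db"),  # DB sync as in (1)
    ("control", "master_db", "control", "plc_gateway"),  # no internal controls
]

# Mitigation variant: the master database pushes data outward and nothing on
# the perimeter may initiate a connection into the control network.
HARDENED_RULES = [
    ("internet", "any", "perimeter", "report_db"),
    ("control", "master_db", "perimeter", "report_db"),
    ("control", "master_db", "control", "plc_gateway"),
]


def build_graph(rules):
    """Adjacency list keyed by (zone, host)."""
    graph = {}
    for src_zone, src_host, dst_zone, dst_host in rules:
        graph.setdefault((src_zone, src_host), []).append((dst_zone, dst_host))
    return graph


def trust_paths(rules, start, target_zone):
    """Return every loop-free path from `start` to a host in `target_zone`.

    A compromised host inherits every connection its (zone, host) pair may
    open, so each path returned is a transitive trust relationship that the
    firewall's own rules permit.
    """
    graph = build_graph(rules)
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in graph.get(path[-1], []):
            if nxt in path:
                continue  # avoid cycles
            new_path = path + [nxt]
            if nxt[0] == target_zone:
                paths.append(new_path)
            queue.append(new_path)
    return paths
```

The model only captures who may initiate connections; an application-level flaw in the outbound sync channel is a separate question the rule graph cannot answer.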

SCENARIO III: MALWARE INFECTION OF NUCLEAR POWER PLANT INSTRUMENTATION AND CONTROL SYSTEMS

I–10. Goal of the attack: To force the shutdown of a nuclear power plant.

I–11. Description:

(1) An engineer at a nuclear power plant works at home on a laptop computer that is used to support plant engineering and optimization, update performance programmes and ‘tune’ software for safety monitoring.

(2) While at home, the engineer uses the computer to access a vendor’s web site and obtain a software update for the plant I&C systems that are instrumental in supporting plant operations. While the update is downloading, the engineer uses an on‑line bank, visits the corporate web site and uses social media, during which malicious software is downloaded to the computer. This malware is new and is not detected by the antivirus software on the computer.

(3) Since corporate policy prohibits taking the computer into the plant, the engineer copies the downloaded control system update to a USB storage device, intending to use this to apply the software updates to the I&C assets. However, the malware has also copied itself to the USB device, and when the engineer uses it to install the update through an engineering workstation in the plant, the malware copies itself onto the plant system. The plant operator has assumed that the physical protection measures in place will prevent an unauthorized computer from connecting to the plant control system network, and the possibility of infection via removable media has not been considered.

(4) After the malware infects the engineering workstation, it replicates and moves to other networked components within the plant. Since the operator has not deployed computer security measures at the plant level and there is no antivirus software on critical plant systems, the malware infects critical digital assets on the network, causing failures and forcing the plant to shut down.

SCENARIO IV: OBTAINING OF SENSITIVE INFORMATION ABOUT NUCLEAR PLANT OPERATIONS DIRECTLY FROM INAPPROPRIATELY DECOMMISSIONED EQUIPMENT

I–12. Goal of the attack: To obtain enough information to plan an accurate attack on plant operations.

I–13. Description:

(1) An adversary collects information from social media and observation indicating that a nuclear facility will be procuring a control system in the form of a system upgrade. In addition, the facility operator intends to sell old operational equipment to help pay for the new control system.

(2) Since the facility has no formal decommissioning procedure related to information security, a system that was used to run critical I&C operations is sold without reviewing or removing information stored in it. The adversary buys the system and discovers up to date project files, network diagrams, username and password information, and other data that provide a comprehensive understanding of the nuclear facility operations.

(3) The adversary uses this information to develop a plan to attack specific SDAs used at the facility and to create convincing emails for use in a phishing campaign. Ultimately, the adversary uses both the information obtained from the purchased system and that unwittingly provided by victims of the phishing campaign to launch a blended attack on the facility.

SCENARIO V: STRATEGIC SOCIAL ENGINEERING ON THE FACILITY SECURITY OFFICER

I–14. Goal of the attack: To obtain, through social engineering, information from a facility security officer that can be used to further an attack.

I–15. Description:

(1) An adversary conducts a focused social engineering campaign against a facility security officer using phishing, physical reconnaissance and publicly available information, including that from the officer’s social media presence.

(2) The adversary, with a false identity, uses this information to begin communicating directly with the security officer, who gradually comes to trust the adversary, believing that it is someone else. As the correspondence continues, the adversary starts to add credible email attachments that are actually malicious software that, when activated, covertly opens a communication path back to the adversary’s computer and sends specific files from the security officer’s computer to the adversary. With this information, the adversary is able to create accurate and detailed plans to attack the plant’s physical protection systems and intercept nuclear material in transit.

REFERENCE TO ANNEX I

[I–1] INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Security for Nuclear Security, IAEA Nuclear Security Series No. 42‑G, IAEA, Vienna (2021).