
Tenable Blog


When It Comes to Industrial Cybersecurity, Follow The Data

A cyberattack at India’s largest nuclear power plant reveals the risks of outdated workstations and the need to upgrade industrial security systems.

The postmortem analysis of most cyberattacks reveals that indicators of compromise were present leading up to the incident, but the dots were not connected early enough. In October of this year, the nuclear reactor complex at India’s Kudankulam Nuclear Power Plant (KNPP) suffered what the government has now termed a cyberattack. Originally it was not characterized as such. To be clear, an attack like this can happen to any organization; KNPP was just the latest victim. When it comes to this type of security breach, it is really quite simple: the data doesn't lie.

Reported malware infection at KNPP nuclear facility

On October 29, the Nuclear Power Corporation of India released a statement denying reports that one of its power plants had suffered a cyberattack. Officials stated, “any cyberattack on the nuclear power plant control system is not possible.”

The next day, KNPP leadership reversed their position. They issued a second communique revealing that malware was found in the system at the KNPP facility and was traced to an “infected PC that belonged to a user who was connected to the internet for administrative purposes.”

Almost immediately, experts including Pukhraj Singh, a former security analyst for India's National Technical Research Organization (NTRO), took to social media stating that the security incident went deeper than reported by the company.

KNPP tweet from security analyst Pukhraj Singh

In the ensuing three-week period, new data “dots” have been revealed, including the fact that KNPP had issued a tender earlier this year to purchase Windows-based PCs. Over the same period, several of the facility's reactors needed to be shut down due to what was reported as an “SG level low” alarm.

Media reports issued this week attributed the attack to North Korea, and to date pundits in the field have been quoted in the press describing the lack of transparency about what actually happened in the cyberattack.

KNPP is not alone or unique in its response to what has been verified as a cyberattack on a nuclear plant. In many ways, it should be recognized that KNPP was able to respond and avoid any catastrophic failure at the plant. The question is, could they have known about the attack earlier?

More than ever, cyberattacks on critical infrastructure are occurring with frightening regularity. Rogue factions and “unfriendly” governments are taking advantage of the convergence between IT and operational technology (OT) systems, which has eroded the traditional air gap and exposed industrial networks that often lack the same level of security as their sister IT networks. Once attackers gain access, they can perform reconnaissance and gain “red button” functionality to modify industrial processes in ways that can cause more damage than a traditional missile attack.

Preventing future cyberattacks

One of the lessons we can learn from the KNPP incident is the need for situational awareness when it comes to securing OT environments, including the ability to maintain a real-time inventory of assets. To complement this visibility, active threat hunting can be achieved through “device integrity” tests: actively querying devices such as programmable logic controllers (PLCs) and distributed control systems (DCSs) in their native protocols and comparing the results against the known-good baseline to detect unauthorized changes.

Meanwhile, the introduction of IoT (internet of things) technology in OT environments exposes industrial assets to new risks. Maintaining an up-to-date inventory of deployed assets along with granular detail such as the make, model number and manufacturer, patch levels and configurations can provide deep insight into what devices are operational at any point in time, which need to be updated due to vulnerability disclosures, and which require maintenance or rotation out of the OT environment.

In terms of detecting potential malware, OT security should adopt the layered “onion” approach commonly used in IT security. This requires a multi-threat detection engine that searches for policy violations and also looks for anomalous behavior that is unique and specific to each environment. It also includes the practice of “crowd-sourcing” data on new threats, which can be accomplished by centralizing anonymized intelligence across multiple companies and industries to uncover indicators of emerging attacks and provide participating organizations with “digital inoculation” against them earlier.
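To make the inventory, device-integrity and policy-violation ideas above concrete, here is an added example (not Tenable code and not tied to any Tenable product) that compares a live poll of OT devices against an inventory baseline. Every device, firmware version and control-logic hash is a constructed sample; a real tool would populate the poll by querying each PLC/DCS in its native protocol.

```python
# Added example (not Tenable's code): inventory baseline vs. live poll checks for
# OT assets. Device details and polled values are constructed samples.
import hashlib
from dataclasses import dataclass

@dataclass
class Asset:
    make: str
    model: str
    firmware: str        # firmware recorded at the last approved change
    program_hash: str    # SHA-256 of the approved control logic
    min_firmware: str    # lowest firmware with no open vulnerability disclosure

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def check_device(baseline: Asset, polled: dict) -> list:
    """Compare one polled device with its inventory baseline; return findings."""
    findings = []
    if polled["program_hash"] != baseline.program_hash:
        findings.append("INTEGRITY: control logic differs from approved baseline")
    if version_tuple(polled["firmware"]) < version_tuple(baseline.min_firmware):
        findings.append(f"POLICY: firmware below approved minimum {baseline.min_firmware}")
    if polled.get("mode") == "program":
        findings.append("POLICY: controller left in PROGRAM mode")
    return findings

def run_checks(inventory: dict, polls: dict) -> dict:
    """Map asset id -> findings; unknown and silent devices are findings too."""
    report = {}
    for asset_id, polled in polls.items():
        if asset_id not in inventory:
            report[asset_id] = ["INVENTORY: unknown device answered on the OT network"]
        else:
            report[asset_id] = check_device(inventory[asset_id], polled)
    for asset_id in inventory.keys() - polls.keys():
        report[asset_id] = ["INVENTORY: device did not answer the integrity poll"]
    return report

APPROVED = hashlib.sha256(b"ladder-logic-v7").hexdigest()   # constructed stand-in
INVENTORY = {
    "plc-01": Asset("ExampleCo", "X100", "2.3.1", APPROVED, "2.3.0"),
    "plc-02": Asset("ExampleCo", "X100", "2.3.1", APPROVED, "2.3.0"),
    "dcs-01": Asset("ExampleCo", "D5", "1.0.4", APPROVED, "1.1.0"),
}
POLLS = {
    "plc-01": {"firmware": "2.3.1", "program_hash": APPROVED, "mode": "run"},
    "plc-02": {"firmware": "2.3.1", "program_hash": hashlib.sha256(b"modified").hexdigest(), "mode": "program"},
    "unknown-77": {"firmware": "0.1", "program_hash": "", "mode": "run"},
}
```

Running `run_checks(INVENTORY, POLLS)` flags the tampered logic and PROGRAM mode on plc-02, the unknown device, and the DCS that never answered, while a clean plc-01 yields no findings.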

A robust and forward-leaning approach to securing critical infrastructure and manufacturing environments requires the same rigor as we have deployed in IT for decades. The combination of constant employee training, deploying the right security with cooperation between IT and OT, and the perpetual examination and reexamination of policies and procedures will help organizations gain the situational awareness needed to identify security threats earlier and protect themselves against industrial cybersecurity risk.

To learn more about securing your critical infrastructure against cyber threats, see our Tenable.ot whitepaper, “Industrial Cybersecurity in the New Era of Distrust.”
