In 2010, a cyberattack was launched against the Iranian nuclear program. Stuxnet — a malicious computer worm that is part of a family of worms often referred to as malware —invaded the nuclear power plant through its control system, allowing adversarial control and operation of its industrial facilities. In this case, the worm attacked four different vulnerabilities within the program’s network of control systems and essentially took over. Stuxnet was designed to destroy itself two years after it was introduced.
The Stuxnet incident is emblematic of the cyber risk looming over many industrial facilities. It has the potential to not only cause damage, but cripple major infrastructure that an industrial base relies on. For electrical contractors, it should raise concern. Much of ECs’ work in and around electrical infrastructure and industrial facilities is fertile ground for cyberattacks. Enterprises continue to struggle to find security protections to prevent such attacks. Some have taken mitigating action. Many have not.
The Industrial Target According to Joseph Campbell, an industrial cyber threat is very real. “Public works facilities and infrastructure continue to be targets from external and internal threats,” Campbell said. “Their information technology [IT], often involving use of supervisory control data acquisition systems and industrial control systems [ICS] — which might have been mechanical processes at one time, but are now more frequently controlled through information technology — are on the radar of actors engaged in online penetration and disruption, the results of which can potentially cause damage to the facility and possibly the surrounding environment.”
In the case of Stuxnet, the malware gave directions to the Natanz Plant’s programmable logic controllers (PLC), that caused damage to the uranium-enriching centrifuges.
“The PLCs are small computers that control the ICS and compromise to those systems can potentially lead to significant damage of equipment and functions at an industrial entity,” he said. “It is believed the malware was injected into the Natanz system by someone plugging a USB stick into a computer. This is one means of infecting a system with malware, but IT systems can be infected and disrupted remotely also through actions such as spear phishing and distributed denial of service attacks or simply obtaining a user’s password or other access credentials.”
Looking to penetrate ICS can be motivated by nation-state objectives — a way of getting through to nations or countries with ulterior objectives. These may be political objectives, or a desire to simply penetrate a system and cause damage just because they can.
“When I was assigned to the Weapons of Mass Destruction Directorate at the FBI, we were very focused on the threat of both human and cyber adversarial penetration of these facilities, many of which house sensitive data and hazardous materials, such as at chemical and nuclear power plants, and with those facilities conducting specialized work for the U.S. government, or providing essential public services such as water treatment,” Campbell said. “We worked with interagency partners and facility personnel to develop and rehearse plans to prevent such an attack, and also developed and rehearsed plans to respond if there was some sort of breach. Cyber penetration, whether from an external or internal source, accidental or intentional, is a threat public works facilities and infrastructure must continue to guard against around the clock, as they work with each other and governmental authorities to share threat information and coordinate on response capabilities.”
Cyber penetration, whether from an external or internal source, accidental or intentional, is a threat public works facilities and infrastructure must continue to guard against around the clock, as they work with each other and governmental authorities to share threat information and coordinate on response capabilities.
Joseph Campbell, director, Global Investigations and Compliance practice