In cybersecurity, the worst-case scenario is that malicious hackers might gain access to, or control over, critical infrastructure. In that scenario, criminals or nation state actors might be able to leverage their exploits into a situation where lives are put at risk – in addition to the other severe ramifications. And of course, that worst-case scenario becomes an actual nightmare when we imagine the consequences of a malicious actor gaining access to nuclear power plants or missiles.
While most of us assume – or at least hope – that nuclear power plants are hardened targets that should be protected by the most advanced digital security possible, is that actually the case? In this interview with Charles Hamilton, Principal Security Consultant for Trustwave SpiderLabs, we discuss his experience conducting a penetration testing exercise for a nuclear power plant. For safety reasons, we won’t disclose where and when this exercise was conducted.
Q: Did you actually hack a nuclear power plant?
Charles: Yes, this was part of penetration testing. There are many details that I can’t reveal, for obvious reasons. But I’ve actually tested more than one.
In the test we will talk about today, when I gained access to the plant, posing as a malicious actor, I found out that the management software was actually Windows NT 4.0, far past the time when that would have been appropriate.
The point of the engagement, of course, is to see if an actor can reach the point where they gain control of the reactor. Thankfully, that’s rarely possible because there is a physical barrier between the corporate network and the actual power plant. That’s purposeful, thankfully, and it should do its job of preventing hackers from being able to trigger a meltdown.
You might remember Stuxnet, a worm that was designed to target the nuclear capabilities of Iran. Whomever designed that exploit built it to account for the physical barrier, which is why they created it to spread by USBs, which they knew were being actually plugged into the reactor environment. But that’s the kind of activity that goes above and beyond what a penetration test is designed to discover.
Q: What did you find during your penetration test?
Charles: The first major vulnerability I found was due to contracting work that they had hired out. Sometimes, just like other structures, a nuclear power plant needs to be fixed. In this case, the contractors had set up a WIFI spot which didn’t have a strong level of security. Via that avenue, I was actually able to get into the corporate network quite easily.
The reality is that, when I get in, it was just like any other corporate network, with a bunch of Windows and Linux systems, and in this case they were running Windows NT 4.0 as well. I was able to gain direct access to the network and access to some interesting things, like monitoring tools.
In a related example, I tested wind turbine farm and found that it was set up the same way, with layers of networks where the actual system that was physically controlling the turbines wasn’t reachable remotely – it would have required direct physical access. So that’s something we can all be thankful for.
Q: If you had been a malicious actor, what could you have done with the access you achieved?
Charles: In about one or two hours I had domain level privileged. I could have been able to gain information about how the power plant was performing. If I was involved in spy craft or actual nation state sabotage, I would have been able to see things like pressure rates, etc. In this specific case, the plant was actually shut down at the time, because it was under maintenance. The penetration test was actually part of their efforts to bring it back online, so it was a good thing that they were being proactive and diligent in exposing weaknesses.
Q: Are there key takeaways that organizations should be aware of
Charles: Definitely. Even for companies or organizations that aren’t involved in critical infrastructure, the key learning here is that your corporate network is always going to be one of your most vulnerable points. From an external threat actor perspective, phishing exploits will be constant and ongoing. Always assume that your network is as vulnerable as your external perimeters.
Most of the time when we do penetration tests, we find that external perimeters are actually a little bit more secure, because it’s publicly facing. Organizations tend to harden it a bit more, and unfortunately leave their internal networks a little bit more exposed.
When you think about incidents like SolarWinds, what’s your opinion on how secure the infrastructure grid is in America? The reality is that it’s mainly secure because of security through obscurity. When you look at things like SolarWinds, that exploit required a huge amount of time and a fairly large budget. That’s not really in the realm of possibility of your average hacker, who’s probably out to just make a quick buck.
Download our fact sheet on the SolarWinds vulnerabilities that Trustwave SpiderLabs has discovered. All three vulnerabilities are severe with the most critical one allowing remote code execution with high privileges.