A hacking campaign aimed at nuclear power plants could have compromised sensitive information but not safety systems, U.S. regulators told Sen. Ed Markey (D-Mass.) this month.
"Our current cyber framework provides adequate protection of U.S. nuclear reactors and the public," the Nuclear Regulatory Commission told Markey in a letter dated Aug. 9.
Markey had requested information about reports that "foreign hackers compromised the cybersecurity of U.S. nuclear power plant operators." E&E News first disclosed the series of intrusions in late June (Energywire, June 27).
NRC verified that "advanced persistent threat actors have targeted the business networks of multiple power reactor licensees" but emphasized that the impact of the attacks was "limited to the business network and did not impact any safety, security or emergency preparedness function."
However, the regulator acknowledged that potentially sensitive business information, such as data on nuclear personnel, could have been accessed by the hackers.
The letter to Markey did not disclose how many facilities were hit in the cyber campaign, which dates back to at least this spring. The intrusions were first uncovered by some of the hackers’ targets, NRC said, with additional intelligence coming from "both U.S. and international partners."
The malicious campaign consisted of both phishing emails to lure utility employees into clicking on hijacked links and a "watering hole" technique that infected websites likely to be visited by unsuspecting targets, according to multiple sources and documents.
The text of the phishing email sent to multiple energy firms, including a South Dakota-based energy company, purported to come from "Jon Patrick," a "multi-skilled controls engineer" claiming experience with supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs). Both SCADA systems and PLCs are widely used in industrial control environments, including nuclear power plants, which made the lure plausible to its intended recipients.
Once the hackers stole login credentials via such a malicious email, they attempted to map out victims’ networks to gather technical details about the infected system. That enabled the actors "to traverse the victims’ networks more effectively," according to a recent unclassified intelligence document from the Department of Homeland Security.
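The lure described above, a resume-style email carrying links that do not go where they appear to, is the kind of message a mail-triage check can flag before anyone clicks. The following is an added example, not code from the article, the NRC letter or the DHS document: it parses a raw message, extracts every HTML anchor, and reports links whose visible text names one host while the href points at another, plus a Reply-To domain that differs from the From domain. The sample message is constructed for this example; "Jon Patrick" is the sender name the article reports, but the addresses, domains and URLs in it are invented placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample for the example; not the real phishing email.
SAMPLE_EMAIL = """\
From: Jon Patrick <jon.patrick@example-controls.test>
Reply-To: jpatrick@freemail-example.test
To: hr@utility-example.test
Subject: Controls Engineer - resume
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I am a multi-skilled controls engineer with SCADA and PLC experience.</p>
<p>My resume: <a href="http://203.0.113.10/resume/doc">https://utility-example.test/careers/resume.docx</a></p>
<p>Portfolio: <a href="https://example-controls.test/portfolio">https://example-controls.test/portfolio</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of (href, text)
        self._current = None  # [href, text] of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url):
    """Lower-cased hostname; display text without a scheme is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """Display text that reads as a URL or bare hostname, not a label such as 'click here'."""
    return ("://" in text or "." in text) and " " not in text


def mismatched_links(html):
    """Anchors whose visible URL-like text names a different host than the href."""
    return [(href, text) for href, text in extract_links(html)
            if looks_like_url(text) and host_of(href) != host_of(text)]


def triage(raw_message):
    """Return the checks a triage analyst would want on one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].addr_spec.lower() if msg["Reply-To"] else sender
    return {
        "sender": sender,
        "reply_to": reply_to,
        "reply_to_mismatch": reply_to.split("@")[-1] != sender.split("@")[-1],
        "mismatched_links": mismatched_links(html),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The host comparison is deliberately strict (exact hostname, not registrable domain), so a link whose text says one subdomain and whose href goes to another is also reported; loosen it to a public-suffix comparison if that produces too many findings on legitimate tracking redirects. Neither check proves an email is malicious, and a cleanly matched message can still carry a hostile attachment, so treat the output as a triage signal rather than a verdict.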
The senator also requested information on the hacking threat from DHS, which is the go-to agency for nuclear power companies seeking cybersecurity assistance or intelligence. DHS declined to provide a copy of its response.
The Department of Defense, FBI and Department of Energy also declined to provide copies of their responses to Markey. A spokeswoman had no immediate comment.
The NRC’s letter to Markey offers rare insight into an ongoing cyberthreat whose details have largely been confined to classified settings (Energywire, June 29). E&E News had requested the document under the Freedom of Information Act, but the regulator released it first on its public website yesterday, in keeping with agency protocol for congressional correspondence. FOIA requests to the other agencies have not yet received responses.
The NRC described an interagency cybersecurity communication and oversight strategy that, for now, does not require changes from Congress.
"From the NRC’s perspective, adequate actions are being taken, based on our understanding of the threat assessment," the agency said. The NRC cited its yearslong rollout and enforcement of its 2009 cybersecurity rule (10 CFR 73.54), which sets technical requirements for protecting the digital systems at nuclear power plants that perform safety, security and emergency preparedness functions.
"Since the NRC issued its cyber notification rule in 2015, the staff has not been notified that any of the NRC-regulated safety, security, or emergency preparedness functions at the operating nuclear plants have been penetrated by a cyber attack," the regulator said, noting that such systems must be strictly separated from the business networks that recently came into hackers’ crosshairs.
The NRC also told Markey that it had "adequate funding to implement its cybersecurity responsibilities."
Mark Bristow, a DHS official familiar with the nuclear intrusions, said in an interview last month that the agency is treating its investigation of the case seriously, even if operational networks were never affected. "We have to take it seriously from the beginning to ensure that public safety impact won’t — or can’t — be realized."