Cyber Security: Not a Priority in Nuclear Power Plant Facilities

October is National Cyber Security Awareness Month. In our past articles, we’ve discussed cyber security vulnerabilities affecting businesses both small and large, healthcare organizations, and more. Recently, a report was published by the International Policy Institute, Chatham House, on cyber security in nuclear power plants.

The fifty-plus page report was released this past September and detailed numerous shortcomings found in worldwide nuclear power facilities, including those in the United States. The report was extremely critical of vulnerabilities found in these facilities. Many of these facilities are ‘insecure by design’ because of their age, and are not as well prepared as they may believe. In fact, many of them were built before cyber attacks were even considered.

Recent high-profile cyber attacks have brought to light these cyber security vulnerabilities in nuclear facilities. Couple that with the rising number of crimes perpetrated by cyber criminals and terrorist groups and the very real fear of releasing radiation, and you have a real cause for concern.

The report states that its focus is on cases where a plant’s control systems are “disrupted or even captured and harnessed by saboteurs acting either inside or outside the facilities where these systems are located.”

The range of threats could vary from stealing confidential corporate data for financial profit to stealing operational information to be used in an attack at a later time. Considering a plant’s industrial control system, the report states,

“A cyber attack that took one or more nuclear facilities offline could, in a very short time, remove a significant base component to the grid, causing instability.”

However, the worst-case scenario, according to Chatham, is that an attack on a nuclear plant’s backup power system could cause a release of ionizing radiation.

Chatham studied nuclear power plants worldwide over an 18-month period. They found several factors behind these vulnerabilities, and we have narrowed them down to the following four industry-wide cyber security challenges.

1. Employees and Human Nature: In general, poor IT practices and the very human nature of finding shortcuts at work can contribute to security breaches. For example, employees may want to charge their smartphones by plugging them directly into a control computer, but if these devices lack antivirus software, systems are particularly vulnerable.

One source goes on to describe how, in some US nuclear power plants, engineers will bring their personal computers into work and plug them directly into the computer interface of the PLC (programmable logic controller). If the engineer’s personal computer is infected with malware, it can and will affect the PLC in the process.

2. Passwords: Default passwords are commonly found at plant facilities, according to Chatham’s report.

“The failure to change default passwords is another challenge at nuclear facilities. In some instances, nuclear facilities fail to take basic ‘good IT hygiene’ security measures, such as changing the factory default passwords on equipment.”

It’s incredible how such a simple safety measure is being overlooked. This is part of a bigger problem, which leads us to our next item.

3. Culture of denial: One source explained that there is a ‘culture of denial’ found among many nuclear facility personnel:

“It remains a movie scenario, maybe in the future. They think it is just states against states, not everybody wants to hack us, and also it won’t happen here.” Although many personnel feel it’s unlikely, cyber attacks need to be considered as a real threat. Harmful radiation would have everlasting effects.

Chatham found that cyber security training lacks cohesiveness in drills between regular plant personnel and the IT security personnel. Training focuses more on reactive than proactive solutions, so in many cases cyber attacks are under way before an employee is aware of them.

4. Air gaps myth: An air gap is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. Many in the industry believe that ‘air gaps’ will keep them safe from cyber attacks, but in reality, not all nuclear plants are ‘air gapped.’

The issue is that employees want the ‘commercial benefits’ that the Internet can offer, and don’t consider that they are connected to the Internet.

“A number of nuclear facilities now have VPN connections installed, which facility operators are sometimes unaware of,” the report says. VPNs can be used to introduce malware onto the industrial control network.

Something as tiny and simple as a flash drive is all it takes to gain access to a plant’s system. Personal computers are used frequently enough, and because they can be directly connected to a plant’s control system, an air gap is by no means a guarantee.

Chatham concludes that “plants must develop guidelines to measure cyber security risk in the nuclear industry, including an integrated risk assessment that takes both security and safety measures into account as well as fostering partnerships between vendors and cyber security companies to enable the development of more robust cyber security products.” Practicing ‘good IT hygiene’, as we mentioned earlier, is also an element that needs to be addressed at all of these facilities.

Axiom’s solutions come in different sizes, and all Axiom solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, give us a call at (800) 519-5070.

October is Cyber Security Awareness Month

2015 has been the year of cyber crime, data breaches, and cyber attacks. We live in a world where we are all unified with our smartphones, tablets, and laptops. Although this constant connection has changed many people’s lives in many ways for the better, it also poses a huge risk for a company’s data such as financial information and health records.

As we have learned from incidents ranging from the Office of Personnel Management to Home Depot, no organization is immune to these breaches. All it takes is one click for an organization to become compromised and lose its data and its customers’ data. These breaches can be incredibly costly to these organizations, whether due to the downtime a website experiences or the potential fines that the Federal Trade Commission (FTC) may impose. Cyber security is so vital, it even has its own month dedicated to it.

October is National Cyber Security Awareness Month. This October marks the 14th year since its inception by President Obama in 2004.  National Cyber Security Awareness Month (NCSAM) encourages vigilance and protection by all computer users, promoting cyber security as “our shared responsibility.”

President Obama stated in his Executive Order on Promoting Private Sector Cybersecurity Information Sharing Proclamation,

“Cyber threats pose one of the gravest national security dangers the United States faces.  They jeopardize our country’s critical infrastructure, endanger our individual liberties, and threaten every American’s way of life.  When our Nation’s intellectual property is stolen, it harms our economy, and when a victim experiences online theft, fraud, or abuse, it puts all of us at risk.  During National Cybersecurity Awareness Month, we continue our work to make our cyberspace more secure, and we redouble our efforts to bring attention to the role we can each play.” 

The month-long awareness program is sponsored by the National Cyber Security Division (NCSD), which is part of the Department of Homeland Security, and the nonprofit organization the National Cyber Security Alliance (NCSA). NCSAM’s mission is to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.

Axiom Cyber Solutions would like to share the following cyber security tips from the Department of Homeland Security. These tips can help keep your personal information and assets safe online.

  1. Set strong passwords and don’t share them with anyone.
  2. Keep your operating system, browser, and other critical software optimized by installing updates.
  3. Maintain an open dialogue with your family, friends, and community about Internet safety.
  4. Limit the amount of personal information you post online and use privacy settings to avoid sharing information widely.
  5. Be cautious about what you receive or read online – if it sounds too good to be true, it probably is.

If you are interested in seeing what National Cyber Security Awareness Month activities are near you, please visit: https://www.staysafeonline.org/ncsam/events.

If you or your organization needs further help on security, please contact Axiom Cyber Solutions at 800-519-5070.

Why SMBs Should Pay More Attention to Their Cyber Security

Many small and medium-sized businesses (SMBs) assume that they are immune to cyber attacks and cyber crimes because they are not necessarily high profile targets. In recent headlines, big corporations such as Target, Sony, and JPMorgan Chase are experiencing very serious data breaches and losing large amounts of money due to cyber crimes and data breaches.

Although you often see these big corporations plastered in the news when they experience cyber attacks, smaller organizations do not attract as much attention in the media. That, however, does not mean that they are not victimized. In fact, 60% of all targeted attacks struck small and medium-sized businesses, according to Symantec’s 2015 Internet Security Threat Report.

According to the National Cyber Security Alliance, one in five small businesses experience a cybercrime each year and 60% of those small businesses go out of business within 6 months after a cyber attack.

Experts agree that smaller businesses are much more vulnerable and attractive to cyber criminals because they are often less secure. Also, thanks to automation, these cyber criminals have the ability to mass produce attacks.

Greg Shannon, chief scientist at the CERT Division of the Software Engineering Institute at Carnegie Mellon, states that size is “somewhat of a red herring. It’s more about scale.” But, he adds that, “small business is a huge target because attacks are automated. The criminals don’t care who they’re attacking, and while any given business isn’t worth much, they have viruses or ransomware that allow them to attack thousands or millions.”

These automated attacks are especially damaging for SMBs because many small business owners don’t believe they will be hacked when up against the thousands of other businesses out there. Today, hackers aren’t wasting their time picking and choosing which businesses they want to attack; it’s all taken care of with automation.

One of the most common issues that affect the quality of security in SMBs is budgetary constraints. Since many of these businesses do not have a dedicated IT team, business owners are handling their own cybersecurity matters. They may be struggling to keep their businesses profitable and do not see an immediate need to expend resources on cyber-security, especially if they do not rely on online applications. This ideology has to change as the volume and scale of cyber attacks grow exponentially.

We at Axiom Cyber Solutions understand these concerns and want to remind businesses of all sizes, but especially smaller organizations, that proper cyber security should be at the forefront of your strategic vision. #FightBackWithAxiom

Attention Healthcare Organizations: Get Ready For Some Serious Cyber Security

2015 has been inundated with cyber-attacks against the healthcare industry. In recent headlines, Excellus Blue Cross Blue Shield stated that approximately 10 million of its customers had their healthcare records compromised.

Not only did critical information such as names, Social Security numbers, addresses, and birthdays get leaked but financial data such as credit card information was also compromised. Additionally, this puts their customers at risk for fraud and identity theft.

Criminal cyber-attacks are rising in the healthcare community, and despite strict HIPAA guidelines and regulations, many hospitals and healthcare providers are grappling with keeping their patients’ data safe.

Cyber-attacks and data breaches cost the U.S. healthcare system approximately $6 billion annually, according to security research firm, The Ponemon Institute.
KPMG polled over 200 healthcare providers and found that four out of five providers had been hacked.

44% of healthcare organizations have been attacked 1-50 times while 38% have been attacked between 50-350 times in the last year. 13% were attacked more than 350 times.

It doesn’t take a stretch of the imagination to realize just how many additional attacks are left undetected and unreported, as in the case of Excellus, wherein hackers first accessed patient records in December of 2013 but weren’t discovered until August of 2015. This gave the attackers nearly two years of running data collection. In the same study, KPMG also found that only 53% of healthcare providers are ready to defend against a cyber-attack.

They listed five issues that healthcare organizations are facing.

1. The adoption of digital patient records and the automation of clinical systems.

2. The use of antiquated electronic medical records (EMRs) and clinical applications that are not designed to securely operate in today’s networked environment — and software vendors who push that problem to the provider.

3. The ease of distributing electronic personal health information both internally (via laptops, mobile devices, thumb drives) and externally (third party firms and cloud services).

4. The heterogeneous nature of networked systems and applications (i.e. network-enabled respirator pumps on the same network as registration systems that can browse the Internet).

5. The evolving threat landscape, where cyberattacks today are more sophisticated and well-funded, given the increased value of the compromised data on the black market.

“Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed. A key goal for executives is to advance their institution’s protection to create hurdles for hackers”, according to Michael Ebert of KPMG’s Healthcare & Life Sciences Cyber Practice.

These data breaches and security vulnerabilities cannot and should not be underestimated, and their severity and frequency are a cause for concern. Healthcare providers must make cyber security a priority. No longer is this an issue that companies can ignore.

Protecting patient data is critical, and the healthcare industry must start preparing and implementing a strategy to prevent these hacks before the U.S. Government begins to levy heavy penalties and fines on those who do not step up to today’s threats.