Shades of the over-hyped and incorrect press frenzy "Israel's Power Grid Under Attack!" from 2015. On April 26, malware was discovered in the RWE Energy Bavarian nuclear power plant and the press went wild.
W32.Ramnit and Conficker were discovered in Block B of the plant during preparation for revisions to 2008 systems (hardware vice software not specified) currently in use. Cybersecurity specialists from RWE are conducting forensics to determine how the virus got into the 2008 systems. The likely source is removable media; malware was also reportedly found on 18 removable data drives, mainly USB sticks. Conficker was originally discovered in the wild in 2008 and W32.Ramnit in 2010, giving an indication of the possible length of the infections.
Gundremmingen officials stated there is no human risk associated with the intrusion. The affected areas were administrative systems segregated from operational areas of the plant. The plant itself, according to the operator, is segregated from the internet. The software discovered in Gundremmingen constantly attempted to create, "unwanted connections to the Internet" which was impossible due to the network segregation.
On April 7, the block B of the nuclear power plant Gundremmingen was taken offline for revision, the event that lead to the malware discovery. Whether the intrusion will affect the scheduled mid-May restart date is unknown. Gundremmingen is scheduled to be taken permanently offline in 2021.
What does it mean to me?
Basic mitigation techniques work! Not only that, the sky did not fall even though a nuclear power plant has suffered a cyber intrusion - hope springs eternal for humanity..
First, a point of clarification: Gundremmingen's description of network segregation is somewhat in contrast to the architecture they reported. The affected systems,categorized as administrative and office, were tied to automatic fuel loading equipment (which would likely be considered operational SCADA/ICS). Still, the fuel loading process typically requires significant human intervention for execution, therefore even a SCADA- intrusion would pose minimal physical danger.
The malware obviously was not a targeted attack, but ordinary malware affecting a target of opportunity and searching for a conduit to reach its command and control node. Network segregation prevented its success.
The malware itself was not designed to manipulate SCADA/ICS, but to enable access to any internet-connected, infected network. It is likely the malware was introduced by human activity that might have included include opening an infected document, clicking on a phishing link, and/or poor removable data hygiene.
Most antivirus programs will detect W32.Ramnit and Conficker. It is unknown if the office systems were scanned.
Security through obscurity does not work. Scan your segregated systems as well as those connected to the internet. Restrict and scan mobile media. Basic mitigation is the foundation of cybersecurity.
Sign up for Computerworld eNewsletters.