More Cyber: The Korea Hydro and Nuclear Power Company (KHNP) Hacks
We have been following the Sony hack, but Scott Snyder at the Council on Foreign Relations reminded us of another breach that occurred around the same time at the Korea Hydro and Nuclear Power Company (KHNP). The December 2014 attack was purportedly launched by an anti-nuclear group that gained access to some plant computers and released stolen blueprints of South Korea’s nuclear reactors, details on various support systems, and personal data on over 10,000 employees. The hackers demanded that the Korean government close down three nuclear power plants by December 25th and followed with a further series of attacks.
KHNP insists that this was not a major breach and that systems controlling reactor operations are insulated from external tampering. Nevertheless, the incident motivated President Park to order inspections of safeguards at national infrastructure facilities, and prompted statements by KHNP to allay public fears of an outside actor’s capability to wreak havoc on nuclear systems.
In all, this case indeed appears to be what KHNP says it was: a small-scale intrusion that resulted in the theft of non-critical data. But any attack on a country’s utilities, transport, or power systems warrants pause because of the growing concern that hackers can exploit the “internet of things” to cause physical destruction.
Attacks of this sort have to date been quite limited, precisely because of the costs. Stuxnet is the most famous recent example of a cyber-attack specifically designed to cause physical damage, in that case by sabotaging centrifuge control systems at Iran’s nuclear plants. Iran may now be itching for payback, with reports surfacing on cyber intrusions targeting the control and safety systems of US oil, gas, and power companies. In two other largely ignored cases--an explosion on a Turkish pipeline in 2008 and damage to equipment at an unnamed steel plant in Germany--cyberattacks also appear to have crossed the line into doing physical damage.
It is important to underscore that there is no public claim that we know of that North Korea was involved in the KHNP attacks; we are always on guard against the “appeal to ignorance” fallacy (“there is no evidence against it, so it must be true”). But it is also the case that attacks undertaken by sovereign governments will not announce themselves as such. Continuing speculation on North Korean involvement in prior attacks in the South and with respect to Sony is more plausible (see our discussion of NSA penetration of North Korean computer network exploitation here). Given North Korean investment in a wide array of cyber capabilities, it is only prudent to be alert to this risk as well: attacks on physical control systems are not your garden variety 17-year-old-in-his-basement hacking episodes.