The USA and UK are to resume critical infrastructure testing later this year, with simulated cyber-attacks taking place on a nuclear power plant.
Designed to test the readiness of the government and utility firms, US Government sources said the two countries plan to cooperate on exploring the resilience of nuclear infrastructure to a terrorist attack, according to The Guardian.
While the exercise was not triggered by any credible intelligence about the threat of such an attack, the source said that it was about “prudent planning”. In March 2011 and November 2013, the UK financial sector faced stress tests in the Waking Shark exercises.
David Kennerley, senior manager for threat research at Webroot, said: “While financial organizations are prime targets because of the monetary value of the data they hold, it’s great that governments are now realizing that the energy sector is also a high-risk area. These ‘cyber-war games’ will provide nuclear plants the opportunity to evaluate their ability to anticipate an attack and develop the comprehensive cyber-warfare protection they need."
“This simulation is set to be the most sophisticated ever undertaken and will give the industry the checks it needs to test the protection and the processes it has in place. Applying gaming principals to security problems is a great way to improve security knowledge across companies through real engagement. The bottom line is that the more you practice and prepare for an attack, the better you will respond when encountering the real thing.”
In November 2015, Chatham House spoke of how the UK’s nuclear facilities are at risk of a major cyber-attack, due to a lack of awareness among senior executives and an increasing trend towards digitization, according to its report Cyber Security at Civil Nuclear Facilities: Understanding the Risks.
This report pointed to serious deficiencies in the supply chain, meaning equipment at nuclear plants could be compromised at any stage. Also highlighted were an overly reactive approach to cybersecurity, a lack of staff training, and communication breakdowns between engineers and security personnel.
Bryan Campbell, senior security researcher, enterprise and cybersecurity for UK & Ireland at Fujitsu, said: “Recent high-profile ‘incidents’ on critical national infrastructure such as the one against the US Dam, and the Ukraine power facility have highlighted the need to perform operational activities at a heightened level."
“Historic attacks such as Stuxnet and Duqu have demonstrated the potential damage that can be caused to ICS, or Control & Data acquisition systems. A grasp of would-be hacker targets is more a concern in relation to ‘why’ the UK would be a target to nation-state hackers."
“Regular exercises in this area will strengthen the national posture on resilience in the face of an emerging and persistent threat.”