Atomic Pulse

Crash Override: Could a Similar Cyber Weapon be Used Against a Nuclear Facility?

NTI monitors and assesses global cyberattacks as part of our work to address
the growing and potentially catastrophic cyber threat to nuclear systems and
facilities around the world.
Alexandra Van Dine, program associate with NTI’s Scientific
and Technical Affairs Program, writes about the potential implications of a
troubling new cyberweapon.

This week started off with a
cyber “bang” with reports of a new and deeply concerning cyberweapon in The
Washington Post, WIRED, and Reuters.
The weapon—dubbed “Crash Override” by security researchers—is the second of its
kind to directly target physical industrial control systems (ICS). It is
believed to be linked to Russia, though no firm attribution has been made.

The first cyberweapon created to disrupt ICS was Stuxnet,
the virus deployed against Iran’s Natanz uranium enrichment facility. For more
on that attack and its implications (especially for nuclear security), see this
paper I published on the topic.

Crash Override was first used (to our knowledge) in December 2016 to attack
Ukrenergo, the Ukrainian electric utility, according to two security research
firms, Dragos Inc. and ESET (which refers to the malware as Industroyer). The
result was a one-hour outage in
parts of the capital city of Kiev. This consequence may seem relatively innocuous,
but recent work by these security firms suggests it was a test for something
more sinister.

The concern about Crash Override* is that it could be used
to “automate mass power outages” on a far grander scale than Kiev, according to
Andy Greenberg at WIRED.
Experts believe the malware is crafted in such a way that components can be
swapped in and out to adapt it for use against multiple electric utilities
around the world, not just in Ukraine. In addition, the weapon can “speak”
directly to grid components to shut power off or turn it back on, meaning it can
cause blackouts quickly, with fewer people in the loop.

So what does this mean for the nuclear space? After all, the
target in the December 2016 attack was an electric utility in Ukraine. How does
this zoom out to the international nuclear community?

Crash Override illustrates that well-resourced and
determined attackers are setting their sights on critical infrastructure. In this
case, electrical utilities were targeted. In the future, a similar cyber weapon
could be re-tooled and re-purposed for deployment against a vulnerable nuclear
facility.

As renowned cryptographer Bruce Schneier says, technology is constantly
evolving, especially in the cyber world: “Today’s NSA secrets become tomorrow’s
PhD theses and the next day’s hacker tools.” In other words, as more people get
access to a weapon, it can be modified and used for any number of
purposes.

If the Stuxnet virus’s past is any prologue, Crash Override is
no one-trick pony.

*Cybergeeks will recognize the movie reference, but for those who
don’t know, see the 1995 cult classic Hackers, one of
Angelina Jolie’s first films.

For more on NTI’s work in the cyber arena, read our report, Outpacing Cyber
Threats: Priorities for Cybersecurity at Nuclear Facilities, which lays
out priorities for a new, overarching strategy to protect nuclear facilities.

 

 
