Info sharing takes a hit in nuclear breach notification
By Sean D. Carberry
Jul 10, 2017
Although the recently disclosed cyber intrusions at U.S. nuclear power plants did not pose a public safety risk, the resulting reporting may have damaged information sharing between government and critical infrastructure owners, experts and former officials said.
On June 28, the FBI and the Department of Homeland Security notified power providers of ongoing cyber intrusions at a number of facilities dating back at least a month. The attacks used sophisticated spear-phishing campaigns to attempt to steal credentials from senior control engineers, according to reports in the New York Times and Bloomberg.
Federal regulations require a nuclear power plant to provide notice to the government within hours of the detection of a cyber intrusion that either poses or could pose an immediate safety threat. In this case, the intrusions on the business network did not rise to the level of triggering the reporting requirement. Additionally, control systems at nuclear power plants are not connected to business networks or the internet, Nuclear Energy Institute officials said.
Both NEI and DHS said there are ongoing operations to secure the computers and systems affected by the intrusions. But former officials said the government also has damage control to do on the information-sharing front.
In the initial alert sent to the power sector, DHS mentioned one affected nuclear plant, Wolf Creek near Burlington, Kan., by name. That goes against protocols designed to strip out or anonymize information about victims of cyber incidents.
"That is the kind of thing the private sector complains about," said former White House cybersecurity coordinator Michael Daniel. He said that from his experience, the government doesn't have a history of leaking personal information, and in fact it is usually the private sector that does.
"[This disclosure] is sort of the exception that proves the rule," said Daniel, who is now president of the Cyber Threat Alliance.
Given the vast amount of private infrastructure and limited resources of the government, Daniel said information sharing is critically important, and both sides must work together in the face of growing cyber threats.
While the NEI said there is robust information sharing between the government and industry, other critical infrastructure sectors have expressed concerns that the government over-classifies information, does not share relevant data in a timely fashion and often does not provide context that is needed by industry.
Many in the private sector have stated that they simply do not trust the government, in particular DHS, to protect sensitive information.
"Trust is an obstacle in all types of information sharing relationships and that includes industry and government when stakeholders aren’t familiar with each other," said Ryan Gillis, a vice president at Palo Alto Networks and a former NSC cybersecurity official.
"DHS is going to have to take a look at the quality-control process and figure out how to try to keep continuing to improve that so it doesn't happen again," said Daniel.
"This could make it harder to recruit new partners for sure," said a former DHS senior official who spoke on condition of anonymity. "I don't think it will change existing relationships, but sadly programs like [automated information sharing] need to grow to be successful and sustained."
"The timing of this kind of flub is bad," said the former official, who added that this will likely result in oversight committees "asking pointed questions around protecting sources."
DHS was unable to explain why it disclosed Wolf Creek's name in violation of its protocols or detail the steps being taken to prevent future releases of personal information.
This article was first posted to FCW, a sister site to GCN.
Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.