Malware blamed for data leak at nuclear plant

A computer in the control room of the Monju fast-breeder reactor was infected by malware earlier this month, after an employee updated video software.

The Monju fast-breeder reactor is once again facing the regulatory firing squad.

Built in the mid-1990s, the facility - located in Tsuruga, in Japan's Fukui Prefecture - has faced several regulatory problems, including poor ratings for safety and security. After it was built, the sodium-cooled fast-breeder reactor ran for only a few months before a catastrophic sodium-leak fire led to a 15-year shutdown. A restart was attempted in 2010, but that too had problems, and the plant has been mostly non-operational since then.

In November 2013, the plant faced the scorn of Japan's Nuclear Regulation Authority, which told the Japan Atomic Energy Agency (JAEA), the plant's operator, that Monju's anti-terrorism measures were lacking. The regulator came down hard on Monju's violations of the security guidelines meant to protect nuclear materials. Now, just a few months after entering the governance dog house, the JAEA is dealing with another problem at Monju.

On January 2, an administrator at the Monju reactor noticed that one of the eight computers in the control room had been accessed more than 30 times within the previous five days, along with signs that the system had been communicating with the outside.

Subsequent investigation uncovered malware which, according to reports from the Tokyo Broadcasting System (TBS), was likely installed by an employee who was updating video player software. It is unknown whether the software was malicious to begin with or whether the employee was tricked into installing a fake video codec.

The data leak that occurred because of the incident is being downplayed somewhat by Japan's media and the JAEA. Reports note that the only information likely to have been obtained was internal email and training materials. The JAEA is investigating further to ascertain exactly what was accessed, but there were more than 42,000 documents on the infected system.

The incident shines a light on an increasingly important topic for the Industrial Control Systems community: awareness and control. What happened at Monju shows the need for control over which software is installed on control-room systems and who is allowed to manage it. It also shows the need for visibility into what is happening on the network, including which systems are able to communicate with the outside, and for controlling (or blocking) that access as needed.
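The two checks that passage calls for, egress visibility and the kind of access-frequency indicator the Monju administrator spotted, can be scripted against ordinary flow and logon logs. The following Python is an added example written for this article; it is not code from the JAEA, the plant, or the original reporting. It assumes a simple one-event-per-line log format (timestamp, source, destination, port, action), and all addresses, network ranges, the approved-egress allowlist and the log lines themselves are constructed for the example.

```python
"""Added example: egress review and access-frequency check for a control-room segment.

Two things a plant network team would want to answer after an incident like
the one described above:
  1. which control-room hosts talked to destinations outside the plant, and
     whether those destinations are on the approved egress allowlist;
  2. which hosts were accessed (remote logons) more often than a threshold
     inside a time window, the indicator the Monju administrator noticed.

Every address, range and log line here is constructed; none is real plant data.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format, one event per line (an assumption of this example):
#   <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <action>
# action is ALLOW / DENY for flows and LOGON for a successful remote logon.
BASE_LINES = [
    "2014-01-01T09:12:03 10.20.1.5 10.20.1.10 445 ALLOW",      # internal file share
    "2014-01-01T09:13:40 10.20.1.5 10.20.0.50 8530 ALLOW",     # internal patch server
    "2014-01-01T09:15:02 10.20.1.5 198.51.100.23 443 ALLOW",   # outside, not approved
    "2014-01-01T10:02:11 10.20.1.5 198.51.100.23 443 ALLOW",   # same destination again
    "2014-01-01T11:40:55 10.20.1.7 203.0.113.9 80 ALLOW",      # outside, approved vendor host
    "2014-01-02T03:00:00 10.20.1.5 198.51.100.23 8080 ALLOW",  # outside, not approved
    "2014-01-02T03:00:05 10.20.1.5 198.51.100.77 53 DENY",     # blocked, still worth seeing
]


def _constructed_logons(host: str, count: int, start: datetime) -> list[str]:
    """Spread `count` remote logons to `host` evenly over five days (constructed data)."""
    step = timedelta(days=5) / count
    return [
        f"{(start + i * step).isoformat(timespec='seconds')} 10.20.5.2 {host} 3389 LOGON"
        for i in range(count)
    ]


# 7 flow lines plus 31 logons to one control-room host: just over the article's "30 in 5 days".
SAMPLE_LOG = "\n".join(
    BASE_LINES + _constructed_logons("10.20.1.5", 31, datetime(2013, 12, 29, 0, 0, 0))
)

PLANT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]          # assumed: everything inside the plant
CONTROL_ROOM = ipaddress.ip_network("10.20.1.0/24")              # assumed: the control-room hosts
EGRESS_ALLOWLIST = {(ipaddress.ip_address("203.0.113.9"), 80)}  # assumed: the one approved outside host


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    port: int
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed five-field log format, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), ipaddress.ip_address(src),
                            ipaddress.ip_address(dst), int(port), action.upper()))
    return events


def unexpected_egress(events, control_room=CONTROL_ROOM,
                      plant_nets=PLANT_NETWORKS, allowlist=EGRESS_ALLOWLIST):
    """(src, dst, port, action) for control-room hosts reaching non-approved outside addresses.

    Denied flows are reported too: a blocked attempt is still a sign the host tried."""
    hits = []
    for e in events:
        if e.src not in control_room:
            continue
        if any(e.dst in net for net in plant_nets):
            continue
        if (e.dst, e.port) in allowlist:
            continue
        hits.append((str(e.src), str(e.dst), e.port, e.action))
    return hits


def frequent_access(events, window=timedelta(days=5), threshold=30):
    """Hosts with more than `threshold` LOGON events in the `window` ending at the newest event."""
    logons = [e for e in events if e.action == "LOGON"]
    if not logons:
        return {}
    end = max(e.ts for e in events)
    start = end - window
    counts = Counter(str(e.dst) for e in logons if start <= e.ts <= end)
    return {host: n for host, n in counts.items() if n > threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in unexpected_egress(evts):
        print("egress:", *hit)
    for host, n in frequent_access(evts).items():
        print(f"access: {host} received {n} remote logons in the window")
```

On the constructed data the egress check reports only 10.20.1.5, four times (three allowed flows and one denied one), and leaves the approved vendor host alone, while the access check flags 10.20.1.5 with 31 logons in the five-day window. The allowlist is keyed on destination and port rather than destination alone so that an approved update host reached on an unexpected port is still reported.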

Given the problematic history at Monju, an infected computer might not rate high on the threat scale, but it's surely a sign of much larger and more serious problems.
