How to Hack A Nuclear Power Plant

Hacking A Nuclear Power Plant with ANDRAX

How to hack a Nuclear Power Plant using ANDRAX Hacker's Platform

ATTENTION!!!

This article is for learning purposes ONLY!

Can a Nuclear Plant be Hacked?

The short answer is YES! The extended one: it is harder than a normal hack, not because of the complexity but because of the limited awareness of this topic.

99.9% of people are in their homes without imagining what is going on outside…

People trust that the security of their lives is guaranteed by the government and/or private organizations. Physical security is no longer the biggest concern of a government or company; cyber security is!

Have you heard of the biggest nuclear accident in the world?

Chernobyl Reactor 4

The Chernobyl disaster was a nuclear accident that occurred on Saturday, 26 April 1986, at the No. 4 reactor of the Chernobyl Nuclear Power Plant, near the city of Pripyat in the north of Ukraine. It is considered the worst nuclear disaster in history, both in terms of cost and casualties.

A 2005 assessment predicted that a further 4,000 people might eventually die as a result of the radiation exposure.

The ionizing radiation levels in the worst-hit areas of the reactor building have been estimated to be 5.6 roentgens per second (R/s), equivalent to more than 20,000 roentgens per hour. A lethal dose is around 500 roentgens (~5 Gray (Gy) in modern radiation units) over five hours, so in some areas, unprotected workers received fatal doses in less than a minute.

Do you know about STUXNET?

STUXNET

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran.

But what do these two events have in common?

You’ll see throughout the article…

From Virtual to Physical World

STUXNET was the first computer virus (that we know of) to interact with the physical world. Can you imagine that? A computer virus that can manipulate physical components to cause real physical damage… Come on, this is cool!

How does a Nuclear Plant work?

[Diagram: how a nuclear power plant works]

Looking at the image above, we can see in a simple way how a nuclear power plant works.

Step by Step:

  1. The reactor heats the water inside the core.
  2. The water overheats and becomes steam.
  3. The primary condenser exchanges heat with the core to generate the steam that will spin the turbine.
  4. The turbine rotates under the pressure of the steam, generating electrical energy.
  5. The secondary condenser cools the steam from the turbine, which returns to the primary condenser, cooling the steam from the core.
  6. The secondary condenser is cooled by cold water from the cooling tower, which in turn releases the vapor from the secondary condenser.

This is the basic concept of a nuclear reactor in a nuclear power plant…

In this scenario we have two critical systems that can never fail: the reactor cooling system and the reactor control system.

What happens if one of those systems fails?

The reactor melts down and we have another disaster like Chernobyl.

All nuclear power plants in the world have already been hacked by countries like the United States and China.

These countries maintain backdoors at the plants in anticipation of a possible war, to destroy the plant’s infrastructure and cause radiation deaths, as exposed by Edward Snowden in his files.

That is why the governments and private companies in control of nuclear power plants should be more concerned with the security of their installations.

How to Hack A Nuclear Power Plant?

The reactor control system is in most cases inaccessible, so let’s focus on the reactor cooling system…

The pumps are our target, especially the pump of the primary condenser. Why? Simple: the pump is inside the “Reactor zone”, and everything in this zone is radioactive. So it is obviously a high-priority target to make the reactor melt down and explode!

Wait, are you talking about hacking a PUMP?

Again, THIS IS AN ETHICAL ARTICLE; I’m just showing how it is possible… simple as that!

How are these pumps controlled?

By an Industrial Control System; in 99% of cases the variant is SCADA, which is widely used in industry: robots that assemble cars, traffic lights…

SCADA systems are extremely vulnerable to thousands of attacks… but it is hard to upgrade them to modern protocols or standards, because most systems that use SCADA, like power plants, can’t be stopped for a long time.

For security reasons these systems are not exposed to the internet; they are restricted to the internal network!

Still, STUXNET was able to destroy the Iranian nuclear program… How?

STUXNET was deployed in Iran’s uranium enrichment facilities through the internal monitoring systems.

Internal Monitoring Systems

As mentioned before, SCADA systems are restricted to the internal network, but it is very common to see internal monitoring systems exposing these systems to the internet, the most common ones being RDP and SDN.

Sometimes the government or department responsible for the facility requires these systems to monitor and record internal activities.

Software Defined Networks

In the image below you can see the structure of an SDN (ANDRAX can hack SDN networks natively).

Software Defined Network

As soon as we break in and manage to position ourselves between the SDN interfaces, we scan the internal network for targets.

I will not explain step by step how to break into an SDN because it is something simple; if you do not know how, take a look at our training: Advanced Hacking Training.

Nuclear Power Plant Simulator

For obvious reasons I can’t blow up a real nuclear reactor, so I made a simulator based on my real-world penetration tests in nuclear power plants. More precisely, a simulator of the reactor’s cooling system.

Reactor Simulator

[ You can find the simulator in your Training Dashboard, in the resources tab ]

In the simulator we can see the cooling process, starting with the “Turbine pump” and the “Reactor water pump.”

Three sensors are connected to our registers, which means we will have three readings in the simulator: one for the turbine RPM and one for each pump.

How does this work?

The simulator has been developed to work in the same way as a real cooling system.

Our target is the pump in the “Reactor’s zone”. This pump has a nominal speed of 27,000 RPM and a STEP of 500 RPM. But what is the “STEP”? It is the adjustment the controller makes based on the sensor readings: if the speed is under 27,000 RPM the controller will STEP “over” (up), and if the speed is over 27,000 RPM the controller will STEP “down”… so simple!

Scanning the Network

We are already inside the nuclear power plant network thanks to the SDN hack… so now we need to discover more about the devices on this network.

Running an nmap scan, we detect an interesting host with the IP 10.0.0.75; now let’s scan this device for open ports.

Reactor Cooling System Scan

YEAH! Our scan found a really interesting port. Port 502 is officially assigned to mbap (Modbus Application Protocol).

Let’s investigate more using nmap:

Reactor Cooling System Scan

Here we go! To eliminate false positives we will use modscan to get more information about it.

Reactor Cooling System MODSCAN

That’s it! We have confirmation that this device is an RTU… but, WTF is MODBUS?

MODBUS Introduction

Modbus is a data communications protocol designed for use with programmable logic controllers (PLCs). Modbus has become a de facto standard communication protocol and is now a commonly available means of connecting industrial electronic devices.

The Modbus protocol uses serial communication lines, Ethernet, or the Internet protocol suite as its transport layer.

Modbus is often used to connect a plant/system supervisory computer with a Remote Terminal Unit (RTU) in Supervisory Control and Data Acquisition (SCADA) systems in the electric power industry. Many of the data types are named after the industrial control of factory devices, such as ladder logic, because of its use in driving relays: a single physical output is called a coil, and a single physical input is called a discrete input or a contact.
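From the defender’s side, the traffic to port 502 described above is easy to inspect: the Modbus/TCP MBAP header and function code are plain, unauthenticated fields. The following is an added example (not part of the original article or of ANDRAX) that decodes requests and raises alerts for write function codes that come from a non-allow-listed host or touch the reactor pump’s sensor register; the allow-listed HMI address and the sample frames are constructed for the example, and the register map (register 0 = reactor pump sensor) is taken from this page’s simulator.

```python
import struct

# Modbus function codes that change state on the device (public Modbus spec).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Register 0 is the reactor pump RPM sensor in this page's simulator; the
# writer allow-list (the HMI/controller address) is an assumption.
CRITICAL_REGISTERS = {0: "reactor pump RPM sensor"}
ALLOWED_WRITERS = {"10.0.0.10"}

def parse_mbap(frame: bytes) -> dict:
    """Decode the MBAP header and first PDU fields of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol id is not 0, so this is not Modbus")
    if length != len(frame) - 6:            # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    info = {"tid": tid, "unit": uid, "fc": fc, "write": fc in WRITE_FUNCTIONS}
    if fc in (3, 4, 6):                      # address + (quantity | value)
        info["addr"], second = struct.unpack(">HH", frame[8:12])
        info["value" if fc == 6 else "count"] = second
    elif fc == 16:                           # address + quantity, then data
        info["addr"], info["count"] = struct.unpack(">HH", frame[8:12])
    return info

def alerts_for(frame: bytes, src_ip: str) -> list:
    """Alert strings for one request; an empty list means nothing suspicious."""
    info = parse_mbap(frame)
    if not info["write"]:
        return []                             # reads are normal HMI polling
    name, alerts = WRITE_FUNCTIONS[info["fc"]], []
    if src_ip not in ALLOWED_WRITERS:
        alerts.append(f"{name} from non-allow-listed host {src_ip}")
    first, last = info.get("addr", -1), info.get("addr", -1) + info.get("count", 1) - 1
    for reg, label in CRITICAL_REGISTERS.items():
        if first <= reg <= last:
            alerts.append(f"{name} touches register {reg} ({label})")
    return alerts

# Constructed sample traffic (not a real capture): the HMI polls registers 0-2, then
# an unexpected host writes 35000 (0x88B8) into register 0, as described on this page.
SAMPLE_TRAFFIC = [
    ("10.0.0.10", bytes.fromhex("000100000006010300000003")),
    ("10.0.0.66", bytes.fromhex("0002000000060106000088b8")),
]

def scan(traffic=SAMPLE_TRAFFIC) -> list:
    return [(ip, a) for ip, frame in traffic for a in alerts_for(frame, ip)]
```

Running `scan()` over the constructed traffic yields two alerts for the second frame (unexpected writer, critical register) and none for the poll.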

Hacking the PUMP

If I were an attacker from another country, or just hired to do it, my goal would be to melt down the reactor and cause an explosion and/or a radiation leak… in any case this involves physical damage to the reactor.

There are two actions we can perform here…

As we know that the RTU controller will STEP “over” or STEP “down” if the speed of the fan is not nominal, we can change the speed in the sensor… so the controller will think that the speed is “lower” (for example) and will start the STEP “over” action, trying to raise the fan speed back to nominal…

Let’s see some examples in images:

STEP Down

If we change the speed in the sensor to a FAKE high speed, the controller will try to STEP the speed down, sending commands to the pump PLC to reduce the speed. If we keep sending the FAKE high speed to the controller, it will keep sending STEP down commands to the pump PLC… if this continues for some time, the pressure inside the reactor will become critical very fast, faster than the controllers can handle, the core will melt down and the reactor will explode!

Reactor Cooling System STEP Down

STEP Down ATTACK

Remember that as an attacker we can’t see the simulator screen or the control panel screen in the real world.

So we will use mbtget inside ANDRAX to read the values in the registers…

Reactor Cooling System mbtget

As you can see, we have three registers; just by looking at them we can determine that the reactor’s pump register is register 0.

Register 1 is the secondary condenser pump and register 2 is the turbine RPM.

Now let’s start our STEP Down ATTACK: we will write to the sensor register saying that the speed is 35,000 RPM. As this speed is higher than the nominal speed, the controller will try to STEP down until the reactor’s pump stops completely… the result of this you will see…

Reactor Cooling System STEP DOWN ATTACK

When we start our attack, the controller appears like this:

Reactor Cooling System STEP DOWN ATTACK

As you can see, the RPM sensor shows 35,000 RPM but the FAN RPM is 11,500 RPM and dropping… Why? Because of the STEP down commands that the controller is sending to the pump PLC.

If the attack persists, this is the result:

Reactor Cooling System STEP DOWN ATTACK

The reactor blows up… 1,890 people die in the explosion. The radiation is now at 5.22 roentgens per second…

This is a result that can happen in the same way in the real world!

STEP Over ATTACK

The opposite of STEP Down but with the same mode of operation: we will say that the speed is below nominal, thus making the controller send STEP Over commands to the pump’s PLC.

The pressure inside the core will increase, and even if it does not reach the limit of the reactor core, the pump will explode due to the RPM limit; consequently the reactor will also explode because the water flow is interrupted!

Reactor Cooling System STEP Over

Sending FAKE speed commands to the sensor:

Reactor Cooling System STEP OVER ATTACK

The controller is now STEPPING Over the speed…

Reactor Cooling System STEP OVER ATTACK

And the reactor blows up again…

Reactor Cooling System STEP OVER ATTACK

This time because we reached the limit of the pump’s RPM… The same disaster, but using two different attacks on the same vector…
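Both the STEP Down and STEP Over results above come from the same weakness: the controller trusts the sensor register alone, even though the panel in the screenshots also shows the real fan speed reported by the pump PLC. The following added example (not the simulator’s own code) models the STEP loop with the page’s numbers (27,000 RPM nominal, 500 RPM step) and, beside it, a controller that cross-checks the sensor register against the PLC feedback and stops acting on a reading that stays implausible; the divergence tolerance and the number of tolerated bad cycles are assumed thresholds.

```python
NOMINAL_RPM = 27_000      # reactor pump nominal speed (from the page's simulator)
STEP_RPM = 500            # correction applied per control cycle (from the page)
MAX_DIVERGENCE = 2_000    # assumed tolerance between sensor register and PLC feedback
MAX_BAD_CYCLES = 3        # assumed implausible cycles before the sensor is distrusted

def naive_step(sensor_rpm: int) -> int:
    """Controller as the page describes it: step toward nominal using the sensor alone."""
    if sensor_rpm < NOMINAL_RPM:
        return STEP_RPM        # STEP over
    if sensor_rpm > NOMINAL_RPM:
        return -STEP_RPM       # STEP down
    return 0

def run_naive(spoofed_rpm: int, cycles: int) -> int:
    """Hold the sensor register at a spoofed value; return the real pump RPM afterwards."""
    actual = NOMINAL_RPM
    for _ in range(cycles):
        actual = max(0, actual + naive_step(spoofed_rpm))
    return actual

class HardenedController:
    """Same STEP logic, but the sensor register is cross-checked against the
    PLC's own speed feedback; persistent divergence trips the loop to hold."""
    def __init__(self) -> None:
        self.bad_cycles = 0
        self.tripped = False

    def step(self, sensor_rpm: int, plc_feedback_rpm: int) -> int:
        if self.tripped:
            return 0                          # hold last speed; a real controller alarms here
        if abs(sensor_rpm - plc_feedback_rpm) > MAX_DIVERGENCE:
            self.bad_cycles += 1
            if self.bad_cycles >= MAX_BAD_CYCLES:
                self.tripped = True
            return 0                          # do not act on an implausible reading
        self.bad_cycles = 0
        return naive_step(sensor_rpm)

def run_hardened(spoofed_rpm: int, cycles: int) -> tuple:
    """Same scenario against the hardened controller; returns (pump RPM, tripped)."""
    ctrl, actual = HardenedController(), NOMINAL_RPM
    for _ in range(cycles):
        actual = max(0, actual + ctrl.step(spoofed_rpm, actual))
    return actual, ctrl.tripped
```

With the sensor register held at 35,000 RPM, the naive loop reaches the 11,500 RPM seen in the screenshot after 31 cycles and 0 RPM soon after, while the hardened loop never leaves 27,000 RPM and trips after three implausible readings.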

Conclusion

In this article we have seen how fragile our security is… and that we need a lot of improvements to prevent new disasters… It is only a matter of time until an attacker with a good reason carries out this type of attack on important and dangerous facilities such as nuclear power plants.

Wanna become an Ethical Hacker?

Would you like to become a Hacker? Make money with hacking and have the most advanced knowledge?

Take a look at our Advanced Hacking Training, the most advanced and complete Penetration Testing and Ethical Hacking training ever made.

Advanced Hacking Training