The US Nuclear Regulatory Commission (NRC) has been hacked three times in the past three years, a report has revealed.
Two of the attacks have been attributed to criminals of foreign descent, while the third attacker has not been identified, according to an inspector general report obtained by Nextgov through a public records request.
The NRC maintains high-value data, including the location and condition of nuclear reactors, and inventories of plants that handle weapons-grade materials.
But US agencies are not required to report data breaches, unless there is evidence that personal information has been exposed.
The executive order called for a framework for assisting organisations responsible for critical infrastructure services to manage cyber security risk.
Like the UK, a large proportion of US organisations responsible for critical national infrastructure, such as electrical power and water supplies, are private sector companies.
According to the NRC report, one of the hacking incidents involved phishing emails aimed at harvesting logon credentials, by asking staff to verify their user accounts by clicking on a link and logging in.
The NRC cleared the computer systems and changed the user profiles of about a dozen staff members who clicked on the link despite an annual cyber security awareness training programme.
NRC staff members were also targeted using spearphishing emails that linked to malware, the report said, while in one case the attackers broke into a staff member’s email account.
The first stage to any targeted attack is information gathering and preparation, according to Andrey Nikishin, special projects director of future technologies at Kaspersky Lab.
“Attackers will scour social media for information on staff who can be targeted through well-crafted email phishing attacks,” he said.
The NRC report reveals that investigators have been unable to identify the source of the attack in which the email account was compromised because all relevant log records had been destroyed.
The report is based on an investigation into potential compromises of NRC computers from 2010 to November 2013.
Investigators identified a total of 17 compromises or attempted compromises. A follow up investigation is reportedly planned at the NRC before the end of 2014.
An NRC spokesman said the agency’s security office detects and thwarts the vast majority of attempted cyber attacks, and that the “few attempts” documented by the report had been detected and “appropriate measures” had been taken.
Read more on critical national infrastructure
- US researchers find 25 security vulnerabilities in SCADA systems
- Critical infrastructure providers are less engaged with government cyber protection
- Government to monitor companies supporting critical national infrastructure
- Is UK critical national infrastructure properly protected?
- Cyber security study reveals mismatch between awareness and preparedness
- Critical infrastructure security in dire need for standards