Sunday, 3 February 2013

Japan and Remote Control Stations: How Secure Will They Be Against Cyber Attacks?


A fellow blogger asked me for my opinion on Japan and the security issues that could arise from the newly planned remote control stations. Because I think this is a very interesting question, I would like to post my answer here; perhaps it is a good subject for discussion and research.


"This is a very important issue. In my projects where I am responsible for cyber security, I do not allow remote control rooms outside the plant. It should be a requirement for all safety, non-safety and operational I&C systems (all systems within the cyber security zone model) to have no network or internet connection to the outside. The reason is that I see a lot of problems with a remote control or maintenance station unless it fulfills very specific cyber security requirements. Let me give you a scenario. Usually, remote control stations do not have the same physical security measures as the plant has. They are not occupied all the time, so it is very easy to gain access. I do not know what the Japanese plans are, but let me include a picture of a remote control station from the US.

(I cannot find that picture to save my life, but it shows a regular family home in the suburbs. This was supposed to disguise the fact that it was a remote-controlled substation.)
 
That being said, it is the weakest and easiest access point for intruders or people with malicious intent. Even though the Japanese are perhaps planning on using wired connections, they want the remote station to be able to control the systems, meaning one-way communication via hard wire to the systems, meaning you can control the plant and the I&C systems from outside the plant. And what about hardening? Are they going to close unneeded ports and vulnerabilities that could be exploited from a remote station? What if they do not use a hardwired connection: can you come and connect a laptop to the hub and gain access, do a traffic analysis and see packets, assign yourself an IP address, gain access to the network and see other remote stations on the grid? As you see, there are too many questions. I would definitely have strict requirements such as:
  • Physical protection and security at all times
  • Occupation of the station with personnel at all times
  • Risk analysis
  • Cyber security requirements (I am unclear on what regulations they would use as a basis)
  • Use hardened systems and perhaps a data diode if necessary for one-way data exchange (monitoring purposes)
  • Design the safety I&C in such a manner that you can send commands via hard wire that ignore all other system interactions and commands and execute the emergency action.
  • Or only allow connections to the hard-wired emergency backup systems
 I mean, they should definitely be required to do a detailed cyber security analysis (security, not just safety) with different attack path scenarios to get a clear picture of the requirements and controls needed.
 
 Manolya Rowe

Introduction to Nuclear Cyber Security



Introduction
The development of nuclear energy accompanied the invention of the computer, which brought about a development that we would call the Third Industrial Revolution. This development generated a complex of economic, political and social effects that in some cases, like power plant safety, is considered national security. In this context, power plants belong to the ICS category. Industrial control system (ICS) is a general term describing several types of control systems used in industrial production, such as in electric, gas or water plants, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control systems (Wikipedia, 2011). All of these are defined as critical infrastructures and are considered national security objects. These infrastructures need to be protected from cyber incidents, which NIST defines as: “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits” (FIPS PUB, 2006).[2] These threats might be intentional malicious attacks or unintentional, caused by untrained or careless employees. In addition, the modern networking and communication technologies used to improve these systems also create new cyber vulnerabilities. Care must be exercised in the selection, implementation, and operation of cyber-vulnerable ICS technologies.

Friday, 21 December 2012

Implementing Cyber Security at Nuclear Power Plants


As of February 2, 2012 there were 439 nuclear power plants in operation worldwide. Most of these existing NPPs were constructed between 1960 and 2000 [Ref 1]. These NPPs are controlled primarily by analog systems, which for one produce less energy and, second, are resistant to cyber attacks. But with the turn of the century, the increased demand for energy and the positive effort of reducing carbon emissions and fighting global warming, newer and more productive NPPs with digital systems were designed. At the same time, older NPPs increasingly rely on computers to run auxiliary and monitoring systems.



That is why I wrote about the importance of cyber security for nuclear power plants in my last blog post. Now it is time to spend some thought on how to accomplish the task of cyber security and decide on a good security program that covers the NPP's needs. The main point is to establish a fitting cyber security architecture that lays out all the areas and needs of a specific NPP, or maybe even of a group of systems. To put it very simply, how you build your security architecture will most likely depend on the following four basic questions:

1. Why
2. What
3. When
4. How

The answers to each of these questions will depend on the current state of the utility and its future plans. As an example:

1. Why

Most likely, an NPP or utility has to implement or extend its cyber security program for the following reasons:

1) The older analog systems will be updated to new digital programmable systems
2) The NPP is a new build or has a new extension
3) The regulatory bodies ask you to include cyber or IT security to complement the safety program
4) Internationally it is becoming the norm and is expected in today's digital operational environment
5) To achieve a state-of-the-art nuclear operation that reflects positively on your nuclear program

With these questions answered, the next question should provide more detail:
2. What


Here you can use a top-down approach to analyse the scope of the security program's implementation. A good point to start is to evaluate each safety zone and determine whether there is a need for security implementation. Divided into three main areas, these would be:


1) External network infrastructure (internet, remote business peers or backup control center)
2) Corporate LAN
3) Control Systems LAN

The control systems LAN could then be broken down further:

1) I&C Architecture and Network (According to operational areas and safety zones for example)
2) System
3) Subsystems
4) Software components
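As an added illustration of the zone breakdown above, and of the one-way data diode and "no outside connection into the I&C zone" requirements from the remote control station post, here is a small Python checker that audits a list of proposed network links against a zone model. This is example code written for this page, not the blog's own or any standard's exact model: the zone names, trust levels, the two rules and the sample links are all constructed assumptions, and the hard-wired emergency command path from that post is deliberately left out.

```python
"""Zone-model link audit (added example; zones, levels, rules and links are constructed)."""
from dataclasses import dataclass
from typing import List, Tuple

# Trust levels: a higher number means a more critical zone. Constructed for this example,
# loosely following the post's external / corporate LAN / control systems LAN breakdown.
ZONES = {
    "external": 0,        # internet, remote business peers, backup control centre
    "corporate_lan": 1,
    "control_lan": 2,     # I&C architecture and network
    "safety_system": 3,   # safety I&C, a subsystem inside the control LAN
}


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    direction: str   # "one_way" (data diode, src -> dst only) or "two_way"
    purpose: str


def check_link(link: Link) -> List[str]:
    """Evaluate one proposed link against the constructed rules; an empty list means acceptable."""
    src_lvl, dst_lvl = ZONES[link.src], ZONES[link.dst]
    if src_lvl == dst_lvl:
        return []                                   # intra-zone traffic is out of scope here
    findings = []
    high = link.src if src_lvl > dst_lvl else link.dst   # the more critical end of the link
    # Rule 1: a path must go through the neighbouring zone; no external -> control LAN shortcut.
    if abs(src_lvl - dst_lvl) > 1:
        findings.append(f"{link.purpose}: {link.src}->{link.dst} skips an intermediate zone")
    # Rule 2: the control/safety side may only export data one way (data diode, for monitoring).
    # Two-way paths and inbound one-way paths would allow control from outside the zone.
    if ZONES[high] >= ZONES["control_lan"]:
        if link.direction == "two_way":
            findings.append(f"{link.purpose}: two-way path into {high}; only a one-way export is allowed")
        elif link.src != high:
            findings.append(f"{link.purpose}: one-way path flows into {high}; the diode must point outward")
    return findings


def audit(links: List[Link]) -> List[Tuple[str, List[str]]]:
    """Run check_link over every proposed link, keeping the purpose label for reporting."""
    return [(link.purpose, check_link(link)) for link in links]


# Constructed sample of proposed links for a fictional plant.
SAMPLE_LINKS = [
    Link("external", "corporate_lan", "two_way", "business VPN"),
    Link("corporate_lan", "control_lan", "two_way", "engineering workstation access"),
    Link("control_lan", "corporate_lan", "one_way", "historian export via data diode"),
    Link("external", "control_lan", "two_way", "vendor remote maintenance"),
    Link("corporate_lan", "safety_system", "one_way", "remote parameter download"),
]

if __name__ == "__main__":
    for purpose, findings in audit(SAMPLE_LINKS):
        status = "OK " if not findings else "FAIL"
        print(f"[{status}] {purpose}")
        for f in findings:
            print(f"        - {f}")
```

The point of running such a check over the whole link inventory rather than reviewing links one at a time is that the "vendor remote maintenance" and "remote parameter download" entries, which look harmless individually, are exactly the paths the remote control station post warns about: they either skip the corporate zone or would let commands flow into the control side.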

With the increase in computers and digital systems and the several security concerns mentioned in the previous article, like the US-based Slammer worm and the Stuxnet virus in Iran for example, the demand for cyber security to complement nuclear safety has increased massively in the last couple of years, and the attention of regulatory bodies like the IAEA and the NRC has been directed at cyber security at nuclear power plants.


Now the question of "When" is not easily answered for the general public. On a very generic basis, it can be assumed that the utility wants to update I&C systems because it would like to be more productive. According to the IAEA: "Progress in electronics and information technology (IT) has created incentives to replace traditional analog instrumentation and control (I&C) systems in nuclear power plants with digital I&C systems, i.e. systems based on computers and microprocessors.

Digital systems offer higher reliability, better plant performance and additional diagnostic capabilities. Analog systems will gradually become obsolete in the general IT shift to digital technology. About 40% of the world’s operating reactors have been modernized to include at least some digital I&C systems. Most newer plants also include digital I&C systems." [Ref 2]


The change from analog to digital I&C systems has posed new challenges for the industry and regulators, who have had to create new regulations and data and develop methods to guide, lead and assure safe operations for utilities. It is essential that the new systems meet all reliability and performance requirements, of course, but also the cyber security requirements that ensure safe operations. This leads to the last question, "How".

How do utilities, suppliers and operators implement cyber security programs, and how much is enough? This is a difficult question and a much more difficult task, because the subject of cyber security for NPPs is a very new one and is still developing from year to year. There will be some cyber security programs for NPPs that can be used as examples, but for now each risk owner is responsible for handling its own risk and mastering the exciting challenges with the help of regulatory guidance. Although there are not yet specific regulatory guidelines for cyber security of I&C systems at NPPs, except in the USA, the regulations of IEC 63513 and IAEA # 17 NS [Ref 3] give a good overview of what is demanded of a good cyber security program. The following is a short summary of the information that can be extracted from these regulations, for example:

  • develop a security program and have trained security professionals
  • implement IT security training for all that deal with digital assets
  • implement cyber security in each project that has critical digital assets
  • develop a cyber security program that covers the entire life cycle of the project and system development
  • develop cyber security requirements for design, implementation and operation   

Most likely, different countries will use different regulations. How much security you have to implement should not be measured by political debates or determined by the number of physical protection layers assigned, but should be based on a risk assessment that outlines the real-time risk, the security measures already implemented and the impact in case of a cyber security problem. Implementing this kind of detailed and transparent security program will not only make the individual systems secure, but ensure a state-of-the-art and safe operation on a global scale.
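To make the "risk assessment, not number of protection layers" point concrete, here is an added Python example (not the blog's own code or any regulator's method) that ranks digital assets by residual risk: the likelihood before controls, reduced by the controls already implemented, multiplied by impact. The 1..5 scales, the "fraction of likelihood removed" model for controls, the threshold, and the asset register with its scores are all constructed assumptions for the example.

```python
"""Residual-risk ranking (added example; assets, scores and control effectiveness are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    likelihood: int                     # 1 (rare) .. 5 (expected), with no controls in place
    impact: int                         # 1 (negligible) .. 5 (safety-relevant loss)
    # Control name -> fraction of the remaining likelihood it removes (0.0 .. 1.0).
    # Constructed scale; the post does not prescribe one.
    controls: Dict[str, float] = field(default_factory=dict)


def validate(asset: Asset) -> None:
    """Reject scores outside the assumed scales so a typo cannot silently hide a risk."""
    if not 1 <= asset.likelihood <= 5 or not 1 <= asset.impact <= 5:
        raise ValueError(f"{asset.name}: likelihood and impact must be 1..5")
    for name, eff in asset.controls.items():
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"{asset.name}: control '{name}' effectiveness must be 0..1")


def residual_likelihood(asset: Asset) -> float:
    """Apply the controls already implemented; they are assumed to act independently."""
    validate(asset)
    remaining = 1.0
    for eff in asset.controls.values():
        remaining *= 1.0 - eff
    return asset.likelihood * remaining


def residual_risk(asset: Asset) -> float:
    """Residual likelihood times impact; in this model controls reduce likelihood, not impact."""
    return residual_likelihood(asset) * asset.impact


def rank(assets: List[Asset], threshold: float = 6.0) -> List[Tuple[str, float]]:
    """Assets whose residual risk is still above the tolerated threshold, highest first."""
    scored = [(a.name, residual_risk(a)) for a in assets]
    return sorted([s for s in scored if s[1] > threshold], key=lambda s: s[1], reverse=True)


# Constructed register for a fictional plant; values are illustrative only.
SAMPLE_ASSETS = [
    Asset("Safety Parameter Display System", 4, 5, {"zone firewall": 0.5, "host hardening": 0.5}),
    Asset("Plant Process Computer", 4, 4, {"zone firewall": 0.5}),
    Asset("Vendor remote maintenance link", 5, 4, {}),
    Asset("Corporate mail server", 5, 2, {"patching": 0.75}),
]

if __name__ == "__main__":
    for name, score in rank(SAMPLE_ASSETS):
        print(f"{score:5.2f}  {name}")
```

With these constructed numbers the safety-relevant display system drops below the threshold because two controls are already in place, while the uncontrolled vendor link stays on top of the list; that is the kind of transparent, control-aware picture the paragraph above asks for, as opposed to counting protection layers.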


The following websites are examples of research material for the electrical industry:      






 References:


  1. http://en.wikipedia.org/wiki/Nuclear_power_plant
  2. Instrumentation and Control (I&C) Systems in Nuclear Power Plants: A Time of Transition: http://www.iaea.org/About/Policy/GC/GC52/GC52InfDocuments/English/gc52inf-3-att5_en.pdf
  3. www.iaea.org
The disclaimer from the "Welcome Page" is also 100%

Friday, 23 November 2012

How real is the risk?

One question that comes up in the industry over and over again is: "How real is the cyber threat to the nuclear industry, or to the I&C systems, really?" I do understand that this is a legitimate question, especially since cyber security was, until the last couple of years, not one of the biggest nuclear concerns. Hackers and other malicious people were most likely not interested in hacking into an NPP or an I&C system, since these systems existed in closed networks with no connection to the internet. That was, and still is, a widespread belief.

The physical protection and safety measures of the facility have dealt with any unwanted intruders just fine. The systems are locked up and unreachable, so what's the hype about?
"We have always done it this way; we don't need anything extra fancy, a new movement called IT security that will take time and cost too much money. Thank you, but no thank you."

There are two major problems I have with this:
One:
Physical protection does not protect against the insider threat and does not protect against digital intrusion.

Two:
SCADA and I&C system software is not patched and upgraded as well as commercial systems are, because of the same false sense of security that has been haunting the industry for many years. [Ref 1]

The question "Do we really need cyber security?" is really ignorant to me and not really excusable. In today's capitalist economy, with our most precious assets being electricity, power grids, water and waste, gas and transportation etc., we should not forget that these systems and facilities are being converted to run with digital I&C or already run with digital I&C. So looking back, the question "Do we really need cyber security?" appears rather unnecessary and foolish to me.

The threat is real. I don't want to be the one that delivers the bad news, but I&C systems do face real cyber threats. Here are a couple of reasons:

  1. The facility and systems may be connected to a remote control station for vendor updates.
  2. Systems are not patched as regularly as commercial systems after commissioning. Software updates or changes happen only once in a blue moon, especially for subsystems and maintenance systems running on COTS.
  3. The utility may not have a System Security Plan.
  4. The employees may be vulnerable to social engineering due to no or insufficient IT security training.
[Ref 1] [Ref 2]    
That being said, you can "Google" I&C hacks and instantly find some incidents you can read up on. The British Columbia Institute of Technology (BCIT) keeps a database of accidental and intentional cyber incidents that affect control systems.

  • In 2004 they had catalogued 34 incidents
  • There are at least 100 industrial cyber incidents a year (extrapolating)

According to the Computer Security Institute and the FBI, most incidents go unreported, especially when small breaches happen. The BCIT data shows an increasing trend of incidents perpetrated by outsiders. Example:

  • Outsiders were responsible for 31% during the 1980-2000 period
  • Outsiders were responsible for 70% during the 2001-2003 period
Records of actual incidents include examples of every possible kind of security breach, except terrorist threats. [Ref 3]

Here are some I&C hack examples:

  • SCADA Raiders [Ref 4]:
This was an experiment, and it showed how easily the systems of a U.S. NPP could be compromised through a remote control station and some open source software.
  • The Slammer worm [Ref 5]:
The Davis-Besse nuclear plant (Ohio) was hit by the SQL Slammer worm in January 2003, after the NPP had been offline for almost a year for safety repairs and upgrades. The worm infected and disabled their:
  • Safety Parameter Display System for five hours
  • Plant Process Computer for six hours
Both monitoring systems had analog backups that were not affected. The worm reached the systems through a remote contractor's link to the corporate network, which at some point connected to the I&C systems.
  • Stuxnet virus:
Attacked a Siemens S7 system in 2010 in an Iranian NPP. The virus was very complex and went undetected for a couple of months. There is much controversy about how the virus was engineered and reached the systems. A good place for more information is my friend Ralph Langner's YouTube videos about the virus.
  • Australia's Maroochy Shire Council hack [Ref 1]:
The Council's sewer pumping station was attacked by an insider, a supervisor for the contractors installing a SCADA system for a sewer system with 150 pumping stations.
The damage: alarms were turned off, communication was lost, pumps were not activating at the appropriate times, and raw sewage was released into the drinking water. Mr. Vitek Boden hacked into the facility from his car, using a data radio that he stole from his former employer and one of the local processors he had also stolen.
These few examples should show that I&C hacks and threats are real. I am sure current data is even more overwhelming.


The fact is, realizing that NPPs' digital assets are becoming more interesting targets for attackers is the right way of thinking. So stay ahead of the game: evaluate and implement IT security, utility-wide and system-specific.


Manolya Rowe

References:

  1. http://www.sans.org/reading_room/whitepapers/warfare/security-critical-infrastructure-scada-systems_1644
  2. http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
  3. http://www.bcit.ca/
  4. Wil Allsopp, 2009, Unauthorized access, John Wiley and Son publishing.
  5. http://de.wikipedia.org/wiki/SQL_Slammer  


Privacy
The owner of this blog does not share personal information with third-parties nor does the owner store information that is collected about your visit for use other than to analyze content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. The owner is not responsible for the republishing of the content found on this blog on other Web sites or media without permission.
Blog Comments
The owner of this blog reserves the right to edit or delete any comments submitted to this blog without notice due to:
1. Comments deemed to be spam or questionable spam
2. Comments including profanity
3. Comments containing language or concepts that could be deemed offensive
4. Comments that attack a person individually
Terms and Conditions
All content provided on this blog is for informational purposes only. All content provided on this blog is the personal opinion of the blog owner and does not represent the opinion of any company, employer or government official. The content on this blog is strictly the opinion of the blogger and is not intended to malign any religion, state, country, industry, company, employer, ethnic group, club, organisation, or individual. The owner of this blog is not responsible and cannot be made liable for comments made by readers or anybody visiting this blog, nor for the laws the commenter breaks in his country or the blogger's country. Due to the nature of technology and the evolution of information, the information represented in this blog, although it is strictly the opinion of the blog owner, may not be accurate tomorrow or in the future. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. The owner of this blog does not want to cause any harm and is not liable for any harm resulting from personal interpretation of facts by any blog visitor or reader; again, the information presented in this blog is the personal opinion of the blog owner and is not to be taken as absolute advice or counsel. The blog owner is not responsible or liable for any translation or interpretation. The blog owner cannot be made responsible or liable for any financial claims. This policy is subject to change at any time.

Thursday, 22 November 2012

Welcome,

I just want to take the opportunity to say thank you for coming around to my blog. I am an IT security professional with a passion for nuclear digital systems security. In my blog posts, I want to go over how to implement the right security program for individual systems, system architectures and entire Nuclear Power Plants (NPP). Buzz words like risk ownership, level of security, residual risk and security analysis should stir up some good conversations and discussions.

IT security in itself is a very new field, and it is even newer in the nuclear industry. There are many unanswered questions: What is the best IT security program for my facility? How much protection do I need? What do I need to do to get my security program approved by the authorities? To me, these questions are exciting and fun; they lay down the groundwork for research, and I have to say, I love research. Nevertheless, IT security or cyber security at nuclear power plants is a serious, sensitive topic that is not discussed openly in public.
The key to a better future is knowledge, transparency and building trust. That is why I decided to start this blog.

Hope you will enjoy.

Sincerely

Manolya Rowe  
