Sonntag, 3. Februar 2013

Japan and Remote Control Stations, how Secure will they be to Cyber Attacks?


An fellow blogger had asked me about my opinion about Japan and Security issues that could be a threat arising from the newly planned remote control stations.  Because I think that this is a very interesting question, I would like to post my answer her, perhaps this is a good subject for discussion and and research.  


"This is a very important issue. In my projects where I am responsible for the cyber security, I do not allow remote control rooms outside the plant. This should be a requirement for all safety, non safety and operational I&C systems (all systems within the cyber security Zone model) to not have a network or internet connection to the outside). The reason is, that I see a lot of problems with a remote control or maintenance station unless, it fulfills very specific cyber security requirements. Let me give you a scenario. Usually, remote control stations do not have the same physical security measures’ as the plant has. They are not occupied all the time, so it is very easy to gain access. I do not know what the Japanese plans are, but let me include a picture of a remote control station from the US .

( I can not find that picture to save my life, but it shows a regular family home in the suburbs. This is supposed to disguised the fact, that this was a remote controlled substation)
 
That being said, it is the weakest and easiest access point for intruders or malicious indented people. Even though the Japanese are perhaps planning on using wired connections, they want to have the remote station to be able to control the systems, meaning one way communication via hard wire to the systems, meaning you can control the plant and the I&C systems from outside the plant. And what about hardening? Are they going to close non needed ports and vulnerabilities that could be exploited from a remote station? What if they do not use a hardwired connection, can you come and connect a laptop to the hub and gain access, do a traffic analysis and see packages and assign yourself an IP address and gain access to the network and see other remote stations on the grid? As you see, there are too many questions. I would definitely have strict requirements such as:
  • Physical protection and security at all times
  • Occupation of the station with personal at all times
  • Risk analysis
  • Cyber security requirements (I am unclear on what regulations they would use as a basis)
  • Us hardened systems and perhaps a data diode if necessary for one way data exchange (monitoring purposes)
  • Design safety I&C in that manner that you can send via hard wire commands to ignore all other system interactions and commands and execute the emergency action.
  • Or only allow a connections to the hard wired emergency back up systems
 I mean, they should defiantly be required to do a cyber security not safety but security detailed analysis with different attack way scenarios to get a clear picture of the requirements and controls needed.
 
 Manolya Rowe

Introduction to Nuclear Cyber Security



Introduction
The development of nuclear energy accompanied the invention of the computers, which brought about a development that we would call the Third Industrial Revolutio. This development generated a complex of economic, political, social effects that is in some cases like in the case of power plant safety, considered national security. In this content, power plants belong to the ICS category.  Industrial control system (ICS) is a vague term to describe several types of control systems used in industrial production such as in electric, gas or water plants, as well as supervisory control and data acquisition (SCADA) systems, distributed control systems [use fully qualified domain names (FQDN) ](DCS), and other control systems (Wikipedia, 2011). All of these are defined as critical infrastructures and are considered national security objects. These infrastructures need to be protected for cyber incidents, which is defined by the NIST as: “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits (FIBS PUB, 2006).[2] These threads might be intentional melisouse ? attacks or unintentional by caused by untrained or careless employees. In addition modern networking and communication technologies used to improve also create new cyber vulnerabilities. Care must be exercised in the selection, implementation, and operation of cyber-vulnerable ICS technologies.

Freitag, 23. November 2012

How real is the risk?

One question that comes up in the industry over and over again is: "How real is the cyber threat to the Nuclear industry, or the I&C systems really?". I do understand that this is a legitimate question, especially since Cyber Security was until the last couple of years, not one of the biggest nuclear concerns. Hackers and other malicious people, where most likely not interested in hacking in to a NPP or an I&C system, since these systems existed in closed networks with no connection to the internet. That was and still is a wide spread belief.

The physical protection and safety measures of the facility had dealt with any unwanted intruders just fine. The systems are locked up and unreachable, so what the hype about?
"We have always done it this way, we don't need anything extra fancy, a new movement called IT Security, that will take time and cost to much money. Thank you, but no thank you."

There are two major problems I have with this:
One:
Physical protection does not protect against the insider threat and does not protect against digital intrusion.

Two:
SCADA and I&C systems SW is not patched and upgraded as well as commercial systems are, because of the same false sense of security that has been haunting the industry for many years.[ref 1]

The question: "Do we really need cyber security,"  is really ignorant to me and not really excusable. In today's capitalistic economy, with our most precious assets being electricity,  power grids, water and waste, gas and transportation ect..., we shall not forget that these systems and facilities are being converted to run with digital I&C or already run with digital I&C. So looking back, the question of "Do we really need Cyber  Security," appears rather unnecessary and foolish to me.

The treat is real. I don't want to be the one that delivers the bad news, but I&C systems do face real cyber threats. Here are a couple of reasons :

  1. The facility and systems may be connected to a remote control station for vendor updates.
  2. Systems are not as regularly patched like commercial systems after commissioning. SW updates or changes happen only once in a blue moon, especially for sub systems and maintenance systems running with COTS.
  3. The Utility may not have a System Security Plan.
  4. The employees may be vulnerable for social engineering due to no or insufficient IT Security Training. 
[Ref 1] [Ref 2]    
That being said, you can "Google" I&C hacks and find out instantly about some incidents you can read up on. The British Columbia Institute of Technology (BCIT) keeps a database of accidental and intentional cyber incidents, that affect control systems.

  • In 2004 they had cataloged 34 incidents 
  • They are at least 100 industrial cyber incidents a year (Extrapolating)

According to the Computer Security Institute and the FBI, most incidents go unreported, especially when small breaches happen.The BCIT data shows an increasing trend of incidents perpetrated by outsiders. Example:

  • 31% being responsible during the 1980-2000 period
  • 70% being responsible during the 2001-2003 period 
Records of actual incidents include examples of any security breach possible, except terrorist threats. [Ref 3]

Here are some of I&C hack examples:

  • SCADA raiders [Ref 4]:
This was an experiment and it showed how easy the systems of an U.S NPP could be compremised through a remote control station and some open source SW.
  • The slammer worm [Ref 5]:
The Davis-Base Nuclear Plant (Ohio) got hit by the SQL Slammer worm in January of 2003, after the NPP was of-line for almost a year for safty repairs and upgrates. The worm infected and disabled their:
  • Safty Parameter Display System for five houers
  • Plant Proccess Computer for six hours
Both monitoring systems had analog back up that where not affected. The worm reach the systems through a remote contractors link to the corporate network, which at some point connected to the I&C systems.
  •  Stuxnet virus:
Attacked a Siemens S7 system in 2010 in an Iranien NPP. The virus was very complex and went undetected  for couple of month. There is much controversy about how the virus was engineered and reach the systems. A good place for more information is to watch my friends Ralph Langers youtube videos about the virus.
  • Australia's Maroochy Shire Council Hack [Ref 1]:
The Council's sewer pumping station was attacked by an insider, as supervisor for contractors installing a SCADA system for a sewer system with 150 pumping stations. 
The damage was that alarms were turned off, loss of communication, pumps where not activating at appropriated times and release of raw sewage in to the drinking water. Mr. Vitek Boden hacked in to the facility from his car, using a data radio that he stole from his former employer and one of the local processors he had also stolen. 
These few examples should show that I&C hacks and treats are real. I am sure current data is even more overwhelming.


Fact is, to realize that NPP's digital assets are becoming more interesting targets for attackers is the right way of thinking. So stay ahead of the game, evaluate and implement IT Security, Utility wide and system specific.


Manolya Rowe

References:

  1. http://www.sans.org/reading_room/whitepapers/warfare/security-critical-infrastructure-scada-systems_1644
  2. http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
  3. http://www.bcit.ca/
  4. Wil Allsopp, 2009, Unauthorized access, John Wiley and Son publishing.
  5. http://de.wikipedia.org/wiki/SQL_Slammer  


Privacy
The owner of this blog does not share personal information with third-parties nor does the owner store information that is collected about your visit for use other than to analyze content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. The owner is not responsible for the republishing of the content found on this blog on other Web sites or media without permission.
Blog Comments
The owner of this blog reserves the right to edit or delete any comments submitted to this blog without notice due to;
1. Comments deemed to be spam or questionable spam
2. Comments including profanity
3. Comments containing language or concepts that could be deemed offensive
4. Comments that attack a person individually
Terms and Conditions
All content provided on this blog is for informational purposes only. All content provided on this blog is the personal opinion of the blog owner and does not represent the opinion of any company, employer or government official. The content on this blog is strictly the opinion of the blogger not intended to malign any religion, state, country, industry, company, employer, religion, ethic group, club, organisation, or individual. The owner of this blog is not responsible or can be made liable for comments made by readers or anybody or anyone visiting his blog, nor the laws the commentor brakes in his country or the bloggers country Due to the nature of technology and evolution of information, the information represented in this blog, although it is strictly the opinion of the blog owner, may not be accurate tomorrow or in the future. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. The owner of this blog does not want to cause any harm and is not liable for any harm subject from personal interpretation of facts by any blog visitor or reader, again, the information presented in this blog is the personal opinion of the blog owner, it is not to be taken absolute  as advice or counsel. The blog owner is not responsible or liable of any translation or interpretation. The blog owner can not be made responsible or liable for any financial claims. This policy is subject to change at anytime.

Donnerstag, 22. November 2012

Welcome,

I just want to take the opportunity to say thank you for coming around my blog. I am an IT Security professional, with a passion for nuclear digital systems security. In my blogs, I want to go over how to implement the right security program for individual systems, system architectures and entire Nuclear Power Plants (NPP). Buzz words like; risk ownership, level of security, residual risk and security analysis should steer up some good conversations and discussions.

IT Security in it self is a very new field, and it is even newer in the nuclear industry. There are many unanswered questions. What is the best IT Security program for my facility, how much protection do I need, what do I need to do, to get my security program approved by the authorities? To me, these questions are exciting and fun, it lays down the groundwork for research and I have to say, I love research. Nevertheless, IT Security or Cyber Security at Nuclear Power Plants are serious, sensitive topics, that are not discussed openly in public.
The key to a better future is knowledge, transparency and building trust. That is why I decided to start this blog.

Hope you will enjoy.

Sincerely

Manolya Rowe  

Privacy
The owner of this blog does not share personal information with third-parties nor does the owner store information that is collected about your visit for use other than to analyze content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. The owner is not responsible for the republishing of the content found on this blog on other Web sites or media without permission.
Blog Comments
The owner of this blog reserves the right to edit or delete any comments submitted to this blog without notice due to;
1. Comments deemed to be spam or questionable spam
2. Comments including profanity
3. Comments containing language or concepts that could be deemed offensive
4. Comments that attack a person individually
Terms and Conditions
All content provided on this blog is for informational purposes only. All content provided on this blog is the personal opinion of the blog owner and does not represent the opinion of any company, employer or government official. The content on this blog is strictly the opinion of the blogger not intended to malign any religion, state, country, industry, company, employer, religion, ethic group, club, organisation, or individual. The owner of this blog is not responsible or can be made liable for comments made by readers or anybody or anyone visiting his blog, nor the laws the commentor brakes in his country or the bloggers country Due to the nature of technology and evolution of information, the information represented in this blog, although it is strictly the opinion of the blog owner, may not be accurate tomorrow or in the future. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. The owner of this blog does not want to cause any harm and is not liable for any harm subject from personal interpretation of facts by any blog visitor or reader, again, the information presented in this blog is the personal opinion of the blog owner, it is not to be taken absolute  as advice or counsel. The blog owner is not responsible or liable of any translation or interpretation. The blog owner can not be made responsible or liable for any financial claims. This policy is subject to change at anytime.