A fellow blogger asked me for my opinion on Japan and the security issues that could arise as a threat from the newly planned remote control stations. Because I think this is a very interesting question, I would like to post my answer here; perhaps this is a good subject for discussion and research.
"This is a very important issue. In my projects where I am responsible for the cyber security, I do not allow remote control rooms outside the plant. This should be a requirement for all safety, non-safety and operational I&C systems (all systems within the cyber security zone model): no network or internet connection to the outside. The reason is that I see a lot of problems with a remote control or maintenance station unless it fulfills very specific cyber security requirements. Let me give you a scenario. Usually, remote control stations do not have the same physical security measures as the plant has. They are not occupied all the time, so it is very easy to gain access. I do not know what the Japanese plans are, but let me include a picture of a remote control station from the US.
(I cannot find that picture to save my life, but it shows a regular family home in the suburbs. This was supposed to disguise the fact that it was a remote-controlled substation.)
That being said, it is the weakest and easiest access point for intruders or people with malicious intent. Even though the Japanese are perhaps planning on using wired connections, they want the remote station to be able to control the systems, meaning one-way communication via hard wire to the systems, meaning you can control the plant and the I&C systems from outside the plant. And what about hardening? Are they going to close unneeded ports and vulnerabilities that could be exploited from a remote station? What if they do not use a hardwired connection? Can you come and connect a laptop to the hub and gain access, do a traffic analysis, see packets, assign yourself an IP address, gain access to the network and see other remote stations on the grid? As you see, there are too many questions. I would definitely have strict requirements such as:
- Physical protection and security at all times
- Staffing of the station with personnel at all times
- Risk analysis
- Cyber security requirements (I am unclear on what regulations they would use as a basis)
- Use hardened systems and perhaps a data diode, if necessary, for one-way data exchange (monitoring purposes)
- Design the safety I&C in such a manner that you can send commands via hard wire to ignore all other system interactions and commands and execute the emergency action.
- Or only allow connections to the hard-wired emergency backup systems