Nuclear Cyber Security<br />
<br />
<b>Blurry water turned clear, the dust settled and distress about the personal threats gone with the wind.</b> (2016-08-10)<br />
<br />
Dear Readers,<br />
It has been a while since I have touched my blog. If you have been following me, you might have asked yourself: "What happened, why did she stop so suddenly?"<br />
<br />
This is a good question and a valid one. I had many readers who appreciated the honest information. But I also had some very troubling feedback. I was told to stop my blog or I was going to lose my job. Let's call them "people from the industry"; they had issues with the information I provided, out of paranoia. Lawyers got involved, and the hassle and the headaches just became too much at the time.<br />
So I decided to let it rest.<br />
<br />
People came and went, lawyers came and went, jobs changed, but my passion for nuclear cyber security never went away. Blurry water turned clear, the dust settled and distress about the personal threats gone with the wind. In clear: I don't give a $§/% anymore :-)!<br />
<br />
I truly believe that open communication, education and sharing of knowledge are the basis for strengthening cyber security in the industry. Therefore, I will start up my writing again and try to create a platform for questions, discussion and information for anybody who cares about the subject.<br />
<br />
Please help me with your comments and questions to pick up from where I left off. I would like to hear what questions you have about nuclear cyber security and what discussions you would like to see started.<br />
<br />
I want to say thank you to all my readers who kept sending me supportive messages and kept checking for new posts.<br />
<br />
<b>Japan and Remote Control Stations: How Secure Will They Be Against Cyber Attacks?</b> (2013-02-03)<br />
A fellow blogger asked me for my opinion about Japan and the security issues that could arise from the newly planned remote control stations. Because I think this is a very interesting question, I would like to post my answer here; perhaps this is a good subject for discussion and research.<br />
<span style="font-family: Arial;"><br /></span>
<span style="font-family: Arial;"><br /></span>
"This is a very important issue. In my projects where I am responsible for the cyber security, I do not allow remote control rooms outside the plant. It should be a requirement for all safety, non-safety and operational I&C systems (all systems within the cyber security zone model) to have no network or internet connection to the outside. The reason is that I see a lot of problems with a remote control or maintenance station unless it fulfills very specific cyber security requirements. Let me give you a scenario. Usually, remote control stations do not have the same physical security measures as the plant has. They are not occupied all the time, so it is very easy to gain access. I do not know what the Japanese plans are, but let me include a picture of a remote control station from the US.<br />
<br />
(I cannot find that picture to save my life, but it shows a regular family home in the suburbs. This is supposed to disguise the fact that it was a remotely controlled substation.)<br />
<br />
That being said, it is the weakest and easiest access point for intruders or people with malicious intent. Even though the Japanese are perhaps planning on using wired connections, they want the remote station to be able to control the systems, meaning one-way communication via hard wire to the systems, meaning you can control the plant and the I&C systems from outside the plant. And what about hardening? Are they going to close unneeded ports and vulnerabilities that could be exploited from a remote station? What if they do not use a hard-wired connection: can you come and connect a laptop to the hub and gain access, do a traffic analysis and see packets, assign yourself an IP address, gain access to the network and see other remote stations on the grid? As you see, there are too many questions. I would definitely have strict requirements such as:<br />
<ul>
<li>Physical protection and security at all times</li>
<li>Occupation of the station with personnel at all times</li>
<li>Risk analysis</li>
<li>Cyber security requirements (I am unclear on what regulations they would use as a basis)</li>
<li>Use hardened systems and perhaps a data diode if necessary for one-way data exchange (monitoring purposes)</li>
<li>Design the safety I&C in such a manner that hard-wired commands can be sent that override all other system interactions and commands and execute the emergency action.</li>
<li>Or only allow connections to the hard-wired emergency backup systems</li>
</ul>
I mean, they should definitely be required to do a detailed cyber security analysis (security, not safety) with different attack scenarios to get a clear picture of the requirements and controls needed."<br />
<br />
Manolya Rowe<br />
<br />
<b>Introduction to Nuclear Cyber Security</b> (2013-02-03)<br />
<br />
<span id="yui_3_7_2_1_1359921866212_10082" style="font-family: Times New Roman;"><b>Introduction</b></span><br />
The development of nuclear energy accompanied the invention of the computer, which brought about a development that we would call the Third Industrial Revolution. This development generated a complex of economic, political and social effects that in some cases, such as power plant safety, is considered national security. In this context, power plants belong to the ICS category. Industrial control system (ICS) is a vague term to describe several types of <a href="http://en.wikipedia.org/wiki/Control_system" rel="nofollow" target="_blank" title="Control system">control systems</a> used in industrial production, such as in electric, gas or water plants, as well as supervisory control and data acquisition (<a href="http://en.wikipedia.org/wiki/SCADA" rel="nofollow" target="_blank" title="SCADA">SCADA</a>) systems, <a href="http://en.wikipedia.org/wiki/Distributed_control_system" rel="nofollow" target="_blank" title="Distributed control system">distributed control systems</a> (DCS), and other control systems (Wikipedia, 2011). All of these are defined as critical infrastructures and are considered national security objects. These infrastructures need to be protected from cyber incidents, which NIST defines as "an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits" (FIPS PUB 200, 2006).<sup>[2]</sup> These threats might be intentional malicious attacks or unintentional, caused by untrained or careless employees. In addition, the modern networking and communication technologies introduced as improvements also create new cyber vulnerabilities. Care must be exercised in the selection, implementation, and operation of cyber-vulnerable ICS technologies.<br />
<span style="font-family: Times New Roman;"></span><br />
<a name='more'></a><br />
<b>What is Nuclear Plant Security and how is it defined?</b><br />
Nuclear plant security involves securing the critical business and operational functions performed by cyber assets that affect the bulk electric system; this necessitates security management controls. To protect critical cyber assets (these assets should be defined by each company individually), companies should design and implement information protection, employee roles and responsibilities, as well as security training. In this context we need to look at some of the possible threats and attacks. One such attack is the SCADA attack.<br />
<br />
<b>SCADA Hacks</b><br />
SCADA attacks and system vulnerabilities pose significant threats to power plants. They combine traditional exploits with industrial control systems, which allows attackers to weaponize malicious code, as demonstrated by the Stuxnet worm in 2010, used to attack the Iranian power plant that was using SIMATIC S7 from Siemens. SCADA systems control everything from valves on oil and gas pipelines to energy grids and heat sensors in power plants, but they are usually not connected to the internet. "SCADA systems run in small private networks hidden away from the rest of the world, usually perfectly secure against reasonably determined hackers. Ergo, SCADA software and hardware by its very nature is not as secure, because it's nowhere near as well known or scrutinized and is heavily dependent on physical security to keep it safe. However, the environments that SCADA systems monitor are usually mission critical; their failure would have serious or even catastrophic consequences" (Wiley & Sons, 2008).<br />
<br />
So what does an attacker need for a successful attack? This is a legitimate question to ask when considering ways of preventing an attack. There are two ways to attack a SCADA system. One: if the system is connected to the internet for vendor updates and maintenance, finding leaks and security holes in the connection and network structure. Two: the intruder collects information about what SCADA systems are being used (software and hardware), which vendor they use and preferably the locations of the terminals, and then launches the attack.<br />
<br />
A SCADA hack can be a remote access hack. By gathering information about the system over social networks and asking employees untrained in security, intruders can collect valuable information bit by bit to bring down the system. Sometimes vendors' web pages give out a great deal of information about the clients they take on and the system software used. With a little research and reading through press releases, hackers can find out the hardware used. The next step is social engineering over the phone or in person. With this information, remote control stations can be broken into, networks reached from the remote access point, and a SCADA hack made possible.<br />
<br />
I came to the conclusion that it is not important how these attacks happen; let's assume for a minute that they do happen. With this in mind, I would rather emphasize what to do and how to prevent these attacks.<br />
<br />
One way to protect power plants from intruders is to harden the system. Here I don't just talk about hardening the operating system, but the system as a whole. Writing and applying security policies is one of the major steps of IT-security. The second and perhaps even more important step is to implement these policies. Employee training is crucial, since the human element will always be the weakest element. It is much easier to obtain information from a friendly employee who has no conscious understanding of IT-security than to find a weak point in a computer system and penetrate it for the wanted information. The following are suggestions for prevention measures mentioned in Allsopp's book on unauthorised access.<br />
<br />
<b>Prevention measures</b><br />
<b>Information Protection</b><br />
<ul>
<li>Document and implement a process for the protection of information pertaining to or used by critical cyber assets. The roles of who should write these policies and who should implement them on site should be clearly defined.</li>
<li>Identification. In a security plan, all assets and all mechanical equipment that is computer operated need to be identified.</li>
<li>Classification. This equipment and these systems then need to be assigned a security level and a security zone.</li>
<li>Protection. A plan that sets out the constant maintenance and ongoing protection should be drafted.</li>
</ul>
<br />
<span style="font-family: Times New Roman;"><b>Roles and Responsibilities</b></span><br />
Roles and responsibilities of employees should be well defined and briefed. Responsible managers should document and direct SCADA security. This can be done with the help of the company's staff and mechanical system architecture. The most important part is to define these roles and responsibilities on the vendor's side as well as on the nuclear plant side.<br />
<br />
<b>Physical Security</b><br />
One might argue that physical security has nothing to do with IT-security. I believe it has everything to do with it. If I can't penetrate a local remote access station, how can I penetrate the system in the first place? First, I have to beat the physical security before I can get to the systems. The biggest challenge is to convince IT-security managers who have little training or no knowledge of real-life threats. The implementation of processes, tools and procedures to monitor physical access to the power plant and its critical cyber assets, as well as all access points to the computer systems, should be clear. Security measures could include:<br />
<ul>
<li>Biometric, keypad, token, or other devices that are used to control access to the cyber asset through personnel authentication.</li>
<li>Surveillance cameras</li>
<li>Alarm systems inside the building and outside.</li>
<li>Maintenance and testing of the implemented security measures as well as the software and hardware used.</li>
<li>Electronic media control. No unnecessary technology allowed into the plants, like cell phones, cameras etc. (Nuclear Plant Security, 2009)</li>
</ul>
<br />
<b>Cyber asset security</b><br />
The main concern should be the implementation of the security measures and a regular check of the implemented methods. It is important to:<br />
<ul>
<li>Keep the system updated and patched</li>
<li>Manage accounts and passwords</li>
<li>Perform software integrity checks</li>
<li>Train employees</li>
<li>Act according to international standards</li>
<li>Always be inspection ready and up to par</li>
<li>Identify and handle vulnerabilities</li>
</ul>
<br />
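As an added example (not code from the original post), the following Python script shows one way to implement the "software integrity checks" item from the list above: hash every file on a cyber asset once to form a known-good baseline, then re-hash on a schedule or before an inspection and report anything modified, missing or added. The directory layout, file names and file contents are constructed for the demo and do not come from any real plant system.<br />

```python
"""Software integrity check: baseline-and-verify for files on a cyber asset.

Added example (not part of the original post). It demonstrates the "software
integrity checks" item: hash every file under a directory once to form a
baseline, then re-hash later and report anything modified, missing or added.
All paths and file contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 of a file, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Walk `root` and map each regular file (relative POSIX-style path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks are skipped: hashing the link target would hide a swapped link.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify_against_baseline(root, baseline):
    """Re-hash `root` and classify every difference from `baseline`."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {
        "modified": modified,
        "missing": missing,
        "added": added,
        "clean": not (modified or missing or added),
    }


def save_baseline(baseline, path):
    """Persist the baseline as JSON; keep this copy off the asset (read-only media or signed)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def _write(root, rel, data):
    """Helper for the constructed demo tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: take a baseline, then simulate one change of each kind."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/hmi_control", b"\x7fELF-placeholder-binary")
        _write(root, "cfg/setpoints.ini", b"[limits]\nmax_temp=350\n")
        _write(root, "lib/driver.so", b"driver-placeholder")

        # The baseline lives in a separate store, not on the monitored tree.
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)
        baseline = load_baseline(baseline_path)

        # Simulated tampering: a changed setpoint, a removed driver, an unexpected new file.
        _write(root, "cfg/setpoints.ini", b"[limits]\nmax_temp=999\n")
        os.remove(os.path.join(root, "lib/driver.so"))
        _write(root, "bin/unexpected.dll", b"dropped-file")

        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a plain script; `demo()` reports `cfg/setpoints.ini` as modified, `lib/driver.so` as missing and `bin/unexpected.dll` as added. In practice the baseline is taken on a known-good build, stored where the monitored system cannot rewrite it, and each non-clean report is handed to the vulnerability-handling and incident-response process rather than silently re-baselined.<br />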
<span style="font-family: Times New Roman;"><b>Conclusion</b></span><br />
It is very critical that all power plant operations, as well as other ICSs, are protected from cyber attacks to maintain the mission of the systems. SCADA systems are often believed to be safe, but several lab tests have shown vulnerabilities that could cause tremendous financial and physical damage to a nuclear plant. Threats come from the inside as well as the outside, intentional and unintentional, but the key is to have clearly defined rules, regulations and policies in place. Identifying system vulnerabilities, training employees and having an incident prevention as well as an incident response plan is of great importance. Of course any advice looks good on paper, but a good security manager knows that there is no system that is completely secure and no system that can't be penetrated. The job is to keep testing the system, finding weak points and exploiting them, and preferably cataloging them rather than hiding or ignoring them.<br />
<br />
<b>References</b><br />
Allsopp, W. (2009). <i>Unauthorised Access: Physical Penetration Testing For IT Security Teams.</i> New York: John Wiley & Sons. In this book Wil Allsopp has created a thorough reference for those looking to advance into the area of physical penetration testing. The book thus serves as a guidebook for in-house security managers seeking to institute better policy safeguards (from the Foreword, by Kevin Mitnick). Most IT security teams concentrate on keeping networks and systems safe from the outside, usually with the entire focus on firewalls, server configuration, application security, intrusion detection systems, and the like.<br />
<br />
Basta, A., & Halton, W. (2008). <i>Computer Security and Penetration Testing.</i> Boston: Course Technology. Covers many subjects concerning penetration testing and gives a general overview of network monitoring and penetration testing.<br />
<br />
Graves, K. (2010). <i>CEH® Certified Ethical Hacker Study Guide.</i> Indianapolis: Wiley Publishing, Inc. This book is a study guide for certification as an ethical hacker. Network security, penetration testing and incident handling are some of the subjects discussed.<br />
<br />
Hold, M., & Anthony, A. (2008). <i>Nuclear Power Plant and Security Vulnerabilities.</i> Washington: Congress. This paper discusses overall plant security, threat models and scenarios, as well as incident emergency response.<br />
<br />
<i>Nuclear Power Plant Security</i>. (2009, August). Retrieved July 28, 2011, from Nuclear Energy Institute: http://www.nei.org/keyissues/safetyandsecurity/factsheets/powerplantsecurity/ General information about nuclear plant security, emphasizing physical plant security measures and breaches.<br />
<br />
Oriyano, S.-P., & Gregg, M. <i>Hacker Techniques, Tools, and Incident Handling.</i> (date). The first two chapters cover general information. The book then goes on to review the technical overview of hacking: how attacks target networks and the methodology they follow. The final section studies those methods that are most effective when dealing with hacking attacks, especially in an age of increased reliance on the Web.<br />
<br />
Weiss, J. (2010). <i>Protecting Industrial Control Systems from Electronic Threats.</i> New York: Momentum Press, LLC. This book discusses the measures that can be taken to protect industrial control systems by listing and demonstrating the threats and suggesting how to handle them.<br />
<br />
Safari Books Online: <a href="http://search.safaribooksonline.com/book/technology-management/9780470145012" rel="nofollow" target="_blank">http://search.safaribooksonline.com/book/technology-management/9780470145012</a><br />
<a href="http://www.msnbc.msn.com/id/42237805/ns/technology_and_science-security/t/nuclear-plant-software-called-vulnerable-attack/" rel="nofollow" target="_blank">http://www.msnbc.msn.com/id/42237805/ns/technology_and_science-security/t/nuclear-plant-software-called-vulnerable-attack/</a><br />
<br />
<sup>[2]</sup> NIST Federal Information Processing Standards Publication (FIPS PUB) 200, <i>Minimum Security Requirements for Federal Information and Information Systems</i>, March 2006. <a href="http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf" rel="nofollow" target="_blank">http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf</a> This is a great sample for writing security policies. It is similar to the ISO 27000 series.<br />
<br />
<b>How real is the risk?</b> (2012-11-23)<br />
One question that comes up in the industry over and over again is: "How real is the cyber threat to the nuclear industry, or to the I&C systems, really?" I do understand that this is a legitimate question, especially since cyber security was, until the last couple of years, not one of the biggest nuclear concerns. Hackers and other malicious people were most likely not interested in hacking into an NPP or an I&C system, since these systems existed in closed networks with no connection to the internet. That was and still is a widespread belief.<br />
<br />
The physical protection and safety measures of the facility had dealt with any unwanted intruders just fine. The systems are locked up and unreachable, so what is the hype about?<br />
"We have always done it this way, we don't need anything extra fancy, a new movement called IT Security, that will take time and cost too much money. Thank you, but no thank you."<br />
<br />
There are two major problems I have with this:<br />
One:<br />
Physical protection does not protect against the insider threat and does not protect against digital intrusion.<br />
<br />
Two:<br />
SCADA and I&C system software is not patched and upgraded as well as commercial systems are, because of the same false sense of security that has haunted the industry for many years. [Ref 1]<br />
<br />
The question "Do we really need cyber security?" is, to me, ignorant and not really excusable. In today's capitalistic economy, with our most precious assets being electricity, power grids, water and waste, gas, transportation etc., we should not forget that these systems and facilities are being converted to run on digital I&C, or already run on digital I&C. Looking at it that way, the question "Do we really need cyber security?" appears rather unnecessary and foolish to me.<br />
<br />
The threat is real. I don't want to be the one who delivers the bad news, but I&C systems do face real cyber threats. Here are a couple of reasons:<br />
<br />
<ol>
<li>The facility and systems may be connected to a remote control station for vendor updates.</li>
<li>Systems are not patched as regularly as commercial systems after commissioning. Software updates or changes happen only once in a blue moon, especially for subsystems and maintenance systems running on COTS.</li>
<li>The utility may not have a System Security Plan.</li>
<li>The employees may be vulnerable to social engineering due to no or insufficient IT security training.</li>
</ol>
[Ref 1] [Ref 2] <br />
That being said, you can "Google" I&C hacks and instantly find incidents you can read up on. The British Columbia Institute of Technology (BCIT) keeps a database of accidental and intentional cyber incidents that affect control systems.<br />
<br />
<ul>
<li>In 2004 they had cataloged 34 incidents.</li>
<li>There are at least 100 industrial cyber incidents a year (extrapolating).</li>
</ul>
<br />
According to the Computer Security Institute and the FBI, most incidents go unreported, especially when small breaches happen. The BCIT data shows an increasing trend of incidents perpetrated by outsiders. Example:<br />
<br />
<ul>
<li>Outsiders were responsible for 31% of incidents during the 1980-2000 period.</li>
<li>Outsiders were responsible for 70% of incidents during the 2001-2003 period.</li>
</ul>
Records of actual incidents include examples of every kind of security breach possible, except terrorist threats. [Ref 3]<br />
<br />
Here are some examples of I&C hacks:<br />
<br />
<ul>
<li>SCADA raiders [Ref 4]:</li>
</ul>
This was an experiment, and it showed how easily the systems of a U.S. NPP could be compromised through a remote control station and some open source software.<br />
<ul>
<li>The Slammer worm [Ref 5]:</li>
</ul>
The Davis-Besse Nuclear Plant (Ohio) was hit by the SQL Slammer worm in January 2003, after the NPP had been off-line for almost a year for safety repairs and upgrades. The worm infected and disabled:<br />
<div>
<ul>
<li>the Safety Parameter Display System for five hours</li>
<li>the Plant Process Computer for six hours</li>
</ul>
Both monitoring systems had analog backups that were not affected. The worm reached the systems through a remote contractor's link to the corporate network, which at some point connected to the I&C systems.<br />
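The path the worm took is exactly the kind of thing worth checking for before an incident: a link that was never meant to reach the I&C network but does, via an intermediate zone. What follows is an added example, not code from the original post: a small zone-and-conduit model with a search for whether a given kind of traffic can reach the monitoring systems from an outside zone, run once on a constructed model of the situation just described and once on a segmented version. The zone names, rule sets and segmented layout are assumptions made for illustration; UDP port 1434 is the SQL Server Resolution Service port that Slammer spread over.<br />

```python
"""Zone/conduit reachability check. Added example, not from the post: zone
names, rule sets and the segmented layout are constructed to mirror the path
described for the Slammer incident (contractor -> corporate -> plant -> I&C)."""
from collections import deque
from typing import Optional

# One permitted flow between two zones: (src_zone, dst_zone, protocol, port).
# protocol "any" with port None means the link is unfiltered.
Conduit = tuple[str, str, str, Optional[int]]

# Constructed "as found" model: plant LAN assumed isolated, but reachable.
AS_FOUND: list[Conduit] = [
    ("internet",   "contractor", "any", None),  # contractor site, infected host
    ("contractor", "corporate",  "any", None),  # unfiltered remote link
    ("corporate",  "plant",      "any", None),  # undocumented bridge into plant LAN
    ("plant",      "spds",       "any", None),  # Safety Parameter Display System
    ("plant",      "ppc",        "any", None),  # Plant Process Computer
]

# Constructed segmented layout: plant data is pushed one way into a DMZ
# historian, corporate users read it there, nothing is permitted into "plant".
HARDENED: list[Conduit] = [
    ("internet",   "contractor", "any", None),
    ("contractor", "corporate",  "tcp", 443),   # remote access only via VPN gateway
    ("plant",      "dmz",        "tcp", 443),   # plant -> DMZ historian
    ("corporate",  "dmz",        "tcp", 443),   # corporate reads from the DMZ
    ("plant",      "spds",       "any", None),
    ("plant",      "ppc",        "any", None),
]

# UDP/1434 is the SQL Server Resolution Service port Slammer propagated over.
SLAMMER = ("udp", 1434)


def allows(conduit: Conduit, proto: str, port: int) -> bool:
    """True if the conduit's filter permits this protocol/port."""
    _, _, c_proto, c_port = conduit
    return c_proto in ("any", proto) and (c_port is None or c_port == port)


def find_path(conduits, src, dst, proto, port):
    """BFS over zones; returns the zones the flow traverses from src to dst, or None."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for c in conduits:
            if c[0] == zone and c[1] not in parent and allows(c, proto, port):
                parent[c[1]] = zone
                queue.append(c[1])
    return None


def exposed_systems(conduits, entry, critical, proto, port):
    """Map each critical system reachable from `entry` to the path reaching it."""
    paths = {s: find_path(conduits, entry, s, proto, port) for s in critical}
    return {s: p for s, p in paths.items() if p is not None}


def unfiltered_into(conduits, protected):
    """Audit check: conduits from outside `protected` that let 'any' traffic in."""
    return [c for c in conduits if c[1] in protected and c[0] not in protected and c[2] == "any"]


if __name__ == "__main__":
    for name, model in (("as found", AS_FOUND), ("hardened", HARDENED)):
        print(name, exposed_systems(model, "internet", ["spds", "ppc"], *SLAMMER))
        print(name, unfiltered_into(model, {"plant", "spds", "ppc"}))
```

On the "as found" model the search returns the full chain internet, contractor, corporate, plant, spds; on the segmented model no path exists and the audit list is empty.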
<ul>
<li>Stuxnet virus:</li>
</ul>
Stuxnet attacked a Siemens S7 system in 2010 in an Iranian NPP. The virus was very complex and went undetected for a couple of months. There is much controversy about how the virus was engineered and how it reached the systems. A good place for more information is my friend Ralph Langner's YouTube videos about the virus.<br />
<ul>
<li>Australia's Maroochy Shire Council Hack [Ref 1]:</li>
</ul>
The Council's sewer pumping stations were attacked by an insider who had been a supervisor for the contractor installing a SCADA system for a sewer system with 150 pumping stations.</div>
<div>
The damage: alarms were turned off, communication was lost, pumps were not activating at the appropriate times, and raw sewage was released into the drinking water. Mr. Vitek Boden hacked into the facility from his car, using a data radio that he had stolen from his former employer and one of the local processors he had also stolen.</div>
<div>
These few examples should show that I&C hacks and threats are real. I am sure current data is even more overwhelming.</div>
<br />
<div>
<br />
The fact is, realizing that NPPs' digital assets are becoming more interesting targets for attackers is the right way of thinking. So stay ahead of the game: evaluate and implement IT security, utility-wide and system-specific.<br />
<br />
<br />
Manolya Rowe<br />
<br />
References:<br />
<br />
<ol>
<li>http://www.sans.org/reading_room/whitepapers/warfare/security-critical-infrastructure-scada-systems_1644</li>
<li>http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf</li>
<li>http://www.bcit.ca/</li>
<li>Allsopp, W. (2009). <i>Unauthorized Access.</i> John Wiley and Sons.</li>
<li>http://de.wikipedia.org/wiki/SQL_Slammer</li>
</ol>
<br />
<span style="background-color: #f9f9f9; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; word-spacing: 1px;"><br /></span>
<span style="background-color: #f9f9f9; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; word-spacing: 1px;">Privacy</span><br />
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
The owner of this blog does not share personal information with third-parties nor does the owner store information that is collected about your visit for use other than to analyze content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. The owner is not responsible for the republishing of the content found on this blog on other Web sites or media without permission.</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
Blog Comments</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
The owner of this blog reserves the right to edit or delete any comments submitted to this blog without notice due to:</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
1. Comments deemed to be spam or questionable spam<br />
2. Comments including profanity<br />
3. Comments containing language or concepts that could be deemed offensive<br />
4. Comments that attack a person individually</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
Terms and Conditions</div>
<div style="border: 0px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline;">
<span style="color: #666666; font-family: Lucida Sans Unicode, Lucida Grande, Trebuchet MS, Helvetica, Arial, sans-serif;"><span style="font-size: 12px; line-height: 20px; word-spacing: 1px;">All content provided on this blog is for informational purposes only. All content provided on this blog is the personal opinion of the blog owner and does not represent the opinion of any company, employer or government official. The content on this blog is strictly the opinion of the blogger not intended to malign any religion, state, country, industry, company, employer, religion, ethic group, club, organisation, or </span></span><span style="background-color: white;"><span style="color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; word-spacing: 1px;">individual. The owner of this blog is not responsible or can be made liable for comments made by readers or anybody or anyone visiting his blog, nor the laws the commentor brakes in his country or the bloggers country </span><span style="color: #555555; font-family: Georgia, Times, Times New Roman, serif;"><span style="font-size: 14px;">. </span></span></span><span style="color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; word-spacing: 1px;">Due to the nature of technology and evolution of information, the information represented in this blog, although it is strictly the opinion of the blog owner, may not be accurate tomorrow or in the future. </span><span style="color: #666666; font-family: Lucida Sans Unicode, Lucida Grande, Trebuchet MS, Helvetica, Arial, sans-serif;"><span style="font-size: 12px; line-height: 20px; word-spacing: 1px;">The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. 
The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. The owner of this blog does not want to cause any harm and is not liable for any harm subject from personal interpretation of facts by any blog visitor or reader, again, the information presented in this blog is the personal opinion of the blog owner, it is not to be taken absolute as advice or counsel. The blog owner is not responsible or liable of any translation or interpretation. The blog owner can not be made responsible or liable for any financial claims. T</span></span><span style="color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; word-spacing: 1px;">his policy is subject to change at anytime.</span></div>
</div>
Published 2012-11-22, updated 2012-11-30.<br />
<br />
Welcome,<br />
<br />
I just want to take the opportunity to say thank you for stopping by my blog. I am an IT security professional with a passion for nuclear digital systems security. In my posts, I want to go over how to implement the right security program for individual systems, system architectures and entire Nuclear Power Plants (NPP). Buzzwords like risk ownership, level of security, residual risk and security analysis should stir up some good conversations and discussions.<br />
<br />
IT security in itself is a very new field, and it is even newer in the nuclear industry. There are many unanswered questions. What is the best IT security program for my facility? How much protection do I need? What do I need to do to get my security program approved by the authorities? To me, these questions are exciting and fun; they lay the groundwork for research, and I have to say, I love research. Nevertheless, IT security or cyber security at Nuclear Power Plants is a serious, sensitive topic that is not discussed openly in public.<br />
The key to a better future is knowledge, transparency and building trust. That is why I decided to start this blog.<br />
<br />
I hope you will enjoy it.<br />
<br />
Sincerely<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoRwAothDeV-zk5HQ7JHyxQ6FZrxJY5YqUnk6K6ixgx_t2H2UScrgTUlqrh8fambXkVhb2yi4XV3SG2O0Ms1VrLYQGVJBTcuDMalF-IIkjmamI6WNv2nZzc4M-DRKGDnl-v7KbrJlQ4qbi/s1600/CyberSecurity2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoRwAothDeV-zk5HQ7JHyxQ6FZrxJY5YqUnk6K6ixgx_t2H2UScrgTUlqrh8fambXkVhb2yi4XV3SG2O0Ms1VrLYQGVJBTcuDMalF-IIkjmamI6WNv2nZzc4M-DRKGDnl-v7KbrJlQ4qbi/s640/CyberSecurity2.gif" width="640" /></a></div>
<br />
Manolya Rowe <br />
<br />
<span style="background-color: #f9f9f9; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; word-spacing: 1px;">Privacy</span><br />
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
The owner of this blog does not share personal information with third-parties nor does the owner store information that is collected about your visit for use other than to analyze content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. The owner is not responsible for the republishing of the content found on this blog on other Web sites or media without permission.</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
Blog Comments</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
The owner of this blog reserves the right to edit or delete any comments submitted to this blog without notice due to;</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
1. Comments deemed to be spam or questionable spam<br style="border: 0px; letter-spacing: 0.1px; margin: 0px; padding: 0px; vertical-align: baseline;" />2. Comments including profanity<br style="border: 0px; letter-spacing: 0.1px; margin: 0px; padding: 0px; vertical-align: baseline;" />3. Comments containing language or concepts that could be deemed offensive<br style="border: 0px; letter-spacing: 0.1px; margin: 0px; padding: 0px; vertical-align: baseline;" />4. Comments that attack a person individually</div>
<div style="border: 0px; color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline; word-spacing: 1px;">
Terms and Conditions</div>
<div style="border: 0px; margin-bottom: 20px; padding: 0px 0px 0px 2px; vertical-align: baseline;">
<span style="color: #666666; font-family: Lucida Sans Unicode, Lucida Grande, Trebuchet MS, Helvetica, Arial, sans-serif;"><span style="font-size: 12px; line-height: 20px; word-spacing: 1px;">All content provided on this blog is for informational purposes only. All content provided on this blog is the personal opinion of the blog owner and does not represent the opinion of any company, employer or government official. The content on this blog is strictly the opinion of the blogger not intended to malign any religion, state, country, industry, company, employer, religion, ethic group, club, organisation, or </span></span><span style="background-color: white;"><span style="color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; word-spacing: 1px;">individual. The owner of this blog is not responsible or can be made liable for comments made by readers or anybody or anyone visiting his blog, nor the laws the commentor brakes in his country or the bloggers country </span><span style="color: #555555; font-family: Georgia, Times, Times New Roman, serif;"><span style="font-size: 14px;">. </span></span></span><span style="color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; word-spacing: 1px;">Due to the nature of technology and evolution of information, the information represented in this blog, although it is strictly the opinion of the blog owner, may not be accurate tomorrow or in the future. </span><span style="color: #666666; font-family: Lucida Sans Unicode, Lucida Grande, Trebuchet MS, Helvetica, Arial, sans-serif;"><span style="font-size: 12px; line-height: 20px; word-spacing: 1px;">The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. 
The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. The owner of this blog does not want to cause any harm and is not liable for any harm subject from personal interpretation of facts by any blog visitor or reader, again, the information presented in this blog is the personal opinion of the blog owner, it is not to be taken absolute as advice or counsel. The blog owner is not responsible or liable of any translation or interpretation. The blog owner can not be made responsible or liable for any financial claims. T</span></span><span style="color: #666666; font-family: 'Lucida Sans Unicode', 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 20px; word-spacing: 1px;">his policy is subject to change at anytime.</span></div>