Dear Readers
It has been a while since I have touched my Blog. If you have been following me, you might have asked yourself:”What happened, why did she stop suddenly”?
This is a good question and a valid one. I had many readers that appreciated the honest information. But, I also had some very troubling feedback. I was told to stop my blog or I was going to lose my job. Let’s call them “people from the industry” had issues with the information I provided due to paranoia. Lawyers got involved and the hustle and the headaches just became too much at the time.
So I decided to let it rest.
People came and went, lawyers came and went, jobs changed but my passion for nuclear cyber security never went away. Blurry water tuned clear, the dust settled and distress about the personal threats gone with the wind. In clear: I don’t give a $§/% anymore :-)!
I truly believe that open communication, education and sharing of knowledge is the basis to strengthen cyber security in the industry. Therefore, I will start up my writings again and try to create a platform for questions, discussion and information for anybody who cares for the subject.
Please help me with your comments and questions to pick up from where I left. I like to hear what questions you have about nuclear cyber security and what discussions you like to see get started.
I want to say thank you to all my readers,that kept continuing to send me supportive messages and keep checking for new posts.
Nuclear Cyber Security
Mittwoch, 10. August 2016
Sonntag, 3. Februar 2013
Japan and Remote Control Stations, how Secure will they be to Cyber Attacks?
An fellow blogger had asked me about my opinion about Japan and Security issues that could be a threat arising from the newly planned remote control stations. Because I think that this is a very interesting question, I would like to post my answer her, perhaps this is a good subject for discussion and and research.
"This is a very important issue. In my projects where I am responsible for the cyber security, I do not allow remote control rooms outside the plant. This should be a requirement for all safety, non safety and operational I&C systems (all systems within the cyber security Zone model) to not have a network or internet connection to the outside). The reason is, that I see a lot of problems with a remote control or maintenance station unless, it fulfills very specific cyber security requirements. Let me give you a scenario. Usually, remote control stations do not have the same physical security measures’ as the plant has. They are not occupied all the time, so it is very easy to gain access. I do not know what the Japanese plans are, but let me include a picture of a remote control station from the US .
( I can not find that picture to save my life, but it shows a regular family home in the suburbs. This is supposed to disguised the fact, that this was a remote controlled substation)
That being said, it is the weakest and easiest access point for intruders or malicious indented people. Even though the Japanese are perhaps planning on using wired connections, they want to have the remote station to be able to control the systems, meaning one way communication via hard wire to the systems, meaning you can control the plant and the I&C systems from outside the plant. And what about hardening? Are they going to close non needed ports and vulnerabilities that could be exploited from a remote station? What if they do not use a hardwired connection, can you come and connect a laptop to the hub and gain access, do a traffic analysis and see packages and assign yourself an IP address and gain access to the network and see other remote stations on the grid? As you see, there are too many questions. I would definitely have strict requirements such as:
- Physical protection and security at all times
- Occupation of the station with personal at all times
- Risk analysis
- Cyber security requirements (I am unclear on what regulations they would use as a basis)
- Us hardened systems and perhaps a data diode if necessary for one way data exchange (monitoring purposes)
- Design safety I&C in that manner that you can send via hard wire commands to ignore all other system interactions and commands and execute the emergency action.
- Or only allow a connections to the hard wired emergency back up systems
Manolya Rowe
Introduction to Nuclear Cyber Security
Introduction
The development of nuclear energy accompanied the invention of the computers, which brought about a development that we would call the Third Industrial Revolutio. This development generated a complex of economic, political, social effects that is in some cases like in the case of power plant safety, considered national security. In this content, power plants belong to the ICS category. Industrial control system (ICS) is a vague term to describe several types of control systems used in industrial production such as in electric, gas or water plants, as well as supervisory control and data acquisition (SCADA) systems, distributed control systems [use fully qualified domain names (FQDN) ](DCS), and other control systems (Wikipedia, 2011). All of these are defined as critical infrastructures and are considered national security objects. These infrastructures need to be protected for cyber incidents, which is defined by the NIST as: “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits (FIBS PUB, 2006).[2] These threads might be intentional melisouse ? attacks or unintentional by caused by untrained or careless employees. In addition modern networking and communication technologies used to improve also create new cyber vulnerabilities. Care must be exercised in the selection, implementation, and operation of cyber-vulnerable ICS technologies.
Freitag, 23. November 2012
How real is the risk?
One question that comes up in the industry over and over again is: "How real is the cyber threat to the Nuclear industry, or the I&C systems really?". I do understand that this is a legitimate question, especially since Cyber Security was until the last couple of years, not one of the biggest nuclear concerns. Hackers and other malicious people, where most likely not interested in hacking in to a NPP or an I&C system, since these systems existed in closed networks with no connection to the internet. That was and still is a wide spread belief.
The physical protection and safety measures of the facility had dealt with any unwanted intruders just fine. The systems are locked up and unreachable, so what the hype about?
"We have always done it this way, we don't need anything extra fancy, a new movement called IT Security, that will take time and cost to much money. Thank you, but no thank you."
There are two major problems I have with this:
One:
Physical protection does not protect against the insider threat and does not protect against digital intrusion.
Two:
SCADA and I&C systems SW is not patched and upgraded as well as commercial systems are, because of the same false sense of security that has been haunting the industry for many years.[ref 1]
The question: "Do we really need cyber security," is really ignorant to me and not really excusable. In today's capitalistic economy, with our most precious assets being electricity, power grids, water and waste, gas and transportation ect..., we shall not forget that these systems and facilities are being converted to run with digital I&C or already run with digital I&C. So looking back, the question of "Do we really need Cyber Security," appears rather unnecessary and foolish to me.
The treat is real. I don't want to be the one that delivers the bad news, but I&C systems do face real cyber threats. Here are a couple of reasons :
According to the Computer Security Institute and the FBI, most incidents go unreported, especially when small breaches happen.The BCIT data shows an increasing trend of incidents perpetrated by outsiders. Example:
Here are some of I&C hack examples:
Fact is, to realize that NPP's digital assets are becoming more interesting targets for attackers is the right way of thinking. So stay ahead of the game, evaluate and implement IT Security, Utility wide and system specific.
Manolya Rowe
References:
Privacy
The physical protection and safety measures of the facility had dealt with any unwanted intruders just fine. The systems are locked up and unreachable, so what the hype about?
"We have always done it this way, we don't need anything extra fancy, a new movement called IT Security, that will take time and cost to much money. Thank you, but no thank you."
There are two major problems I have with this:
One:
Physical protection does not protect against the insider threat and does not protect against digital intrusion.
Two:
SCADA and I&C systems SW is not patched and upgraded as well as commercial systems are, because of the same false sense of security that has been haunting the industry for many years.[ref 1]
The question: "Do we really need cyber security," is really ignorant to me and not really excusable. In today's capitalistic economy, with our most precious assets being electricity, power grids, water and waste, gas and transportation ect..., we shall not forget that these systems and facilities are being converted to run with digital I&C or already run with digital I&C. So looking back, the question of "Do we really need Cyber Security," appears rather unnecessary and foolish to me.
The treat is real. I don't want to be the one that delivers the bad news, but I&C systems do face real cyber threats. Here are a couple of reasons :
- The facility and systems may be connected to a remote control station for vendor updates.
- Systems are not as regularly patched like commercial systems after commissioning. SW updates or changes happen only once in a blue moon, especially for sub systems and maintenance systems running with COTS.
- The Utility may not have a System Security Plan.
- The employees may be vulnerable for social engineering due to no or insufficient IT Security Training.
- In 2004 they had cataloged 34 incidents
- They are at least 100 industrial cyber incidents a year (Extrapolating)
According to the Computer Security Institute and the FBI, most incidents go unreported, especially when small breaches happen.The BCIT data shows an increasing trend of incidents perpetrated by outsiders. Example:
- 31% being responsible during the 1980-2000 period
- 70% being responsible during the 2001-2003 period
Here are some of I&C hack examples:
- SCADA raiders [Ref 4]:
- The slammer worm [Ref 5]:
- Safty Parameter Display System for five houers
- Plant Proccess Computer for six hours
- Stuxnet virus:
- Australia's Maroochy Shire Council Hack [Ref 1]:
The damage was that alarms were turned off, loss of communication, pumps where not activating at appropriated times and release of raw sewage in to the drinking water. Mr. Vitek Boden hacked in to the facility from his car, using a data radio that he stole from his former employer and one of the local processors he had also stolen.
These few examples should show that I&C hacks and treats are real. I am sure current data is even more overwhelming.
Fact is, to realize that NPP's digital assets are becoming more interesting targets for attackers is the right way of thinking. So stay ahead of the game, evaluate and implement IT Security, Utility wide and system specific.
Manolya Rowe
References:
- http://www.sans.org/reading_room/whitepapers/warfare/security-critical-infrastructure-scada-systems_1644
- http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
- http://www.bcit.ca/
- Wil Allsopp, 2009, Unauthorized access, John Wiley and Son publishing.
- http://de.wikipedia.org/wiki/SQL_Slammer
Privacy
The owner of this blog does not share personal information with third-parties nor does the owner store information that is collected about your visit for use other than to analyze content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. The owner is not responsible for the republishing of the content found on this blog on other Web sites or media without permission.
Blog Comments
The owner of this blog reserves the right to edit or delete any comments submitted to this blog without notice due to;
1. Comments deemed to be spam or questionable spam
2. Comments including profanity
3. Comments containing language or concepts that could be deemed offensive
4. Comments that attack a person individually
2. Comments including profanity
3. Comments containing language or concepts that could be deemed offensive
4. Comments that attack a person individually
Terms and Conditions
All content provided on this blog is for informational purposes only. All content provided on this blog is the personal opinion of the blog owner and does not represent the opinion of any company, employer or government official. The content on this blog is strictly the opinion of the blogger not intended to malign any religion, state, country, industry, company, employer, religion, ethic group, club, organisation, or individual. The owner of this blog is not responsible or can be made liable for comments made by readers or anybody or anyone visiting his blog, nor the laws the commentor brakes in his country or the bloggers country . Due to the nature of technology and evolution of information, the information represented in this blog, although it is strictly the opinion of the blog owner, may not be accurate tomorrow or in the future. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. The owner of this blog does not want to cause any harm and is not liable for any harm subject from personal interpretation of facts by any blog visitor or reader, again, the information presented in this blog is the personal opinion of the blog owner, it is not to be taken absolute as advice or counsel. The blog owner is not responsible or liable of any translation or interpretation. The blog owner can not be made responsible or liable for any financial claims. This policy is subject to change at anytime.
Donnerstag, 22. November 2012
Welcome,
I just want to take the opportunity to say thank you for coming around my blog. I am an IT Security professional, with a passion for nuclear digital systems security. In my blogs, I want to go over how to implement the right security program for individual systems, system architectures and entire Nuclear Power Plants (NPP). Buzz words like; risk ownership, level of security, residual risk and security analysis should steer up some good conversations and discussions.
IT Security in it self is a very new field, and it is even newer in the nuclear industry. There are many unanswered questions. What is the best IT Security program for my facility, how much protection do I need, what do I need to do, to get my security program approved by the authorities? To me, these questions are exciting and fun, it lays down the groundwork for research and I have to say, I love research. Nevertheless, IT Security or Cyber Security at Nuclear Power Plants are serious, sensitive topics, that are not discussed openly in public.
The key to a better future is knowledge, transparency and building trust. That is why I decided to start this blog.
Hope you will enjoy.
Sincerely
Manolya Rowe
Privacy
I just want to take the opportunity to say thank you for coming around my blog. I am an IT Security professional, with a passion for nuclear digital systems security. In my blogs, I want to go over how to implement the right security program for individual systems, system architectures and entire Nuclear Power Plants (NPP). Buzz words like; risk ownership, level of security, residual risk and security analysis should steer up some good conversations and discussions.
IT Security in it self is a very new field, and it is even newer in the nuclear industry. There are many unanswered questions. What is the best IT Security program for my facility, how much protection do I need, what do I need to do, to get my security program approved by the authorities? To me, these questions are exciting and fun, it lays down the groundwork for research and I have to say, I love research. Nevertheless, IT Security or Cyber Security at Nuclear Power Plants are serious, sensitive topics, that are not discussed openly in public.
The key to a better future is knowledge, transparency and building trust. That is why I decided to start this blog.
Hope you will enjoy.
Sincerely
Manolya Rowe
Privacy
The owner of this blog does not share personal information with third-parties nor does the owner store information that is collected about your visit for use other than to analyze content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. The owner is not responsible for the republishing of the content found on this blog on other Web sites or media without permission.
Blog Comments
The owner of this blog reserves the right to edit or delete any comments submitted to this blog without notice due to;
1. Comments deemed to be spam or questionable spam
2. Comments including profanity
3. Comments containing language or concepts that could be deemed offensive
4. Comments that attack a person individually
2. Comments including profanity
3. Comments containing language or concepts that could be deemed offensive
4. Comments that attack a person individually
Terms and Conditions
All content provided on this blog is for informational purposes only. All content provided on this blog is the personal opinion of the blog owner and does not represent the opinion of any company, employer or government official. The content on this blog is strictly the opinion of the blogger not intended to malign any religion, state, country, industry, company, employer, religion, ethic group, club, organisation, or individual. The owner of this blog is not responsible or can be made liable for comments made by readers or anybody or anyone visiting his blog, nor the laws the commentor brakes in his country or the bloggers country . Due to the nature of technology and evolution of information, the information represented in this blog, although it is strictly the opinion of the blog owner, may not be accurate tomorrow or in the future. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. The owner of this blog does not want to cause any harm and is not liable for any harm subject from personal interpretation of facts by any blog visitor or reader, again, the information presented in this blog is the personal opinion of the blog owner, it is not to be taken absolute as advice or counsel. The blog owner is not responsible or liable of any translation or interpretation. The blog owner can not be made responsible or liable for any financial claims. This policy is subject to change at anytime.
Abonnieren
Posts (Atom)