How real is the risk?

One question that comes up in the industry over and over again is: "How real is the cyber threat to the Nuclear industry, or the I&C systems really?". I do understand that this is a legitimate question, especially since Cyber Security was until the last couple of years, not one of the biggest nuclear concerns. Hackers and other malicious people, where most likely not interested in hacking in to a NPP or an I&C system, since these systems existed in closed networks with no connection to the internet. That was and still is a wide spread belief.

The physical protection and safety measures of the facility had dealt with any unwanted intruders just fine. The systems are locked up and unreachable, so what the hype about?
"We have always done it this way, we don't need anything extra fancy, a new movement called IT Security, that will take time and cost to much money. Thank you, but no thank you."

There are two major problems I have with this:
One:
Physical protection does not protect against the insider threat and does not protect against digital intrusion.

Two:
SCADA and I&C systems SW is not patched and upgraded as well as commercial systems are, because of the same false sense of security that has been haunting the industry for many years.[ref 1]

The question: "Do we really need cyber security,"  is really ignorant to me and not really excusable. In today's capitalistic economy, with our most precious assets being electricity,  power grids, water and waste, gas and transportation ect..., we shall not forget that these systems and facilities are being converted to run with digital I&C or already run with digital I&C. So looking back, the question of "Do we really need Cyber  Security," appears rather unnecessary and foolish to me.

The treat is real. I don't want to be the one that delivers the bad news, but I&C systems do face real cyber threats. Here are a couple of reasons :

1. The facility and systems may be connected to a remote control station for vendor updates.
2. Systems are not as regularly patched like commercial systems after commissioning. SW updates or changes happen only once in a blue moon, especially for sub systems and maintenance systems running with COTS.
3. The Utility may not have a System Security Plan.
4. The employees may be vulnerable for social engineering due to no or insufficient IT Security Training. 

[Ref 1] [Ref 2]    

That being said, you can "Google" I&C hacks and find out instantly about some incidents you can read up on. The British Columbia Institute of Technology (BCIT) keeps a database of accidental and intentional cyber incidents, that affect control systems.

• In 2004 they had cataloged 34 incidents 
• They are at least 100 industrial cyber incidents a year (Extrapolating)

According to the Computer Security Institute and the FBI, most incidents go unreported, especially when small breaches happen.The BCIT data shows an increasing trend of incidents perpetrated by outsiders. Example:

• 31% being responsible during the 1980-2000 period
• 70% being responsible during the 2001-2003 period 

Records of actual incidents include examples of any security breach possible, except terrorist threats. [Ref 3]

Here are some of I&C hack examples:

• SCADA raiders [Ref 4]:

This was an experiment and it showed how easy the systems of an U.S NPP could be compremised through a remote control station and some open source SW.

• The slammer worm [Ref 5]:

The Davis-Base Nuclear Plant (Ohio) got hit by the SQL Slammer worm in January of 2003, after the NPP was of-line for almost a year for safty repairs and upgrates. The worm infected and disabled their:

• Safty Parameter Display System for five houers
• Plant Proccess Computer for six hours

Both monitoring systems had analog back up that where not affected. The worm reach the systems through a remote contractors link to the corporate network, which at some point connected to the I&C systems.

•  Stuxnet virus:

Attacked a Siemens S7 system in 2010 in an Iranien NPP. The virus was very complex and went undetected  for couple of month. There is much controversy about how the virus was engineered and reach the systems. A good place for more information is to watch my friends Ralph Langers youtube videos about the virus.

• Australia's Maroochy Shire Council Hack [Ref 1]:

The Council's sewer pumping station was attacked by an insider, as supervisor for contractors installing a SCADA system for a sewer system with 150 pumping stations. 

The damage was that alarms were turned off, loss of communication, pumps where not activating at appropriated times and release of raw sewage in to the drinking water. Mr. Vitek Boden hacked in to the facility from his car, using a data radio that he stole from his former employer and one of the local processors he had also stolen. 

These few examples should show that I&C hacks and treats are real. I am sure current data is even more overwhelming.

Fact is, to realize that NPP's digital assets are becoming more interesting targets for attackers is the right way of thinking. So stay ahead of the game, evaluate and implement IT Security, Utility wide and system specific.


Manolya Rowe

References:

1. http://www.sans.org/reading_room/whitepapers/warfare/security-critical-infrastructure-scada-systems_1644
2. http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
3. http://www.bcit.ca/
4. Wil Allsopp, 2009, Unauthorized access, John Wiley and Son publishing.
5. http://de.wikipedia.org/wiki/SQL_Slammer  

Privacy

The owner of this blog does not share personal information with third-parties nor does the owner store information that is collected about your visit for use other than to analyze content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. The owner is not responsible for the republishing of the content found on this blog on other Web sites or media without permission.

Blog Comments

The owner of this blog reserves the right to edit or delete any comments submitted to this blog without notice due to;

1. Comments deemed to be spam or questionable spam
2. Comments including profanity
3. Comments containing language or concepts that could be deemed offensive
4. Comments that attack a person individually

Terms and Conditions

All content provided on this blog is for informational purposes only. All content provided on this blog is the personal opinion of the blog owner and does not represent the opinion of any company, employer or government official. The content on this blog is strictly the opinion of the blogger not intended to malign any religion, state, country, industry, company, employer, religion, ethic group, club, organisation, or individual. The owner of this blog is not responsible or can be made liable for comments made by readers or anybody or anyone visiting his blog, nor the laws the commentor brakes in his country or the bloggers country . Due to the nature of technology and evolution of information, the information represented in this blog, although it is strictly the opinion of the blog owner, may not be accurate tomorrow or in the future. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. The owner of this blog does not want to cause any harm and is not liable for any harm subject from personal interpretation of facts by any blog visitor or reader, again, the information presented in this blog is the personal opinion of the blog owner, it is not to be taken absolute  as advice or counsel. The blog owner is not responsible or liable of any translation or interpretation. The blog owner can not be made responsible or liable for any financial claims. This policy is subject to change at anytime.

Welcome,

I just want to take the opportunity to say thank you for coming around my blog. I am an IT Security professional, with a passion for nuclear digital systems security. In my blogs, I want to go over how to implement the right security program for individual systems, system architectures and entire Nuclear Power Plants (NPP). Buzz words like; risk ownership, level of security, residual risk and security analysis should steer up some good conversations and discussions.

IT Security in it self is a very new field, and it is even newer in the nuclear industry. There are many unanswered questions. What is the best IT Security program for my facility, how much protection do I need, what do I need to do, to get my security program approved by the authorities? To me, these questions are exciting and fun, it lays down the groundwork for research and I have to say, I love research. Nevertheless, IT Security or Cyber Security at Nuclear Power Plants are serious, sensitive topics, that are not discussed openly in public.
The key to a better future is knowledge, transparency and building trust. That is why I decided to start this blog.

Hope you will enjoy.

Sincerely

Manolya Rowe  

Privacy

The owner of this blog does not share personal information with third-parties nor does the owner store information that is collected about your visit for use other than to analyze content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. The owner is not responsible for the republishing of the content found on this blog on other Web sites or media without permission.

Blog Comments

The owner of this blog reserves the right to edit or delete any comments submitted to this blog without notice due to;

1. Comments deemed to be spam or questionable spam
2. Comments including profanity
3. Comments containing language or concepts that could be deemed offensive
4. Comments that attack a person individually

Terms and Conditions

All content provided on this blog is for informational purposes only. All content provided on this blog is the personal opinion of the blog owner and does not represent the opinion of any company, employer or government official. The content on this blog is strictly the opinion of the blogger not intended to malign any religion, state, country, industry, company, employer, religion, ethic group, club, organisation, or individual. The owner of this blog is not responsible or can be made liable for comments made by readers or anybody or anyone visiting his blog, nor the laws the commentor brakes in his country or the bloggers country . Due to the nature of technology and evolution of information, the information represented in this blog, although it is strictly the opinion of the blog owner, may not be accurate tomorrow or in the future. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. The owner of this blog does not want to cause any harm and is not liable for any harm subject from personal interpretation of facts by any blog visitor or reader, again, the information presented in this blog is the personal opinion of the blog owner, it is not to be taken absolute  as advice or counsel. The blog owner is not responsible or liable of any translation or interpretation. The blog owner can not be made responsible or liable for any financial claims. This policy is subject to change at anytime.