In an often cited incident, in January 2003 the Davis Besse nuclear power plant in Ohio was affected by the “Slammer” computer worm for five hours. Although the plant was shut down at the time, and a redundant system safety system was not affected, the incident raised concerns across the nuclear industry about the arcane field of computer cyber security.
Cyber attacks are a lot more than just Halloween pranks. They are carried out by criminals seeking to blackmail businesses or to steal intellectual property. In case of nuclear power plants, the risks of compromised digital control systems by a cyber attack are all too real.
The issue is of critical importance for new nuclear plants that will be built in the U.S. and globally. The renewed emphasis is due to the fact that control rooms will use digital systems to operate the plants. The fact that digital instrument and control systems are now state-of-the-art makes them targets by hackers from our nation’s enemies.
The Wall Street Journal reported in April 2009 that “cyberspies have penetrated the U.S. electrical grid” and left behind software to take control of it. In May 2009 the Wall Street Journal reported that the nation’s power plants are being targeted by “well organized” efforts to break into control centers for the nation’s power plants and electric grids.
In both reports defense officials cite Russia and China as the source of the cyber stalking incidents. Diplomats from both countries denied the charges in statements to the WSJ.
Government response to cyber threats
What is the government doing about the threats? The U.S. Nuclear Regulatory Commission to pushing the nation’s 104 nuclear power plants to complete cyber security plans which will be amendments to the utility licenses to operate the reactors. The Department of Homeland Security is reportedly “quietly dispatching teams” to test power plant cyber security.
The Wall Street Journal reported last month that the federal government has launched a new program called “perfect citizen” to detect cyber attacks on power plant and their grids. The surveillance will be carried out by the National Security Agency. The WSJ reported that defense contractor Raytheon Corp. won a $100 million contract to set up the initial phase of the system.
The computer industry isn’t impressed with this response pointing out the reason digital systems that control the nation’s electricity grid are vulnerable is because they are old. Instead of wrapping the systems in the digital equivalent of idiot mittens experts says, the federal government should be pushing nuclear utilities to develop the most secure systems possible and helping them with technology from government labs.
Making digital control systems resilient
Part of that is already happening. This week (August 10-12) the Idaho National Laboratory will host a major conference (flyer) on “resilient control systems.” It turns out that keeping computers safe at a nuclear power plant takes a lot more than just putting up a firewall and calling it good. Here’s what the lab is talking about.
- Human Systems – Human reliability analysis that provides information on ergonomics, workload, complexity, training and experience. The analysis may be used to characterize and quantify human actions and decisions.
- Data Fusion – Various data types associated with proper operation or performance of critical infrastructure, including cyber and physical security, process efficiency and stability, and process compliancy.
- Cyber Awareness – Because of the human element of a malicious actor, traditional methods of achieving reliability cannot be used to characterize cyber awareness and resilience. Novel techniques in characterizing wellness and randomizing system response to the adversary are needed.
- Complex Networked Control Systems – Understanding how control systems become more decentralized and their ability to characterize interactions, performance and security while ensuring resilience.
The NRC’s has published stringent requirements for the protection of critical digital assets (CDAs) or as the NRC calls then “digital computers and communications networks.” The Nuclear Energy Institute is working with its members and the NRC to develop technical, management, and operational controls.
Technical controls are things that can be done to actually secure CDAs. Management controls are policies to insure the cyber security work will be done. Operational controls are what actually happens at the plant.
The cyber security plan required by the NRC must do four things.
- ensure the capability for timely detection and response to cyber attacks
- mitigate the consequences of such attacks
- correct exploited vulnerabilities
- restore the affected systems, networks and equipment.
What's in a cyber security plan?
When utilities develop their cyber security plans they start with an assessment. The outcome is a “gap analysis” that looks at the existing digital assets of the reactor and the non-safety or business systems of the utility. The gaps are reviewed and the utility’s IT Department develops a plan to meet the NRC’s requirements. Implementation measures can also include changes to physical security of the plant, training personnel to detect and respond to cyber attacks including incident reporting.
A key challenge for utilities is developing cyber security measures for computer systems that were developed before the Internet age. Simply isolating them from other plant system isn’t good enough. On one hand, it is fearsomely expensive to replace the systems, and on the other, they can’t be operated outside the new security rules. One approach is to develop a second layer of security, like an envelope or wrapper, which has up-to-date measures, and then control access to the legacy systems through the wrapper. It’s a lot cheaper than “rip and replace.”
Human social behavior is a target
The human side of cyber security is the most complex. For example, many businesses ban access to social media sites like Facebook because they are breeding grounds for malware mayhem. Computer malware can be found lurking on the Internet which takes up residence on a personal computer capturing keystrokes to collect login IDs, passwords, credit cards numbers, and all manner of sensitive information.
According to Kiplinger Magazine for August 3, "nearly 30% of corporate computer users admitted to checking social network sites while at work last year, up from 15% the year before.”
“Essentially, users are volunteering to be infected,” says David Perry, global director of education at Trend Micro Inc., a provider of Internet-security software."
Mobile devices are part of the package
Mobile devices are also at risk. The next time you fire up your mobile device you might ask the question who are you really talking to?
Utilities increasingly rely on mobile platforms to manage their workforce having replaced aging pager systems. The phones are now just as vulnerable to outside infection and some malware can target the phones just because they are on. Worse, NRC’s IT staff have said it’s has been proven that cell phones can be hacked and used against the owner even when they are off.
The BBC reported that in July 2009 the United Arab Emirates (UAE), a country that is planning to build four new nuclear reactors, an update for Blackberry users turned out to be spyware. The update was prompted by a text message from UAE telecom firm Etisalat, saying it would improve performance.
Blackberry maker Research in Motion (NASDAQ:RIMM) said in a statement that "Etisalat appears to have distributed a telecommunications surveillance application.”
“Independent sources have concluded that it is possible that the installed software could then enable unauthorized access to private or confidential information stored on the user's smartphone."
The concern over the spyware came to light when users started reporting problems with their phones. Etisalat is a major telecommunications firm based in the UAE, with 145,000 Blackberry users on its books according to the BBC. The spyware’s victims reportedly included the phones of foreign nationals hired by the UAE to mange the process of acquiring and building the reactors as well as ensuring the safety and security for the plants.
More recently, the UAE has sought to ban the use of Blackberry phones calling them a security threat.
It is a scary world in the new world of digital control systems. The nuclear industry is responding to the threats, but there is more work to do.
# # #http://www.coolhandnuke.com/Cool-Hand-Blog/articleType/ArticleView/articleId/45/Securing-critical-digital-assets-at-nuclear-power-plants.aspx