Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Power Security

Governments Don't Do Enough to Protect Nuclear Facilities From Cyberattacks (nytimes.com) 85

mdsolar writes: Twenty nations with significant atomic stockpiles or nuclear power plants have no government regulations requiring minimal protection of those facilities against cyberattacks, according to a study by the Nuclear Threat Initiative. The findings build on growing concerns that a cyberattack could be the easiest and most effective way to take over a nuclear power plant and sabotage it, or to disable defenses that are used to protect nuclear material from theft. The countries on the list include Argentina, China, Egypt, Israel, Mexico and North Korea.
This discussion has been archived. No new comments can be posted.

Governments Don't Do Enough to Protect Nuclear Facilities From Cyberattacks

Comments Filter:
  • Surely anybody responsible for security at a nuclear facility hasn't considered every possible way someone could cause a breach?

    • No, they haven't, that's why the government needs to advise them. They're doing deeply idiotic things like connecting industrial control equipment with joke security directly to the Internet.

      • [citation needed]

        It's easy enough for someone on the internet to say they did it, but let's see an actual case of such stupidity. For the most part the reported cases of things on the internet have been minor utilities, not the OMG Nuclear.

        • It looks like nobody has connected a PLC *directly* to the Internet in a nuclear plant yet, but they've connected control networks (those containing the industrial control systems and the computers that manage them) to non-control-related office networks resulting a number of incidents, both malicious and unintentional. See PDF page 14:

          https://www.chathamhouse.org/s... [chathamhouse.org]

          This is also worth a read:

          http://large.stanford.edu/cour... [stanford.edu]

          • There's a very good take home message on page 14. A lot of these incidents are caused BY regulation. I've first hand experience in the over regulation of the nuclear industry resulting in a project that installed a new safety system which had already been life cycled by the vendor complete with a Windows NT4 machine ... after Windows 7 was released. We actually upgraded and removed an identical vintage system from a refinery which determined that it was a "risk" running something so outdated and so close to

    • Lets summarize this article in one sentence from the article

      Because of the secrecy surrounding military nuclear facilities, it was impossible to determine the levels of cyberprotection used to protect nuclear weapons in the nine countries known to possess them.

    • by hey! ( 33014 )

      Surely anybody responsible for security at a nuclear facility hasn't considered every possible way someone could cause a breach?

      You don't seem to grasp the way most people prioritize concerns, which amounts to this: if (a) nothing has happened so far and (b) nobody around you seems to be concerned, then the risk in question isn't a priority. And if you think that things would have to be different in the management of nuclear plants, well look at how TEPCO, a company running coastal nuclear plants in the most seismically active region in the world, responded to a drastic upward revision by scientists of the probability of a 10+m tsu

    • security will be more "fun" with drones now taking to the skies.
  • by Eloking ( 877834 ) on Friday January 15, 2016 @11:07AM (#51307573)

    Just a little thought, why does the network that control of a nuclear facility need to be connected to the internet? I'm not saying it should be unplugged, but why they couldn't simply make two separate network? One for computer, the other to control the facility.

    • Re: (Score:2, Interesting)

      Exactly my thought!
      Where are the mod points when you need them?!

    • They probably already are. The entire article is about the fact that the government doesn't have regulations about it.

      • by rtb61 ( 674572 )

        What is interesting about this review of nuclear energy rules, is it signals a pretty major resurgence of nuclear energy generations, with safer designs slowly coming to fruition. This in conjunction with renewables (renewables in the burbs and nuclear as backup and in commercial, industrial and high density residential). You simply can not do it all with renewables because they a hugely subject to environmental chaos (weather, earthquakes et al) and you don't want you power down for months whilst you atte

    • by Anonymous Coward

      We have three systems- Computer Monitoring, (SCADA), PLC Control, and Dual Hard-Wired Control. All independent.
      None of them were or are connected to the Internet. When the Hard Wiring went in, there _was_ no Internet.
      "Government Regulations" are irrelevant here, anymore than Government Regulations are needed to prevent one from sticking one's dick into a light socket.

      If a "Facility" is connected to the Internet, it is a deliberate act. And yes, since 1987, we have had a Honey Pot.

    • Just a little thought, why does the network that control of a nuclear facility need to be connected to the internet? I'm not saying it should be unplugged, but why they couldn't simply make two separate network? One for computer, the other to control the facility.

      It isn't connected to the internet . These authors do a good job of confusing the reader. They do not distinguish between systems that control actual nuclear related equipment, communications and administrative networks, facility controls (hvac), etc. They also dont distingush between facilities that do nuclear research in a lab with little risk to start with vs those that process high grade materials vs those that just store materials. And they try to make some jump to conclusions that power plants are in

      • by MrKaos ( 858439 )

        It isn't connected to the internet . These authors do a good job of confusing the reader.

        From the article: Our purpose is to show how all countries can improve the security of dangerous nuclear materials - NTI Co-Chairman and former U.S. Senator Sam Nunn.

        They do not distinguish between systems that control actual nuclear related equipment, communications and administrative networks, facility controls (hvac), etc. They also dont distingush between facilities that do nuclear research in a lab with little risk to start with vs those that process high grade materials vs those that just store materials.

        From the methodology used to produce the Threat Index: The NTI Index differentiates among three sets of countries: (a) countries with one kilogram or more of weapons-usable nuclear materials (countries with materials), (b) countries with less than one kilogram of or no weapons-usable nuclear materials (countries without materials), and (c) co

    • by Boglin ( 517490 ) on Friday January 15, 2016 @11:34AM (#51307843) Journal
      Many moons ago, I had a friend who was a nuclear engineer at a power plant. His plant didn't have a separate computer network for the reactor simply because computers weren't allow to connect to the reactor. Anything piece of hardware with enough complexity to achieve Turing completeness was forbidden. When he wanted to add a monitoring circuit somewhere that included more than some piddly number of transistors, he had to document ever possible state that the system could enter.
      • Many moons ago, I had a friend who was a nuclear engineer at a power plant. His plant didn't have a separate computer network for the reactor simply because computers weren't allow to connect to the reactor. Anything piece of hardware with enough complexity to achieve Turing completeness was forbidden. When he wanted to add a monitoring circuit somewhere that included more than some piddly number of transistors, he had to document ever possible state that the system could enter.

        That has been common practice for years. You can use one way 'data diodes' to pass information from control systems to monintoring networks, but even those monitoring networks are segregated from the corporate business network, which in turn has the only internet connections.

    • >> why does the network that control of a nuclear facility need to be connected to the internet?

      So the operators can watch NetFlix from the control room. D-uh!

    • by GuB-42 ( 2483988 )

      Stuxnet broke through airgaps via infected USB keys.
      When you are against the NSA or similar entities, disconnecting from the internet is not enough to protect you from cyberattacks.

    • Only needs doughnuts, no interweb for him.
    • There are other ways to do things as well. What ever happened to having two computers, one on each network, and them connected via a serial cable with one of the wires snipped (Rx or Tx depending on point of view), so the receiving computer can only pull data from the serial device, stuff it in a log? This is a basic data diode, but I trust two 486 machines doing this far more than I trust some high-zoot vendor's offering, although EAL7+ is a pretty tough rating to get.

      Say one needs to log data and export

    • by mea2214 ( 935585 )
      That's how nuclear facilities were connected in the TV show "24."
    • Fortunately the reactors here in Belgium are so many decades old that there's no way they can be connected to the internet. Safe as can be!

    • by AHuxley ( 892839 )
      Many of the US sites are old, really old. So a 1980's computer like network is used for logging to keep track of wider electrical grid and site conditions in real time.
      If the local US grid fails in part or needs more power the nuclear plant can respond.
      Other networks are used to recall the shift of workers to support the existing day/night shift if an event takes place. In the past it was with phones, pagers. Computer networking is hoped to help offer another way to help recall distant team members in t
    • They are not.
      Bear in mind that the vast majority of reactors are pretty old; they were built before the Internet existed in its current state.
      So the original monitoring and control systems were, and sometimes still are, beautifully steampunk, clonky, electromechanical beasts.
      Ridiculously over-engineered and redundant, they have in many cases been worked far beyond their design lives.
      Predicable problems being that spares, and people who know how to use them correctly, are getting scarce.
      So, modern SCADA is g

    • Just a little thought, why does the network that control of a nuclear facility need to be connected to the internet? I'm not saying it should be unplugged, but why they couldn't simply make two separate network? One for computer, the other to control the facility.

      That parallel network needs redundancy, and encrypted traffic. At least 4 different paths to every control centre.
      The bank in which I worked, had two competitors providing network access. Both access points were in use, messages were routed to the path that was least busy.
      For power distribution, there should be at least 4 paths, with 4 gateways and an ability to configure any or all 4 on or off.

    • by MercTech ( 46455 )

      They aren't.
      The internal network for operational controls mirrors data to administrative servers so managers can check current plant status. The admin network connects to the internet via a firewalled gateway. (at most of the plants I've contracted with during the last decade)

  • My initial reaction would be that anyone who allows an internet connection anywhere inside a nuclear power plant, storage facility, or weapons system is in serious need of psychiatric help. Is that going to make office work, etc a bit harder? I should think it will. So what?

     

    • My initial reaction would be that anyone who allows an internet connection anywhere inside a nuclear power plant, storage facility, or weapons system is in serious need of psychiatric help. Is that going to make office work, etc a bit harder? I should think it will. So what?

      And, although nuclear power plants are not the facilities they are talking about, and although nuclear plants absolutely don't connect their controls to the internet, you have reacted exactly as the authors wanted you to.

      • by MrKaos ( 858439 )

        you have reacted exactly as the authors wanted you to.

        The authors of this report are a panel of experts including current and formers directors from the IAEA and various Nuclear Regulatory Commissions around the world, Professors, research fellows, 14 authors in all.

        To highlight how completely ridiculous your bias is one of "the authors" of the report is the Director, Nuclear Policy and Support at Duke Energy Corporation [linkedin.com] and what you're saying is that he is acting against the interests of a company to which he has legal obligations to protect the interests o

  • by thegarbz ( 1787294 ) on Friday January 15, 2016 @11:14AM (#51307635)

    The entire summary and article says we should be quaking in our boots because the government didn't mandate something specific in some countries. Also why is North Korea on the list?

    Normally mdsolar posts some clickbaity fear article about how renewable is the only way to go, but quite frankly this is a big yawn.

    • Everything he posts is either anti-nuke FUD or solar power fantasy.
      • You may have missed the point.

        You're expecting mdsolar's posts to be anti-nuclear and, intentionally or not, he has done quite a good job of exposing the bias of the nuclear shills on /. by posting a report that is designed to support nuclear power. The authors are from IAEA, NRC, and big utility companies like Duke who operate 6-8 nuclear reactors.

        The Nuclear shills are criticizing the report of an organisation whose founders state exists to strengthen global security by reducing the spread of nuclear,

    • by imikem ( 767509 )

      Yep. Pretty sure he jacks off to high res JPEGs of photoelectric cells.

  • Construct an experiment to prove your theory.
  • by Anonymous Coward

    What? We should have government who cannot protect themselves protect nuke plants. Maybe that's the problem? Why is it people think the government has all the answers? The weakness in America is its dependency on government fixing everything.

  • Literally have a guy on site with a telephone... or with email and other stuff... fine... and if you want him to change the way the reactor is working... fucking pick up the phone and call him. Done.

    Why are things that were easily managed decades ago suddenly becoming complicated? Airgap nuclear facilities.

    If you absolutely MUST connect them over the internet then at the very least use a VPN to effectively digitally airgap it. Not as good... but no one without access to the VPN should be able to access the

  • This is a country where the ruler executed the defense minister (reportedly one reason was because he fell asleep at a military rally) by shooting him with anti-aircraft cannon in front of hundreds of people. I'm pretty sure they don't need a law and that it's generally understood in the country that you don't mess with the nukes, much less try to actually steal them.
    • Right, they may just sell their stuff like Pakistan. Why steal what you can buy? Oh, wait....
  • The countries on the list include Argentina, China, Egypt, Israel, Mexico and North Korea.

    Israel is behind the mother of all firewalls. Israel has units in the army in charge of cybersecurity. This article seems badly researched...

  • You mean complete air gap security isolation from the internet IS NOT the policy for every nuclear site? How stupid are people?
  • One attack might be to renumbered inventory in software so a theft won't be noticed immediately.

news: gotcha

Working...