Governments Don't Do Enough to Protect Nuclear Facilities From Cyberattacks (nytimes.com) 85
mdsolar writes: Twenty nations with significant atomic stockpiles or nuclear power plants have no government regulations requiring minimal protection of those facilities against cyberattacks, according to a study by the Nuclear Threat Initiative. The findings build on growing concerns that a cyberattack could be the easiest and most effective way to take over a nuclear power plant and sabotage it, or to disable defenses that are used to protect nuclear material from theft. The countries on the list include Argentina, China, Egypt, Israel, Mexico and North Korea.
Yeah, because the government needs to tell them (Score:1)
Surely anybody responsible for security at a nuclear facility hasn't considered every possible way someone could cause a breach?
Re: (Score:2)
No, they haven't, that's why the government needs to advise them. They're doing deeply idiotic things like connecting industrial control equipment with joke security directly to the Internet.
Re: (Score:2)
[citation needed]
It's easy enough for someone on the internet to say they did it, but let's see an actual case of such stupidity. For the most part the reported cases of things on the internet have been minor utilities, not the OMG Nuclear.
Re: (Score:2)
It looks like nobody has connected a PLC *directly* to the Internet in a nuclear plant yet, but they've connected control networks (those containing the industrial control systems and the computers that manage them) to non-control-related office networks resulting a number of incidents, both malicious and unintentional. See PDF page 14:
https://www.chathamhouse.org/s... [chathamhouse.org]
This is also worth a read:
http://large.stanford.edu/cour... [stanford.edu]
Re: (Score:2)
There's a very good take home message on page 14. A lot of these incidents are caused BY regulation. I've first hand experience in the over regulation of the nuclear industry resulting in a project that installed a new safety system which had already been life cycled by the vendor complete with a Windows NT4 machine ... after Windows 7 was released. We actually upgraded and removed an identical vintage system from a refinery which determined that it was a "risk" running something so outdated and so close to
Re: (Score:3)
Because of the secrecy surrounding military nuclear facilities, it was impossible to determine the levels of cyberprotection used to protect nuclear weapons in the nine countries known to possess them.
Re: (Score:2)
Surely anybody responsible for security at a nuclear facility hasn't considered every possible way someone could cause a breach?
You don't seem to grasp the way most people prioritize concerns, which amounts to this: if (a) nothing has happened so far and (b) nobody around you seems to be concerned, then the risk in question isn't a priority. And if you think that things would have to be different in the management of nuclear plants, well look at how TEPCO, a company running coastal nuclear plants in the most seismically active region in the world, responded to a drastic upward revision by scientists of the probability of a 10+m tsu
Re: (Score:2)
Why does a nuclear facility need to be connected? (Score:5, Insightful)
Just a little thought, why does the network that control of a nuclear facility need to be connected to the internet? I'm not saying it should be unplugged, but why they couldn't simply make two separate network? One for computer, the other to control the facility.
Re: (Score:2, Interesting)
Exactly my thought!
Where are the mod points when you need them?!
Re: (Score:2)
Re: (Score:2)
Not so much ... It's not the gov job to do so : it should be normal practice...
Re: (Score:2)
Re: (Score:2)
They probably already are. The entire article is about the fact that the government doesn't have regulations about it.
Re: (Score:2)
>> two separate networks...
Yes, there are.
>> the government doesn't have regulations about it.
Yes, it is does. ...
And Yes, it is being carried over to every other generation and transmission entity (in the U.S., at least).
I love sensationalist reporting.
There certainly is published regulation regarding US nuclear power plant cyber security. There is less available regarding weapons facilities. The author chose his words carefully to make sure the average reader does not distinguish between the two, nor facilities that do nuclear related R&D but have no significant amount of nuclear material that would pose any kind of threat.
Re: (Score:2)
nor facilities that do nuclear related R&D but have no significant amount of nuclear material that would pose any kind of threat.
Obviously you have not even looked at this report. The methodology makes a clear distinction [ntiindex.org]
Re: (Score:2)
Re: (Score:2)
To be fair the USA and most western nations aren't mentioned in this case.
Re: (Score:2)
What is interesting about this review of nuclear energy rules, is it signals a pretty major resurgence of nuclear energy generations, with safer designs slowly coming to fruition. This in conjunction with renewables (renewables in the burbs and nuclear as backup and in commercial, industrial and high density residential). You simply can not do it all with renewables because they a hugely subject to environmental chaos (weather, earthquakes et al) and you don't want you power down for months whilst you atte
Re: (Score:1)
We have three systems- Computer Monitoring, (SCADA), PLC Control, and Dual Hard-Wired Control. All independent.
None of them were or are connected to the Internet. When the Hard Wiring went in, there _was_ no Internet.
"Government Regulations" are irrelevant here, anymore than Government Regulations are needed to prevent one from sticking one's dick into a light socket.
If a "Facility" is connected to the Internet, it is a deliberate act. And yes, since 1987, we have had a Honey Pot.
Re: (Score:3)
Just a little thought, why does the network that control of a nuclear facility need to be connected to the internet? I'm not saying it should be unplugged, but why they couldn't simply make two separate network? One for computer, the other to control the facility.
It isn't connected to the internet . These authors do a good job of confusing the reader. They do not distinguish between systems that control actual nuclear related equipment, communications and administrative networks, facility controls (hvac), etc. They also dont distingush between facilities that do nuclear research in a lab with little risk to start with vs those that process high grade materials vs those that just store materials. And they try to make some jump to conclusions that power plants are in
Re: (Score:2)
It isn't connected to the internet . These authors do a good job of confusing the reader.
From the article: Our purpose is to show how all countries can improve the security of dangerous nuclear materials - NTI Co-Chairman and former U.S. Senator Sam Nunn.
They do not distinguish between systems that control actual nuclear related equipment, communications and administrative networks, facility controls (hvac), etc. They also dont distingush between facilities that do nuclear research in a lab with little risk to start with vs those that process high grade materials vs those that just store materials.
From the methodology used to produce the Threat Index: The NTI Index differentiates among three sets of countries: (a) countries with one kilogram or more of weapons-usable nuclear materials (countries with materials), (b) countries with less than one kilogram of or no weapons-usable nuclear materials (countries without materials), and (c) co
Re:Why does a nuclear facility need to be connecte (Score:4, Interesting)
Re: (Score:2)
Many moons ago, I had a friend who was a nuclear engineer at a power plant. His plant didn't have a separate computer network for the reactor simply because computers weren't allow to connect to the reactor. Anything piece of hardware with enough complexity to achieve Turing completeness was forbidden. When he wanted to add a monitoring circuit somewhere that included more than some piddly number of transistors, he had to document ever possible state that the system could enter.
That has been common practice for years. You can use one way 'data diodes' to pass information from control systems to monintoring networks, but even those monitoring networks are segregated from the corporate business network, which in turn has the only internet connections.
Re: (Score:2)
>> why does the network that control of a nuclear facility need to be connected to the internet?
So the operators can watch NetFlix from the control room. D-uh!
Re: (Score:3)
Stuxnet broke through airgaps via infected USB keys.
When you are against the NSA or similar entities, disconnecting from the internet is not enough to protect you from cyberattacks.
Homer Simpson (Score:1)
Re: (Score:1)
There are other ways to do things as well. What ever happened to having two computers, one on each network, and them connected via a serial cable with one of the wires snipped (Rx or Tx depending on point of view), so the receiving computer can only pull data from the serial device, stuff it in a log? This is a basic data diode, but I trust two 486 machines doing this far more than I trust some high-zoot vendor's offering, although EAL7+ is a pretty tough rating to get.
Say one needs to log data and export
Re: (Score:1)
Re: (Score:1)
Fortunately the reactors here in Belgium are so many decades old that there's no way they can be connected to the internet. Safe as can be!
Re: (Score:2)
If the local US grid fails in part or needs more power the nuclear plant can respond.
Other networks are used to recall the shift of workers to support the existing day/night shift if an event takes place. In the past it was with phones, pagers. Computer networking is hoped to help offer another way to help recall distant team members in t
Re: (Score:2)
They are not.
Bear in mind that the vast majority of reactors are pretty old; they were built before the Internet existed in its current state.
So the original monitoring and control systems were, and sometimes still are, beautifully steampunk, clonky, electromechanical beasts.
Ridiculously over-engineered and redundant, they have in many cases been worked far beyond their design lives.
Predicable problems being that spares, and people who know how to use them correctly, are getting scarce.
So, modern SCADA is g
Re: (Score:2)
Just a little thought, why does the network that control of a nuclear facility need to be connected to the internet? I'm not saying it should be unplugged, but why they couldn't simply make two separate network? One for computer, the other to control the facility.
That parallel network needs redundancy, and encrypted traffic. At least 4 different paths to every control centre.
The bank in which I worked, had two competitors providing network access. Both access points were in use, messages were routed to the path that was least busy.
For power distribution, there should be at least 4 paths, with 4 gateways and an ability to configure any or all 4 on or off.
Re: (Score:1)
They aren't.
The internal network for operational controls mirrors data to administrative servers so managers can check current plant status. The admin network connects to the internet via a firewalled gateway. (at most of the plants I've contracted with during the last decade)
WTF (Score:2)
My initial reaction would be that anyone who allows an internet connection anywhere inside a nuclear power plant, storage facility, or weapons system is in serious need of psychiatric help. Is that going to make office work, etc a bit harder? I should think it will. So what?
Re: (Score:3)
My initial reaction would be that anyone who allows an internet connection anywhere inside a nuclear power plant, storage facility, or weapons system is in serious need of psychiatric help. Is that going to make office work, etc a bit harder? I should think it will. So what?
And, although nuclear power plants are not the facilities they are talking about, and although nuclear plants absolutely don't connect their controls to the internet, you have reacted exactly as the authors wanted you to.
Re: (Score:2)
you have reacted exactly as the authors wanted you to.
The authors of this report are a panel of experts including current and formers directors from the IAEA and various Nuclear Regulatory Commissions around the world, Professors, research fellows, 14 authors in all.
To highlight how completely ridiculous your bias is one of "the authors" of the report is the Director, Nuclear Policy and Support at Duke Energy Corporation [linkedin.com] and what you're saying is that he is acting against the interests of a company to which he has legal obligations to protect the interests o
Fear because of lack of government? (Score:3)
The entire summary and article says we should be quaking in our boots because the government didn't mandate something specific in some countries. Also why is North Korea on the list?
Normally mdsolar posts some clickbaity fear article about how renewable is the only way to go, but quite frankly this is a big yawn.
Yea, mdsolar (Score:3)
Re: (Score:1)
Radioactive things (including the Sun) have the highest energy density. That's part and parcel with being radioactive.
So yes, engineers normally look to powerful sources of energy when trying to solve energy problems. You can't very well extract it from elsewhere.
Re:Yeah, mdsolar (Score:2)
You may have missed the point.
You're expecting mdsolar's posts to be anti-nuclear and, intentionally or not, he has done quite a good job of exposing the bias of the nuclear shills on /. by posting a report that is designed to support nuclear power. The authors are from IAEA, NRC, and big utility companies like Duke who operate 6-8 nuclear reactors.
The Nuclear shills are criticizing the report of an organisation whose founders state exists to strengthen global security by reducing the spread of nuclear,
Re: (Score:2)
Yep. Pretty sure he jacks off to high res JPEGs of photoelectric cells.
jusr a lame theory (Score:2)
The government cannot protect themselves (Score:1)
What? We should have government who cannot protect themselves protect nuke plants. Maybe that's the problem? Why is it people think the government has all the answers? The weakness in America is its dependency on government fixing everything.
Air gap it (Score:2)
Literally have a guy on site with a telephone... or with email and other stuff... fine... and if you want him to change the way the reactor is working... fucking pick up the phone and call him. Done.
Why are things that were easily managed decades ago suddenly becoming complicated? Airgap nuclear facilities.
If you absolutely MUST connect them over the internet then at the very least use a VPN to effectively digitally airgap it. Not as good... but no one without access to the VPN should be able to access the
Re: (Score:2)
Worked great until they took an infected thumb drive and plugged it into an airgapped network without checking it.
If you can't figure out how to prevent things like that then you're not competent to run security on a real network.
Everyone on this site will say "but what about this what about this what about this"... and they don't understand that there is a counter measure for every thing and if you do it all... then getting at you basically won't happen.
Look at the networks that are breached and you tend t
Re: (Score:2)
By this fuckwitted logic NO solution to any problem should EVER be used because in some cases ANY counter measure WILL be breached by SOMETHING.
So for example, we should make no effort to keep our water clean because occasionally some bacteria will get into it. We should make no effort to armor ourselves in war because after all occasionally armor fails. We should make no effort to provide power backups because after all sometimes power backups fail.
Etc.
You fail at logic.
While an air gapped system is not en
Re: (Score:2)
harsh language =/= emotional reaction.
What is more the supposition here is that you are scoring points by showing yourself to be in emotional control while I am out of control. Not only is the premise of your argument inherently fallacious but the fundamental assumption upon which it is based is also in error. :)
As to the rest... I'm not going back and forth with AC twits. Waste of my time.
Re: (Score:2)
Can =/= Will.
You are unworthy of my respect as evidenced by your pathetic arguments and I feel not only justified but actually obligated to treat you with as much disrespect as is possible over a text box.
What you don't seem to grasp is that your position is so asinine that it has revealed that you are unworthy of this discussion and are polluting the community with what can only be described as rampant stupidity.
I have no power to ban you or remove you from this place but I can at the very least show you w
Re: (Score:2)
Because I know for a fact that some of these systems are being probed remotely which is impossible unless the sites are not air gapped.
You're in error and I am not especially interested in continuing this line of discussion with you.
Good day, sir.
North Korea? (Score:2)
Re: (Score:2)
do you really expect that it would cause anyone outside the country to have second thoughts?
What are people outside the DPRK going to do? If the nuke sites are connected to anything it would be their own intranet. The nuclear program is one of DPRK's crown jewels so you know everyone involved is well guarded, closely watched, and (by DPRK standards at least) well paid/compensated. None of them are likely to try and sabotage/steal nuclear material, and any outside actor would have a very difficult time just getting into and accessing the material, much less actually get it out of the country.
Re: (Score:2)
Re: (Score:2)
Israel?? (Score:1)
The countries on the list include Argentina, China, Egypt, Israel, Mexico and North Korea.
Israel is behind the mother of all firewalls. Israel has units in the army in charge of cybersecurity. This article seems badly researched...
Wait... (Score:2)
Accounting Software (Score:2)