Slashdot Mirror
Governments Don't Do Enough to Protect Nuclear Facilities From Cyberattacks (nytimes.com)
mdsolar writes: Twenty nations with significant atomic stockpiles or nuclear power plants have no government regulations requiring minimal protection of those facilities against cyberattacks, according to a study by the Nuclear Threat Initiative. The findings build on growing concerns that a cyberattack could be the easiest and most effective way to take over a nuclear power plant and sabotage it, or to disable defenses that are used to protect nuclear material from theft. The countries on the list include Argentina, China, Egypt, Israel, Mexico and North Korea.
Surely anybody responsible for security at a nuclear facility hasn't considered every possible way someone could cause a breach?
Just a little thought, why does the network that control of a nuclear facility need to be connected to the internet? I'm not saying it should be unplugged, but why they couldn't simply make two separate network? One for computer, the other to control the facility.
Elok
Exactly my thought!
Where are the mod points when you need them?!
I can't call that English
My initial reaction would be that anyone who allows an internet connection anywhere inside a nuclear power plant, storage facility, or weapons system is in serious need of psychiatric help. Is that going to make office work, etc a bit harder? I should think it will. So what?
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
You know, foolproof.
The entire summary and article says we should be quaking in our boots because the government didn't mandate something specific in some countries. Also why is North Korea on the list?
Normally mdsolar posts some clickbaity fear article about how renewable is the only way to go, but quite frankly this is a big yawn.
They probably already are. The entire article is about the fact that the government doesn't have regulations about it.
Construct an experiment to prove your theory.
I'm an American. I love this country and the freedoms that we used to have.
We have three systems- Computer Monitoring, (SCADA), PLC Control, and Dual Hard-Wired Control. All independent.
None of them were or are connected to the Internet. When the Hard Wiring went in, there _was_ no Internet.
"Government Regulations" are irrelevant here, anymore than Government Regulations are needed to prevent one from sticking one's dick into a light socket.
If a "Facility" is connected to the Internet, it is a deliberate act. And yes, since 1987, we have had a Honey Pot.
Just a little thought, why does the network that control of a nuclear facility need to be connected to the internet? I'm not saying it should be unplugged, but why they couldn't simply make two separate network? One for computer, the other to control the facility.
It isn't connected to the internet . These authors do a good job of confusing the reader. They do not distinguish between systems that control actual nuclear related equipment, communications and administrative networks, facility controls (hvac), etc. They also dont distingush between facilities that do nuclear research in a lab with little risk to start with vs those that process high grade materials vs those that just store materials. And they try to make some jump to conclusions that power plants are included, all of which works toward their agenda.
In the US, those are privately owned business assets. There is no fucking reason for the government to provide any welfare to those businesses in the form of free security services.
Everything he posts is either anti-nuke FUD or solar power fantasy.
Many moons ago, I had a friend who was a nuclear engineer at a power plant. His plant didn't have a separate computer network for the reactor simply because computers weren't allow to connect to the reactor. Anything piece of hardware with enough complexity to achieve Turing completeness was forbidden. When he wanted to add a monitoring circuit somewhere that included more than some piddly number of transistors, he had to document ever possible state that the system could enter.
What? We should have government who cannot protect themselves protect nuke plants. Maybe that's the problem? Why is it people think the government has all the answers? The weakness in America is its dependency on government fixing everything.
You thought just like the author wanted you to think, regardless of the facts.
Literally have a guy on site with a telephone... or with email and other stuff... fine... and if you want him to change the way the reactor is working... fucking pick up the phone and call him. Done.
Why are things that were easily managed decades ago suddenly becoming complicated? Airgap nuclear facilities.
If you absolutely MUST connect them over the internet then at the very least use a VPN to effectively digitally airgap it. Not as good... but no one without access to the VPN should be able to access the reactor's systems.
Yes yes, there are ways to break a VPN... but then there are ways to secure a VPN against those ways.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
>> two separate networks...
Yes, there are.
>> the government doesn't have regulations about it.
Yes, it is does. ...
And Yes, it is being carried over to every other generation and transmission entity (in the U.S., at least).
I love sensationalist reporting.
>> why does the network that control of a nuclear facility need to be connected to the internet?
So the operators can watch NetFlix from the control room. D-uh!
. . . is lost on these people. Ghod forbid, you have to hit the KVM button. . .
Not so much ... It's not the gov job to do so : it should be normal practice...
I can't call that English
This is a country where the ruler executed the defense minister (reportedly one reason was because he fell asleep at a military rally) by shooting him with anti-aircraft cannon in front of hundreds of people. I'm pretty sure they don't need a law and that it's generally understood in the country that you don't mess with the nukes, much less try to actually steal them.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
>> two separate networks...
Yes, there are.
>> the government doesn't have regulations about it.
Yes, it is does. ...
And Yes, it is being carried over to every other generation and transmission entity (in the U.S., at least).
I love sensationalist reporting.
There certainly is published regulation regarding US nuclear power plant cyber security. There is less available regarding weapons facilities. The author chose his words carefully to make sure the average reader does not distinguish between the two, nor facilities that do nuclear related R&D but have no significant amount of nuclear material that would pose any kind of threat.
Stuxnet broke through airgaps via infected USB keys.
When you are against the NSA or similar entities, disconnecting from the internet is not enough to protect you from cyberattacks.
Many moons ago, I had a friend who was a nuclear engineer at a power plant. His plant didn't have a separate computer network for the reactor simply because computers weren't allow to connect to the reactor. Anything piece of hardware with enough complexity to achieve Turing completeness was forbidden. When he wanted to add a monitoring circuit somewhere that included more than some piddly number of transistors, he had to document ever possible state that the system could enter.
That has been common practice for years. You can use one way 'data diodes' to pass information from control systems to monintoring networks, but even those monitoring networks are segregated from the corporate business network, which in turn has the only internet connections.
It is normal practice.
Only needs doughnuts, no interweb for him.
I trust you aren't surprised by this? The problem is that there isn't enough 'knowledgeable public support' to combat these loonies...it can't just be done by industry because its so easy to make the industry the 'boogyman' such that no matter what they say or do it's never enough & never believed...
Didn't Matthew Broderick adequately demonstrate this risk in the 80's?
There are other ways to do things as well. What ever happened to having two computers, one on each network, and them connected via a serial cable with one of the wires snipped (Rx or Tx depending on point of view), so the receiving computer can only pull data from the serial device, stuff it in a log? This is a basic data diode, but I trust two 486 machines doing this far more than I trust some high-zoot vendor's offering, although EAL7+ is a pretty tough rating to get.
Say one needs to log data and export it to people outside a site. Assuming the data isn't of that much volume, a humble serial or parallel connection can work. If the data is more than that, then (although it isn't anywhere near as secure), two boxes sharing a clustered volume via FC and zoned together. This way, data can move out when needed, but one can't island hop to the inner network.
Of course, this isn't 100% secure, as Stuxnet showed us this... but it reduces the problem to "just" physical access control, and physical access control is quite a well-solved problem.
did everyone already forget stuxnet? its not that there is a network connection into these facilities, its that people routinly carry their own connection to the internet with them, or that computers used to service equipment were at one point connected to the internet.
the problem is that in the race to be a market leader with new features and new capabilities, companies often overlook security or fall into a false sense of security through another vendors software.
That's how nuclear facilities were connected in the TV show "24."
The countries on the list include Argentina, China, Egypt, Israel, Mexico and North Korea.
Israel is behind the mother of all firewalls. Israel has units in the army in charge of cybersecurity. This article seems badly researched...
Fortunately the reactors here in Belgium are so many decades old that there's no way they can be connected to the internet. Safe as can be!
This comment is unrelated to the article. The only time the authors even mention the internet is here:
"The most famous cyberattack on a nuclear facility was done by the United States and Israel: the effort to destroy and disable nuclear centrifuges at the Natanz nuclear enrichment plant in Iran. That program, code-named Olympic Games, used a worm that was later named Stuxnet to knock the centrifuges out of operation. It did not release radioactive material into the atmosphere, but it was a vivid demonstration of the vulnerability of nuclear facilities to cyberattack. Iran had completely isolated the Natanz facility from the Internet, but the originators of the program found ways to insert it."
Specifically saying that the facility was cyberattacked despite not being connected to the internet.
Computers The Internet
To be fair the USA and most western nations aren't mentioned in this case.
You mean complete air gap security isolation from the internet IS NOT the policy for every nuclear site? How stupid are people?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Many of the US sites are old, really old. So a 1980's computer like network is used for logging to keep track of wider electrical grid and site conditions in real time.
If the local US grid fails in part or needs more power the nuclear plant can respond.
Other networks are used to recall the shift of workers to support the existing day/night shift if an event takes place. In the past it was with phones, pagers. Computer networking is hoped to help offer another way to help recall distant team members in todays modern telco world. Now more advance logging and national networks can share vital data about events too.
More digital like networking lets a few control staff know more about the more distant parts of a plant on a computer rather than 1970's dials and paper print outs.
So a lot of networks in and out to solve a few issues that help the wider US grid respond, help old reactors function for a few more decades, allow todays staff to do more with much older systems.
As far a security news is needed, its mostly about front companies, multinationals selling or renting more "security" products and services to the wealthy US energy sector that still has decades of security money on the table.
Great for the contractors with expensive new security product lines over 10's of sites. For that cyber 'news' is needed to help push mandatory upgrades via grass roots astroturfing or political leaders.
Domestic spying is now "Benign Information Gathering"
One attack might be to renumbered inventory in software so a theft won't be noticed immediately.
They are not.
Bear in mind that the vast majority of reactors are pretty old; they were built before the Internet existed in its current state.
So the original monitoring and control systems were, and sometimes still are, beautifully steampunk, clonky, electromechanical beasts.
Ridiculously over-engineered and redundant, they have in many cases been worked far beyond their design lives.
Predicable problems being that spares, and people who know how to use them correctly, are getting scarce.
So, modern SCADA is getting installed slowly. These systems are never, repeat never, connected to the outside.
Whilst of course this does not preclude a STUXNET-type attack, it does make any easy internet attack impossible.
What is interesting about this review of nuclear energy rules, is it signals a pretty major resurgence of nuclear energy generations, with safer designs slowly coming to fruition. This in conjunction with renewables (renewables in the burbs and nuclear as backup and in commercial, industrial and high density residential). You simply can not do it all with renewables because they a hugely subject to environmental chaos (weather, earthquakes et al) and you don't want you power down for months whilst you attempt to rebuild without power. Nuclear is a 100% requirement in order to achieve near 100% reliability in supply, a demand for any metropolitan area). Fossil fuels are most definitely on the way out.
Chaos - everything, everywhere, everywhen
But if they don't get attacked, the population will actually be safe, and we won't get to raise our operating budget *AND* strangle their liberties in response to the attacks that we allowed!
There's a WAR going on here, and we don't intend to just let freedom win.
It isn't connected to the internet . These authors do a good job of confusing the reader.
From the article: Our purpose is to show how all countries can improve the security of dangerous nuclear materials - NTI Co-Chairman and former U.S. Senator Sam Nunn.
They do not distinguish between systems that control actual nuclear related equipment, communications and administrative networks, facility controls (hvac), etc. They also dont distingush between facilities that do nuclear research in a lab with little risk to start with vs those that process high grade materials vs those that just store materials.
From the methodology used to produce the Threat Index: The NTI Index differentiates among three sets of countries: (a) countries with one kilogram or more of weapons-usable nuclear materials (countries with materials), (b) countries with less than one kilogram of or no weapons-usable nuclear materials (countries without materials), and (c) countries with nuclear facilities, the sabotage of which could result in a significant radiological release with serious off-site health consequences.
And they try to make some jump to conclusions that power plants are included, all of which works toward their agenda.
From a 2009 White House joint press release by the President of the United States and President of the Russian Federation: The United States of America and the Russian Federation confirm their commitment to strengthening their cooperation to prevent the proliferation of nuclear weapons and stop acts of nuclear terrorism. We bear special responsibility for security of nuclear weapons. While we reconfirm that security at nuclear facilities in the United States and Russia meets current requirements, we stress that nuclear security requirements need continuous upgrading.
If you are so blinded by your shilling for Nuclear Power that you are prepared to call the process of reducing access to Highly Enriched, weapons grade Uranium to terrorists an 'agenda' you must either have a terrorist agenda of your own or you are so profoundly stupid that you cannot see something that both the US *and* Russian Presidents agree are requirements for "a common vision of the growth of clean, safe, secure and affordable nuclear energy for peaceful purposes".
My ism, it's full of beliefs.
nor facilities that do nuclear related R&D but have no significant amount of nuclear material that would pose any kind of threat.
Obviously you have not even looked at this report. The methodology makes a clear distinction
My ism, it's full of beliefs.
He's talking about the authors of this article, you fucking idiot.
Maybe you didn't notice there are two links on the page. It's so much fun when you guys get pissed off, it makes me laugh at you even more because your foolishness deserves ridicule and the *best* you can do is anonymously troll me.
My ism, it's full of beliefs.
You may have missed the point.
You're expecting mdsolar's posts to be anti-nuclear and, intentionally or not, he has done quite a good job of exposing the bias of the nuclear shills on /. by posting a report that is designed to support nuclear power. The authors are from IAEA, NRC, and big utility companies like Duke who operate 6-8 nuclear reactors.
The Nuclear shills are criticizing the report of an organisation whose founders state exists to strengthen global security by reducing the spread of nuclear, biological and chemical weapons, and also to reduce the risk that they will actually be used.. Who wouldn't want that, especially if you support nuclear power?
They're arguing against an initiative designed to improve the acceptance of Nuclear power supported by the US and Russians presidents.
They're criticizing a regulatory framework that the NRC has committed to implementing in conjunction with the DOE, FBI, DOHS that lays the regulatory framework for extending Nuclear power around the world.
This is what it looks like when Industry, in this case the nuclear industry, push government when *they* recognise a risk that they want legal frameworks to deal with. What Industry is saying to government is that they are lagging because of the lack of progress on international regulatory frameworks being in place to force *all* radiological materials handlers to comply.
It shows that our nuclear shill friends aren't examining or understanding what is presented and instead are relying on their internal bias and pre-conceived judgement. mdsolar has posted something pro-nuclear, that critiques government's lack of progress on international law required to secure Nuclear power. The appropriate response for a sincere supporter of Nuclear Power would be to say 'boo, government, bad, holding nuclear industry back get those laws in place' but they are too busy pointing fingers at anti-nuke NIMBYs in combi vans that have very little influence over the process. Their great anti-nuke conspiracy theory.
Intentionally or not, mdsolar has gotten the nuclear shills to criticize a report that supports the development of Nuclear power.
My ism, it's full of beliefs.
Just a little thought, why does the network that control of a nuclear facility need to be connected to the internet? I'm not saying it should be unplugged, but why they couldn't simply make two separate network? One for computer, the other to control the facility.
That parallel network needs redundancy, and encrypted traffic. At least 4 different paths to every control centre.
The bank in which I worked, had two competitors providing network access. Both access points were in use, messages were routed to the path that was least busy.
For power distribution, there should be at least 4 paths, with 4 gateways and an ability to configure any or all 4 on or off.
Leslie Satenstein Montreal Quebec Canada
They aren't.
The internal network for operational controls mirrors data to administrative servers so managers can check current plant status. The admin network connects to the internet via a firewalled gateway. (at most of the plants I've contracted with during the last decade)
NRRPT/RCT