German Nuclear Plant Infected With Computer Virus (reuters.com)
archatheist shares a Reuters report: A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility's operations because it is isolated from the Internet, the station's operator said on Tuesday. The Gundremmingen plant, located about 120 km (75 miles) northwest of Munich, is run by the German utility RWE. The viruses, which include "W32.Ramnit" and "Conficker", were discovered at Gundremmingen's B unit in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods, RWE said.
Specifically, it was the control board in a crane. That controller is not connected to anything else; it is a standalone, locally controlled item.
Yes, the fuel transfer equipment is basically cranes and such to move the fuel in and out of the plant and into spent fuel pools. It has nothing to do with the control board which controls the reactor.
Windows doesn't run nuclear power plants. Windows displays an HMI that allows operators to interact with a specific control system with specifically custom coded control routines which run nuclear power plants. Nothing against that in the license.
Now that that misconception is out of the way, please tell me what I should run instead of Windows, then tell me which manufacturer of industrial control systems offers such a product. Every major manufacturer of industrial control systems switched to Windows many years ago for their HMIs; more recently, even back-end servers have switched to Windows too.
I work in the automation industry. PC-based control is very common now, and is increasing in popularity, and yes you have to firewall those systems off from the network, or air-gap them, depending on the threat model. However, even an air-gapped control system needs to have maintenance people move files on and off of it. In the typical PLC-based system there's typically a laptop with the programming software on it which you have to hook up to the PLC to program, debug, troubleshoot, etc. The fact is, a PC-based control system sometimes has advantages because the PC has the programming software on it and doesn't leave the controlled area. Still, people want to copy files, so you have to defend air-gapped systems anyway. It's a tough problem, and one that the major control system manufacturers aren't providing any assistance to help us solve either. Remember, most controls people have electrical/mechanical engineering degrees. In a large plant it should be IT's job to come up with security procedures as the automation people just aren't qualified.
"I have never let my schooling interfere with my education." - Mark Twain
The systems were set up in 2008. They probably do run Windows XP.
And don't forget that most industrial control systems are not modified after installation. Vendors are notoriously reluctant to support any changes at all, including basic OS updates.
My employer has equipment connected to unpatched XP SP1 systems because the vendor won't support anything else, and the organization is not willing to spend $200K+ to replace machines that are doing their jobs.
They are standalone systems because of issues exactly like this one. If someone took an infected file over, it would be a long time before we noticed. There is no value in traditional antivirus without signature updates---which might be a consideration if the vendor supported it with antivirus in the first place.
This is what a lack of competition looks like. They don't have to support basic security measures because there are only one or two other companies in the world that make comparable equipment, and they offer the same level of support. So our security is screwed until the government decides to regulate it.
And never mind all the man-hours we waste doing data transfers to/from these systems. That's just a cost of doing business.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.