Slashdot Mirror
Nuclear Plants Leak Critical Alerts In Unencrypted Pager Messages (arstechnica.com)
mdsolar quotes a report from Ars Technica: A surprisingly large number of critical infrastructure participants -- including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers -- rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage. Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware. In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. A heating, venting, and air-conditioning system, for instance, used an e-mail-to-pager gateway to alert a hospital to a potentially dangerous level of sewage water. Meanwhile, a supervisory and control data acquisition system belonging to one of the world's biggest chemical companies sent a page containing a complete "stack dump" of one of its devices. Other unencrypted alerts sent by or to "several nuclear plants scattered among different states" included:
-Reduced pumping flow rate
-Water leak, steam leak, radiant coolant service leak, electrohydraulic control oil leak
-Fire accidents in an unrestricted area and in an administration building
-Loss of redundancy
-People requiring off-site medical attention
-A control rod losing its position indication due to a data fault
-Nuclear contamination without personal damage Trend Micro researchers wrote in their report titled "Leaking Beeps: Unencrypted Pager Messages in Industrial Environments": "We were surprised to see unencrypted pages coming from industrial sectors like nuclear power plants, substations, power generation plants, chemical plants, defense contractors, semiconductor and commercial manufacturers, and HVAC. These unencrypted pager messages are a valuable source of passive intelligence, the gathering of information that is unintentionally leaked by networked or connected organizations. Taken together, threat actors can do heavy reconnaissance on targets by making sense of the acquired information through paging messages. Though we are not well-versed with the terms and information used in some of the sectors in our research, we were able to determine what the pages mean, including how attackers would make use of them in an elaborate targeted attack or how industry competitors would take advantage of such information. The power generation sector is overseen by regulating bodies like the North American Electric Reliability Corporation (NERC). The NERC can impose significant fines on companies that violate critical infrastructure protection requirements, such as ensuring that communications are encrypted. Other similar regulations also exist for the chemical manufacturing sector."
-Reduced pumping flow rate
-Water leak, steam leak, radiant coolant service leak, electrohydraulic control oil leak
-Fire accidents in an unrestricted area and in an administration building
-Loss of redundancy
-People requiring off-site medical attention
-A control rod losing its position indication due to a data fault
-Nuclear contamination without personal damage Trend Micro researchers wrote in their report titled "Leaking Beeps: Unencrypted Pager Messages in Industrial Environments": "We were surprised to see unencrypted pages coming from industrial sectors like nuclear power plants, substations, power generation plants, chemical plants, defense contractors, semiconductor and commercial manufacturers, and HVAC. These unencrypted pager messages are a valuable source of passive intelligence, the gathering of information that is unintentionally leaked by networked or connected organizations. Taken together, threat actors can do heavy reconnaissance on targets by making sense of the acquired information through paging messages. Though we are not well-versed with the terms and information used in some of the sectors in our research, we were able to determine what the pages mean, including how attackers would make use of them in an elaborate targeted attack or how industry competitors would take advantage of such information. The power generation sector is overseen by regulating bodies like the North American Electric Reliability Corporation (NERC). The NERC can impose significant fines on companies that violate critical infrastructure protection requirements, such as ensuring that communications are encrypted. Other similar regulations also exist for the chemical manufacturing sector."
I can't speak for chemical plants etc, but I do currently work at a nuclear power plant as an engineer.
Pagers are not used for any control function of the plant. Any digital control system is scrutinized for cyber security.
The only use of pagers is as part of a call out system, so that in case of a plant event, people are alerted to come in to resolve the issue. This is rarely used. As part of this system they also call people on the phone. No specific plant information is ever transmitted as part of this call, just the classification of the plant event. I know this because I function as a communicator in the Emergency Response Organization.
I wish people would stop spreading lies about nukes. There are certainly some negative aspects of nuclear power. If you don't think it is worth it, then fine that is your opinion, and feel free to defend it in a rational, intellectually honest way. That people have to make stuff up to justify that opinion is telling about how strong their position is.