Monday, 15 May 2017

Cyber threats: you ain’t seen nothin’ yet




 Annual mmit
The cyber security attack on Friday has highlighted the vulnerability of UK national infrastructure to malicious cyber threats.

So far it is the impact on the NHS that has hit the headlines. But it could be far worse: what if it were our nuclear power plants that were disrupted?

Next week- from 22 to 24 May -  the Vienna –based World Institute for Nuclear Security (WINS) , headed by  the former head of security at Sellafield, Dr Roger Howsley, is  participating in  the  2nd Annual Industrial Control Cyber Security Nuclear Summit,  in Warrington,  organised by Cyber Senate entitled with an important presentation  entitled“Transformation, Preparedness and Developing Cyber Security Assurance”. ((https://www.wins.org/index.php?article_id=263&id=258&bid=8))

It is instructive to  listen to the words of Russian cyber security expert, Eugene Kasperksy, founder and ceo  of the Moscow-based Kasperksy Labs,  warns governments engaged in cyber warfare that "everything you do - it's a boomerang: it will get back to you."
(http://www.independent.co.uk/life-style/gadgets-and-tech/news/russian-nuclear-power-plant-infected-by-stuxnet-malware-says-cybersecurity-expert-8935529.html))

Four years ago he warned that Russian nuclear power plant infected by Stuxnet malware programme - widely believed to have been created by the US and Israel - had infected a Russian nuclear power plant, Speaking at the Canberra Press Club 2013 in Australia’s capital city ((http://youtu.be/6tlUvb26DzI)) Kasperksy recounted a story from “the Stuxnet time” when a friend of his working in an unnamed nuclear power plant reported that the plant’s computers were “badly infected by Stuxnet”.
Kaspersky criticized government departments responsible for engineering cyber-attacks, The Stuxnet virus was first discovered in June 2010 and was found to specifically target industrial control systems manufactured by Siemens.
The initial target of the virus is widely thought to have been the centrifuges used in Iran’s uranium enrichment programme. Although the goal of the virus was extremely specific, its method of proliferation was indiscriminate and the code has since been found on computers across the world.

According to a report from the New York Times in 2012, the US administration  under Obama chose to continue cyber-attacks against Iran even after the existence of Stuxnet became public. Discussing the use of cyber-warfare by nation states, Kaspersky said:  “They don’t understand that it’s possible to shut down power plants, power grids, the space station. They don’t know what to do.”
Kaspersky also claimed that even the International Space Station (ISS) is not immune to viruses, although he did not indicate that it was Stuxnet that had made its way on board.
“The space guys from time-to-time are coming with USBs, which are infected,” said Kaspersky. “I'm not kidding. I was talking to Russian space guys and they said, 'yeah, from time-to-time there are viruses on the space station.’”
Although this may sound alarming it’s not unprecedented. In 2008 Nasa admitted that a virus designed to steal passwords had found its way on to the Windows laptops being used on the ISS.
"This is not the first time we have had a worm or a virus," said NASA spokesman Kelly Humphries at the time. "It’s not a frequent occurrence, but this isn’t the first time." The virus in question only affected computers used by astronauts for non-essential business such as email and science experiments, and is widely thought to have been brought on board – as Kaspersky suggests – with an infected USB stick.((http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=2&_r=2&seid=auto&smid=tw-nytimespolitics&pagewanted=all&)>

Here is what the US nuclear industry lobby group, the Nuclear Energy Institute says about nuclear cyber-security
Plant <
“Computer systems that help operate nuclear reactors and their safety equipment are isolated from the Internet to protect against outside intrusion. However, the nuclear industry takes measures to ensure that its nuclear plants are protected from cyber attacks.
Although the September 11 terrorist attacks had no cyber component, the nuclear energy industry took the initiative following those events to implement a cyber security program. The industry formed a task force, which developed comprehensive guidelines for protecting against cyber vulnerabilities. The NRC endorsed the industry guidelines in 2005. By May 2008, all operating nuclear plants had implemented the guidelines voluntarily.
(http://www.nei.org/Issues-Policy/Safety-Security/Plant-Security)

The US nuclear safety regulator, the Nuclear Regulatory Commission (NRC) security rule (http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/) issued in 2009 required enhancements to cyber security (http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html)  at nuclear power plants.

“All companies that operate nuclear plants or seek to license new plants have developed and submitted plans for cyber security, including requirements pertaining to individuals who have electronic means to interfere with plant safety, security or emergency preparedness functions or critical equipment that supports those functions”
(Cyber Security in Digital Instrumentation and Controls – an NRC briefing
http://www.nrc.gov/about-nrc/regulatory/research/digital/key-issues/cyber-security.html)


Key Points according to NRC are:

  *   The U.S. Nuclear Regulatory Commission (NRC) has extensive regulations for cyber security protection at nuclear energy facilities. Regulatory oversight by other agencies is unnecessary and would duplicate the already-strict NRC oversight.

  *   The nuclear energy industry implemented a cyber security program in 2002 to protect critical digital assets and the information they contain from sabotage or malicious use. The industry has been strengthening its response in the years since.

  *   The NRC in 2009 established regulations for cyber security at commercial reactors, even though critical computer systems used to control nuclear energy facilities are not connected to the Internet.

  *   The industry has worked with federal regulators—including the NRC, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC)—to ensure that digital assets are fully protected. FERC initially proposed rules to cover portions of a nuclear energy facility, but reversed its stance when it found that the NRC’s cyber security rulemaking covers the entire facility.

NRC stresses that “Nuclear facilities use digital and analog systems to monitor and operate equipment, and to obtain and store vital information. Analog systems do their job by following “hard-wired” instructions, while digital computer-based systems follow instructions (software) stored in memory. In addition, many plant computer systems are now linked to digital networks that extend across the plant, performing safety, security and emergency preparedness functions. Protecting these critical digital assets and the information they contain from sabotage or malicious use is called cyber security. All power reactor facilities licensed by the NRC must have a cyber security program.”


Cyber Security Requirements After 9/11

The NRC  explains:
“Shortly after the terrorist attacks of Sept. 11, 2001, the NRC ordered its nuclear power plant licensees to enhance their overall security. The order included specific requirements for addressing certain cyber security threats and vulnerabilities. The order contains sensitive information and is not available to the public,

In October 2004, the NRC again addressed cyber security concerns by publishing a self-assessment tool for use by nuclear power plants. In 2005, the NRC also endorsed a programme developed by the Nuclear Energy Institute to help nuclear power reactor licensees establish and maintain cyber security programs at their facilities. Additional cyber security guidance was published in January 2006 and March 2007. It included specifics for designing, developing and implementing protective measures for digital instrumentation and controls used in nuclear safety-related applications.

In March 2009, the NRC issued a new cyber security rule. This new section of the NRC Code of Federal Regulations, “Protection of Digital Computer and Communications Systems and Networks” (10 CFR 73.54), affected existing nuclear power reactor licensees and those corporations applying for new reactor licenses. The new regulation requires licensees to submit a new cyber security plan and an implementation timeline for NRC approval. The plan must show how the facility identified (or would identify) critical digital assets and describe its protective strategy, among other requirements.
In January 2010, the NRC published a Regulatory Guide that provides comprehensive guidance to licensees and applicants for licenses on an acceptable way to meet the requirements of 10 CFR 73.54. The guidance includes recommended best practices from such organizations as the International Society of Automation, the Institute of Electrical and Electronics Engineers, and the National Institute of Standards and Technology, as well as guidance from the Department of Homeland Security. This guide is publically available.)

The NRC has taken measures to maintain effective cyber protection measures, including maintaining equipment listed in the plant configuration management program and ensuring changes to the equipment are performed in a controlled manner. A cyber security impact analysis is performed before making changes to relevant equipment. The effectiveness of cyber security controls is periodically assessed, and enhancements are made where necessary. Vulnerability assessments are performed to ensure that the cyber security posture of the equipment is maintained.

Two years ago the United Nations nuclear watchdog body, the International Atomic Energy Agency (IAEA), held an international conference on Computer Security in a Nuclear World, at its Vienna headquarters (http://www-pub.iaea.org/iaeameetings/46530/International-Conference-on-Computer-Security-in-a-Nuclear-World-Expert-Discussion-and-Exchange)

The IAEA) has urged a global response to cyber attacks on nuclear facilities as concerns rise over the irreversible consequences of such incidents “Reports of actual or attempted cyber-attacks are now virtually a daily occurrence,” said IAEA Director General Yukiya Amano on Monday at the first International Conference on Computer Security in a Nuclear.The IAEA chief added that “the nuclear industry has not been immune. Last year alone, there were cases of random malware-based attacks at nuclear power plants, and of such facilities being specifically targeted.”

In an interview with Iranian Press TV, Director of the IAEA Division of Nuclear Security,  Khammar Mrabi,  said the conference aims to establish a “sustainable nuclear security” for all member states.
“We are here to help all out member states in an inclusive manner to establish an effective and sustainable nuclear security, including computer security,” he said.
The director of the Telecommunication Development Bureau of the International Telecommunication Union (ITU) also told Press TV that the main objective of the participants in the event is to precipitate a culture transformation with regard to the mounting threat of cybercrime and cyber-terrorism.
The most important aim of the conferencewas to change the dominant culture from cyber insecurity to "cyber peace," said Brahima Sanou. (“IAEA urges action on cyber threats to nuclear facilities,” IAEA news service, June 2, 2015 )

The recently published  WINS report, “Security  of IT and IC at Nuclear Facilities, warns “If vendors are permitted to have remote access to [nuclear ] plants systems for support and maintenance purposes there needs to be an adequate level of endpoint security. This includes access controls for the remote  equipment used for support and physical control over use of that equipment.”

It adds importantly:

“Such remote connectivity should be temporary, protected via Virtual Private Network (VPN) technologies and established as need, and terminated when no longer required.” The last point cannot be stressed enough, for if a VPN connection is left open, it would allow the air gap between internal and external computer systems to be circumvented.

The Warrington Cyber summit summarises its aims as follows: “All stakeholders have a new responsibility in ensuring the safety, reliability and stability of our Critical National Infrastructure. Public and Private partnerships are paramount and information sharing on an international level is of priority. The conference consists of presentations and debate from some of the Nuclear energy industry’s leading end users from Operational and IT backgrounds, Government influencers, leading cybersecurity authorities and some of the world’s most influential solution providers.  The event will focus on areas of vulnerability, threat detection, mitigation, and planning for the nuclear sector.”(http://industrialcontrolsecuritynuclear.com/)

Britain’s Office for Nuclear Regulation (ONR), responsible for nuclear security and safety, is participating. It is very timely indeed

No comments:

Post a Comment