
Friday, October 9, 2015

Report finds many nuclear power plant systems “insecure by design”

A study of the information security measures at civilian nuclear energy facilities around the world found a wide range of problems at many facilities that could leave them vulnerable to attacks on industrial control systems—potentially causing interruptions in electrical power or even damage to the reactors themselves.

The study, undertaken by Caroline Baylon, David Livingstone, and Roger Brunt of the UK international affairs think tank Chatham House, found that many nuclear power plants’ systems were “insecure by design” and vulnerable to attacks that could have wide-ranging impacts in the physical world—including the disruption of the electrical power grid and the release of “significant quantities of ionizing radiation.” It would not require an attack with the sophistication of Stuxnet to do significant damage, the researchers suggested, based on the poor security present at many plants and the track record of incidents already caused by software.

The researchers found that many nuclear power plant systems were not “air gapped” from the Internet and that they had virtual private network access that operators were “sometimes unaware of.” And in facilities that did have physical partitioning from the Internet, those measures could be circumvented with a flash drive or other portable media introduced into their onsite network—something that would be entirely too simple given the security posture of many civilian nuclear operators. The use of personal devices on plant networks and other gaps in security could easily introduce malware into nuclear plants’ networks, the researchers warned.

The security strategies of many operators examined in the report were “reactive rather than proactive,” the Chatham House researchers noted, meaning that there was little in the way of monitoring of systems for anomalies that might warn of a cyber-attack on a facility. An attack could be well underway before it was detected. And because of poor training around information security, the people responsible for operating the plants would likely not know what to do.

That problem is heightened by what the researchers characterized as a “communication breakdown” between IT security professionals and the plant operations staff, and a simple lack of awareness among plant operations people about the potential dangers of cyber-attacks. Cultural differences between IT and nuclear engineering culture cause friction at some facilities, in fact—making it difficult for IT and security staff to get across the problem with the poor security practices in the plants.

Unfortunately, there’s no way to tell how bad the problem really is, because the nuclear industry doesn’t talk about breaches.

“The infrequency of cyber security incident disclosure at nuclear facilities makes it difficult to assess the true extent of the problem and may lead nuclear industry personnel to believe that there are few incidents,” the researchers wrote in their summary. “Moreover, limited collaboration with other industries or information-sharing means that the nuclear industry tends not to learn from other industries that are more advanced in this field.”

These issues, combined with a lack of regulation, may lead to an underestimation of risk by nuclear operators and result in a lack of budgeting or planning for reducing the risk of attack.

Friday, April 26, 2013

The Future of Warfare Is Warfare in Cyberspace

National Security Agency Tasked with Targeting Adversaries' Computers for Attack Since Early 1997, According to Declassified Document

"The Future of Warfare Is Warfare in Cyberspace," NSA Declared

"Cyberspace and U.S. National Security" - New Archive Posting Explores Wide Range of U.S. Cyber Concerns, Experiences and Counter-Activities

National Security Archive Electronic Briefing Book No. 424

Posted - April 26, 2013

Edited by Jeffrey T. Richelson

For more information contact:
Jeffrey T. Richelson 202/994-7000 or nsarchiv@gwu.edu

http://www.nsarchive.org

Washington, D.C., April 26, 2013 - Since at least 1997, the National Security Agency (NSA) has been responsible for developing ways to attack hostile computer networks as part of the growing field of Information Warfare (IW), according to a recently declassified internal NSA publication posted today by the non-governmental National Security Archive ("the Archive") at The George Washington University. Declaring that "the future of warfare is warfare in cyberspace," a former NSA official describes the new activity as "sure to be a catalyst for major change" at the super-secret agency.

The document is one of 98 items the Archive is posting today that provide wide-ranging background on the nature and scope of U.S. cyber activities.

Activities in cyberspace - both defensive and offensive - have become a subject of increasing media and government attention over the last decade, although usually the focus has been on foreign attacks against the United States, most notably the Chinese government's reported exploitation of U.S. government, commercial and media computer networks. At the same time, the apparent U.S.-Israeli created Stuxnet worm, designed to damage Iranian centrifuges, has put the spotlight on the United States' own clandestine cyber efforts.

The NSA's new assignment as of 1997, known as Computer Network Attack (CNA), comprises "operations to disrupt, deny, degrade or destroy" information in target computers or networks, "or the computers and networks themselves," according to the NSA document.

Today's posting by the Archive highlights various aspects of U.S. cyberspace activities and concerns going back to the late 1970s. The documents - obtained from government and private websites as well as Freedom of Information Act requests - originate from a wide variety of organizations. These include the White House and National Security Council, the National Security Agency, the Departments of Defense, Energy, and Homeland Security, the military services, the General Accounting/Government Accountability Office, and the Congressional Research Service - as well as three private organizations (Project 2049, Mandiant Corporation, and Symantec).

Among the highlights of the documents are:

* The NSA's earlier concerns about the vulnerability of sensitive computer systems to either viruses or compromise through foreign intelligence service recruitment of computer personnel

* The Secretary of Defense's March 1997 authorization of the National Security Agency to conduct computer network attack operations

* Detailed discussions of Chinese computer network exploitation activities

* Analyses of the Stuxnet worm

* Extensive treatments of intelligence collection concerning U.S. technologies through computer network exploitation

Check out today's posting at the National Security Archive website - http://www.nsarchive.org

Find us on Facebook - http://www.facebook.com/NSArchive

Unredacted, the Archive blog - http://nsarchive.wordpress.com/

http://twitter.com/NSArchive

________________________________________________________
THE NATIONAL SECURITY ARCHIVE is an independent non-governmental research institute and library located at The George Washington University in Washington, D.C. The Archive collects and publishes declassified documents acquired through the Freedom of Information Act (FOIA). A tax-exempt public charity, the Archive receives no U.S. government funding; its budget is supported by publication royalties and donations from foundations and individuals.