Search engine can find the VPN that NUCLEAR PLANT boss DIDN'T KNOW was there - report

The nuclear industry is ignorant of its cybersecurity shortcomings, claimed a report released today, and despite understanding the consequences of an interruption to power generation and the related issues, cyber efforts to prevent such incidents are lacking. The report adds that search engines can "readily identify critical …

  1. Anonymous Coward

    Don't worry. It's all fine just ask Lewis Page.

    1. Synonymous Howard

      Having Trident will keep us safe from attack

      All the politicos (bar Jezzer) and military types (inc ex-RN LP) keep telling us, so it must be true.

      So when ISIS blow-up a nuclear power station by remote control we can drop a nuke or two on them? Nah, thought not.

      1. djack

        Re: Having Trident will keep us safe from attack

        But Jezzer's* response would be to invite them round for a cup of tea whilst apologising for causing them the trouble of having to blow up the reactor.

        I know which one of the two is the bigger deterrent.

        * I totally agree with him on most of his policies but his attitudes towards defence scare the hell out of me.

      2. joea

        Re: Having Trident will keep us safe from attack

        How will a piece of chewing gum do that?

        1. Phil W

          Re: Having Trident will keep us safe from attack

          It'll blast our enemies into Orbit.

      3. This post has been deleted by its author

  2. Little Mouse

    The sooner we can get a self-aware A.I. in charge of our nuclear facilities, the sooner we can all rest easy in our beds.

    We should probably get one to manage all our missile silos too.

    1. Chris Miller
      Terminator

      You forgot the icon :)

    2. John G Imrie

      Mein Führer

      I CAN WALK !!

  3. Destroy All Monsters Silver badge
    Headmaster

    Why are industrial control systems designed by babes in the woods?

    Really. Code-signing with all the side-dishes should be at the TAKEN-FOR-GRANTED INFRASTRUCTURE level by now.

    Conservatism?

    Replace the control computers by BlackBerrys?

    I recently came across a Simatec WinCC control system used in a "in case of problems, SHWILLHTF situation" not nuclear but "interesting infrastructure" ... it was bad. Internet Explorer 6 (though going through proxy out to the Internets), unpatched Win 2008R2, admin login, the works...

    (Also, this article needs another stock image. We are not talking nuclear tests. Something from that "China Syndrome" movie, maybe?)

    1. Whitter
      Headmaster

      Re: Why are industrial control systems designed by babes in the woods?

      "...Code-signing with all the side-dishes should be at the TAKEN-FOR-GRANTED INFRASTRUCTURE level by now..."

      "...As most industrial control systems at nuclear facilities were developed in the 1960s and 1970s..."

      "by now" is indeed true: "by then" alas is not.

      1. Naselus

        Re: Why are industrial control systems designed by babes in the woods?

        ""by now" is indeed true: "by then" alas is not."

        It does go some way to highlight the incredibly low priority hardware upgrades get in around nukes - both reactors and missiles. There was that silo in the mid-west where the (3 foot thick) security door had been propped open with a brick for the last ten years and they were still using 8" floppy disks because that's what was current when the computer system was installed... the US government is shockingly cavalier with these things.

        1. djack

          Re: Why are industrial control systems designed by babes in the woods?

          "It does go some way to highlight the incredibly low priority hardware upgrades get in around nukes"

          It is necessarily a lower priority than "it must perform *exactly* to spec". Any change has to undergo a costly and vigorous testing to ensure that, for example, something that previously took, say 2.5ms still takes 2.5ms, no faster, no slower.

          I was working at a Nuke site when we were migrating the business systems from Novell/Win3.1/Wordperfect to Windows NT Server/NT Workstation/Word. By far the most difficult bit was the word processor. Although the business/admin computer systems did not need to be at spec, new printouts of the site documentation, work orders and such had to look exactly as they did before.

        2. Anonymous Coward

          Re: Why are industrial control systems designed by babes in the woods?

          Updates to nuclear systems will always be infrequent because they're not the sort of systems where you can just dump the responsibility for finding bugs upon the end-users.

          1. Naselus

            Re: Why are industrial control systems designed by babes in the woods?

            "Updates to nuclear systems will always be infrequent because they're not the sort of systems where you can just dump the responsibility for finding bugs upon the end-users."

            'Infrequent update' vs 'uses systems that are now older than 90% of the people working there' are different things. Amongst other things, several silos have had hardware faults that cannot be repaired properly - hence the security door being propped open with the brick. No-one makes the electronics that are compatible with the security system anymore. The result? The security is bypassed by users, and so may as well not be there at all.

            And this is where we keep the things that can end civilization as we know it. If the lock on my front door stops working, I replace it. If the lock on my nuclear weapons silo stops working, I just stop locking the door...

    2. James Micallef Silver badge

      Re: Why are industrial control systems designed by babes in the woods?

      "Why are industrial control systems designed by babes in the woods?"

      It was well-explained by the article - whoever designed such systems never dreamt that they could be remotely accessed so easily over the Internet*. This is one of the exact points where anti-nuclear protesters have inadvertently made nuclear power so much more dangerous. If upgrading a nuclear plant was not so controversial, maybe we would have modern plants with modern safety systems** instead of 50-year-old reactors based on 60-year-old designs.

      * Note that is still an epic fail of not being air-gapped. I mean, the article says "the commercial benefits of internet connectivity mean[s] that nuclear facilities" are increasingly networked.", but I really fail to see what commercial benefits there are to not having your plant operators on-site. You're really risking the operation of a whole plant to save a few thousand bucks???

      **One would hope, at least, that are better than the current ones

    3. Anonymous Coward
      Headmaster

      Re: Why are industrial control systems designed by babes in the woods?

      I recently came across a Simatec WinCC control system used in a "in case of problems, SHWILLHTF situation" not nuclear but "interesting infrastructure" ... it was bad. Internet Explorer 6 (though going through proxy out to the Internets), unpatched Win 2008R2, admin login, the works...

      Errm, "Simantec"? I thought Siemens made WinCC?

      1. Destroy All Monsters Silver badge

        Re: Why are industrial control systems designed by babes in the woods?

        Close enuff: SIMATIC WinCC

      2. Anonymous Coward

        Re: WinCC

        "Simatec WinCC "

        Wrong.

        "Errm, "Simantec"? "

        Also wrong (though Siemens do make WinCC).

        "Symantec WinCC"

        Unthinkably wrong, though Symantec did do some good initial work around Stuxnet. Langner was better in most respects though.

        "Simatic WinCC"

        That's more like it.

        FFS, how hard can it be, if you want to look credible? I mean it's not like having to speel Vodafone right is it.

  4. Anonymous Coward

    Ideal vs Reality

    In an ideal security situation the nuclear facilities systems would be locked down and uncrackable, but security measures usually affect the day to day operations and sow a false sense of security.

    I'd prefer the guys stood next to the hot bits to have full and unfettered access for speed and ease.

    After all I'd hate the world to end to the words "What's the soddin' password!"

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Ideal vs Reality

      After all I'd hate the world to end to the words "What's the soddin' password!"

      Well, "Hand me the launch codes" is the semantic equivalent, really.

      Did the Air Force change them from "0000000" btw?

    2. Naselus

      Re: Ideal vs Reality

      "I'd prefer the guys stood next to the hot bits to have full and unfettered access for speed and ease."

      In a world where you need a 4-digit code to enter the shared laundry room, I think that we can perhaps expect the nuclear reactor control room to at least adopt a similar level of security to the machine you use to clean your y-fronts.

      1. Anonymous Coward

        Re: Ideal vs Reality

        Not when SECONDS count...

    3. Mark 85

      Re: Ideal vs Reality

      I'd prefer the guys stood next to the hot bits to have full and unfettered access for speed and ease.

      I guess it's time to bring back the SCRAM guy and his trusty axe then.

  5. Anonymous Coward

    Right now might be a good time to start air-gapping the fucking things then. That'll buy some time, at least.

    1. Steve Davies 3 Silver badge
      Mushroom

      Don't forget the

      Faraday Cages as well.

      Air Gaps just don't hack it these days (unless the air gap is measured in Klingons)

      1. Anonymous Coward

        Re: Don't forget the

        Well an air gap will do as an interim stopgap measure. I want that sorted by Friday, do you hear me nuclear industry?

  6. Dr. Mouse

    "lack of executive-level awareness"

    Is this not a fundamental global law? Executives are unaware of anything but the bottom line.

    1. Red Bren

      Can't upvote this enough!

      Car maker cheats to meet emissions tests. Board never asks how they passed the tests as long as the cars sell.

      Newspaper hacks voicemail to scoop exclusive celebrity gossip. Board never questions their sources as long as the papers sell.

      Banks mis-sell PPI, sub-prime loans, etc and collapse the global economy. Board turned a blind eye until the whole scam collapsed.

      It's time that executives were held criminally responsible for the wrongdoing that happens on their watch. Pleading "I didn't know!" should result in jail-time for corporate negligence.

      1. Anonymous Coward

        Re: Can't upvote this enough!

        Banks mis-sell PPI, sub-prime loans, etc and collapse the global economy.

        Would never work without state-supported bubble economics and bailout money.

        The fish rots. But economic policies are powerful rot accelerators.

        (As a side note the "repeal of tax credits" comes to mind, I dunno. Politicians are even too chicken to call a tax increase a "tax increase")

      2. chris 17 Silver badge

        Re: Can't upvote this enough!

        @Red Bren

        Don't forget the engines still pass the stringent US tests. Just like the others VW built the engines to pass the emission tests which it did. The test should have been more robust.

        Same applies to this story, governments set regulations & the nuke operators do the bare minimum to pass those regulations, exceeding them, no matter how safer or practical will cost them more money and raises the risk of not passing the regulation now or in the future. For example how do they meet a requirement for a modern monitoring, alerting & management system if the required sensors & reporting systems are air gapped from each other? At some point somewhere in the plant some data needs to cross the net. Nuke plant master melt down alarm needs to alert someone.

        1. DanielN

          Re: Can't upvote this enough!

          The cars do not pass the tests. The test is that a company representative provides a test vehicle and signs under penalty of perjury that the emissions will be the same as when production cars are driven by customers. The test is a legal test, not a technological one. There is no technological test that can detect a sufficiently rigged test article. The US EPA should set up roadblocks at State borders and randomly test cars, but they are not run by competent scientists.

          One way data connections are easy to create. For example, install only the outgoing half of a fiber optic cable, and fill the receiver with black glue.

          1. Gordon 10
            FAIL

            Re: Can't upvote this enough!

            Oh really? How many comms protocols support true one way comms over fibre?

            1. Richard 12 Silver badge

              Re: Can't upvote this enough!

              One-way serial is extremely common.

              I've installed that more times than I can count!

          2. Anonymous Coward

            Re: One way data connections

            "One way data connections are easy to create. For example, install only the outgoing half of a fiber optic cable, and fill the receiver with black glue."

            How on earth is that supposed to work in the era when everybody assumes the availability of TCP or similar (and TCP assumes the availability of bidirectional signalling)? As does any other networking protocol which wants stuff to be acknowledged after the receiver has dealt with it?

            There are sensible options. For most purposes, that isn't one of them.

            1. Leeroy

              Re: One way data connections

              UDP maybe to a static ip but not sure ?

              Hell use a blinking led to signal ok and a LDR to read the state. Easy air gap there, you could even stick a bit of fibre optic cable between the two. Not exactly rocket science.
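The sub-thread above turns on how a receiver copes when no acknowledgement can travel back. One way to frame it, as an added example that is not part of any poster's comment: each reading carries a sequence number and CRC and is sent more than once, so the receiving side can reject damage, drop duplicates and record gaps. The frame layout, the `copies` parameter, the readings and the simulated link are all assumptions made for illustration; a real link would be one-way serial or UDP.

```python
import struct
import zlib

HEADER = struct.Struct("!IH")  # sequence number, payload length (assumed layout)

def encode(seq, payload):
    """Frame = header + payload + CRC32 over both."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))

def decode(datagram):
    """Return (seq, payload), or None if the frame is short or damaged."""
    if len(datagram) < HEADER.size + 4:
        return None
    body = datagram[:-4]
    (crc,) = struct.unpack("!I", datagram[-4:])
    if zlib.crc32(body) != crc:
        return None
    seq, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    return (seq, payload) if len(payload) == length else None

def send_all(readings, copies=2):
    """Sender: repeat every frame, because nothing can ask for a resend."""
    out = []
    for seq, reading in enumerate(readings):
        out.extend([encode(seq, reading)] * copies)
    return out

class Receiver:
    """Receiver: never transmits; it only verifies, de-duplicates and logs gaps."""
    def __init__(self):
        self.next_seq = 0
        self.delivered = []   # (seq, payload) accepted in order
        self.missing = []     # sequence numbers that never arrived intact
        self.rejected = 0     # frames that failed the length/CRC checks

    def feed(self, datagram):
        parsed = decode(datagram)
        if parsed is None:
            self.rejected += 1
            return
        seq, payload = parsed
        if seq < self.next_seq:
            return            # repeat copy (a point-to-point link does not reorder)
        self.missing.extend(range(self.next_seq, seq))
        self.delivered.append((seq, payload))
        self.next_seq = seq + 1

def simulate_link(datagrams, drop, corrupt):
    """Constructed channel: lose some frames, flip one bit in others."""
    for i, d in enumerate(datagrams):
        if i in drop:
            continue
        if i in corrupt:
            d = bytearray(d)
            d[HEADER.size] ^= 0x01
            d = bytes(d)
        yield d

def run_demo():
    # Constructed sample readings, not data from any real plant.
    readings = [b"temp=291.4", b"temp=291.6", b"temp=291.9",
                b"ALARM coolant_flow_low", b"temp=292.3"]
    rx = Receiver()
    # One copy of seq 1 lost, both copies of seq 2 lost, one copy of seq 3 damaged.
    for d in simulate_link(send_all(readings), drop={2, 4, 5}, corrupt={6}):
        rx.feed(d)
    return rx

if __name__ == "__main__":
    rx = run_demo()
    print("delivered:", [s for s, _ in rx.delivered])
    print("missing:", rx.missing, "rejected:", rx.rejected)
```

The receiver cannot recover sequence 2, but it knows that it is missing, which is the property an alarm feed over a one-way link needs.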

    2. Roland6 Silver badge

      Re: "lack of executive-level awareness"

      This is just an attention grabbing headline, that simply reflects the need to get executive-level personnel to ask questions and to be prepared to spend some money...

      I would have more concerns if the IT Security experts, employed to address IT security issues were unaware of the security issues such as unauthorised VPNs and/or hadn't implemented security systems to detect and prevent such access.

    3. zen1

      That's by design. Two words: Plausible deniability. Don't get me wrong, I certainly hope executive management would take a bit more interest on the inner operations of their facilities, but maybe I'm just being too optimistic?

  7. Anonymous Coward

    Of course, it would help if certain foreign actors...

    ...refrained from generating malicious code that specifically targeted nuclear power plants.

  8. I Am Spartacus
    Mushroom

    Experience at the sharp end

    Some time ago, got to be at about 20 years, I was involved in putting in an Energy Management System for the late lamented BNFL. Due to some incompetence of the prime contractor for Sizewell B that was being constructed at the time, we almost scrammed the reactor.

    Said top-notch boffin saw that we had established connectivity to the mock-up test rig at Sizewell. We were behind schedule (way behind schedule) and left the test rig our end running through a whole suite of automated tests overnight. This being the Nuclear industry, they could afford the very best VAX kit in a clustered environment, with wonderful custom made teak and mahogany desks, but not a lock for the computer room.

    Well, the American white coated top boffin thought that, as we had a connected pc, he could rip it apart and clone all the other PC's from the hard disk. Which he duly did. And then powered all 8 of them on. All with the same network address.

    The protocol was designed to check and double check that the reactor unit was going to do what you told it. So there was multiple challenge/responses, designed to ensure that there were no mistakes.

    Boffin issued his first command. "Show Status". Reactor mockup says "I think you asked me to show status". PC 1 says "YES". PCs 2-8 all respond "What? no.". Reactor "Are you sure, you asked me to show status". PC 1 says "Yes, get on with it". PCs 2-8 all respond, "Sorry Squire, not us. You are under attack". Reactor: "Ok, I am under attack SCRAMM"

    And that was when I got paged as to why my company's software had tried to shut down East Anglia.

    1. djack

      Re: Experience at the sharp end

      They may have been left in place - when I was there, the reactor at SXB seemed to trip every week or so.

    2. waldo kitty

      Re: Experience at the sharp end

      i gave you an up vote for the story but can't help but to see a flaw in the network if it allowed all those cloned machines on with the same address... there should have been some nasty collisions going on preventing all but one from accessing properly... like one sees today with ip addresses when they get hijacked by another system ;)

      1. djack

        Re: Experience at the sharp end

        There is relatively little at the network level to prevent multiple machines having the same IP address. Indeed, it is often advantageous when it comes to clustering.

        On Ethernet, it is possible for machines to independently have the same IP address. Each ARP request will result in multiple replies reaching the requesting host. Which machine the requestor believes has the IP address depends on the order in which the ARP responses are received.

        The warnings you refer to are likely to be the host operating system doing a sanity check before trying to use an IP address.

        Whilst there is some protection available on modern enterprise grade switches, this is often not enabled.
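The behaviour described in the comment above (several hosts answering ARP for one address) is easy to monitor for. As an added example, not part of the original post: the code below parses raw Ethernet ARP reply frames and reports every IPv4 address claimed by more than one MAC, in arrival order. The addresses and frames are constructed sample input, and all function names are hypothetical.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _ip(text):
    return bytes(int(octet) for octet in text.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet + ARP reply frame (used only to make sample input)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return (eth + arp + _mac(sender_mac) + _ip(sender_ip)
            + _mac(target_mac) + _ip(target_ip))

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an IPv4/Ethernet ARP reply, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    fields = struct.unpack("!HHBBH", frame[14:22])
    if fields != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_ip, sender_mac

def find_duplicate_ips(frames):
    """Map each IP claimed by more than one MAC to those MACs, in arrival order."""
    claims = defaultdict(list)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue                          # not an ARP reply, or truncated
        ip, mac = parsed
        if mac not in claims[ip]:
            claims[ip].append(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

# Constructed capture: two cloned hosts both answer for 10.0.0.50,
# one ordinary host answers for 10.0.0.60, and one frame is truncated.
REQUESTER = ("02:00:00:00:00:01", "10.0.0.1")
SAMPLE_FRAMES = [
    build_arp_reply("02:00:00:00:00:a1", "10.0.0.50", *REQUESTER),
    build_arp_reply("02:00:00:00:00:b1", "10.0.0.60", *REQUESTER),
    build_arp_reply("02:00:00:00:00:a2", "10.0.0.50", *REQUESTER),
    build_arp_reply("02:00:00:00:00:a1", "10.0.0.50", *REQUESTER)[:30],
]

if __name__ == "__main__":
    for ip, macs in find_duplicate_ips(SAMPLE_FRAMES).items():
        print(f"{ip} claimed by {len(macs)} hosts: {', '.join(macs)}")
```

Because the MACs are kept in arrival order, the output also shows which reply reached the requester first, the ordering the comment says decides which machine it ends up talking to.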

  9. Alister

    my company's software had tried to shut down East Anglia.

    Would anyone have noticed?

    NFN

    1. I. Aproveofitspendingonspecificprojects

      Yes

      > > my company's software had tried to shut down East Anglia.

      > Would anyone have noticed?

      I think it may have had some effect on the flea-brains at a local University. Are you sure the odd bod wasn't an environmentalist or a subversive Thatcherite?

  10. Anonymous Coward

    Ah....I can see clearly now...

    ....I can use NEST to turn the local nuclear reactor up and down!

    Another huge step for humanity.....and the IOT!!!!!!

  11. Commswonk

    I'm puzzled as well

    I was also a bit mystified by the statement "the commercial benefits of internet connectivity mean[s] that nuclear facilities" are increasingly networked." but James Micallef beat me to it. (in Re: Why are industrial control systems designed by babes in the woods?) So I'll ask the point directly; what are the commercial benefits?

    Could an (the?) underlying problem be that when the internet connectivity was being designed and implemented the possibility of malicious action being taken was not properly understood? I don't want to trigger an argument about public versus private ownership but there has to be a real possibility that simple commercial pressures meant that the connectivity was to the minimum practicable standard (i.e. the cheapest) rather than one that was properly fit for purpose; public ownership might have been less concerned about cost considerations, assuming of course that the risks were understood.

    At the same time I am more than a little horrified by I am Spartacus's point ("Experience at the sharp end") that someone could so easily tamper with a mission critical system. Had the person concerned no idea about the possible consequences of his actions? Use of the word "boffin" might support that thought. At the same time the system clearly had no mechanisms in place to stop unauthorised access to them.

    Hanlon's Razor tells us Never attribute to malice that which is adequately explained by stupidity and I suspect that the interfering boffin was a textbook example of that, but it should have served as a warning; we are not told if further security measures were put in place as a result of this meddling.

    At the same time Einstein stated Only two things are infinite, the universe and human stupidity, and I'm not sure about the former and this tenet should be enough to ensure that system design tries to take account of not only the fool but the bloody fool as well.

    I am tempted to suggest that all this boils down to regulatory failures; if Regulators took a properly tough stance then the risks of system compromise via internet connectivity could and would be greatly reduced, but of course that would require the Regulators to (a) themselves be properly aware of the risks of cyber insecurity, (b) have the appropriate powers available to them to do something about it, and (c) actually know what the nuclear companies are up to in terms of connectivity.

    Still leaves the question of "why" though.

    1. Alister

      Re: I'm puzzled as well

      I don't want to trigger an argument about public versus private ownership but there has to be a real possibility that simple commercial pressures meant that the connectivity was to the minimum practicable standard (i.e. the cheapest) rather than one that was properly fit for purpose; public ownership might have been less concerned about cost considerations, assuming of course that the risks were understood.

      I think you are missing the point made earlier by James Metcalf, and one that has been increasingly forgotten: When the control systems were built, the idea that anyone would be daft enough to connect them to a network where members of the public could access them was unthinkable - in part because such a network didn't exist, and was (at the time) the merest science-fiction.

      So it's not a question of being built down to a price, it's simply a (wholly understandable) failure of imagination.

      In exactly the same way, the protocols used for the internet such as TCP/IP, DNS, SMTP were never built with security in mind, simply because nobody considered the possibility that these things could be used maliciously.

      1. Commswonk

        Re: I'm puzzled as well

        Um; I don't think I am missing the earlier point. I would certainly agree that:

        When the control systems were built, the idea that anyone would be daft enough to connect them to a network where members of the public could access them was unthinkable - in part because such a network didn't exist, and was (at the time) the merest science-fiction.

        So it's not a question of being built down to a price, it's simply a (wholly understandable) failure of imagination.

        My point was not that the failure was when the control systems were originally designed; if something was then "unthinkable" then no-one can sensibly be blamed for not thinking it. The failure was later, when someone decided the connection to a public network was a good idea. They were entering the realm of Donald Rumsfeld's "unknown unknowns" and should have thought long and hard about some of the possible implications; it was at that stage that any penny-pinching occurred.

        Typical, in a way; "there are benefits to having external connectivity on a public network" without any corresponding "what risks might arise?"

        1. Alister

          Re: I'm puzzled as well

          My point was not that the failure was when the control systems were originally designed; if something was then "unthinkable" then no-one can sensibly be blamed for not thinking it. The failure was later, when someone decided the connection to a public network was a good idea. They were entering the realm of Donald Rumsfeld's "unknown unknowns" and should have thought long and hard about some of the possible implications; it was at that stage that any penny-pinching occurred.

          Ah, right, sorry, I misunderstood your point.

          I agree completely, that whoever thought connecting such infrastructure to the internet without very strict safeguards was a fool, or just incompetent, or, as you say, working to an unrealistic budget.

          Sadly, it's normally a decree from on high, from someone with no understanding of the ramifications, which causes these things to happen.
