Annual mmit
The cyber security attack on Friday has highlighted the vulnerability of UK national infrastructure to malicious cyber threats.
So far it is the impact on the NHS that has hit the headlines. But it could be far worse: what if it were our nuclear power plants that were disrupted?
Next week - from 22 to 24 May - the Vienna-based World Institute for Nuclear Security (WINS), headed by the former head of security at Sellafield, Dr Roger Howsley, is participating in the 2nd Annual Industrial Control Cyber Security Nuclear Summit, in Warrington, organised by Cyber Senate, with an important presentation entitled “Transformation, Preparedness and Developing Cyber Security Assurance”. (https://www.wins.org/index.php?article_id=263&id=258&bid=8)
It is instructive to listen to the words of Russian cyber security expert Eugene Kaspersky, founder and CEO of the Moscow-based Kaspersky Labs, who warns governments engaged in cyber warfare that "everything you do - it's a boomerang: it will get back to you."
(http://www.independent.co.uk/life-style/gadgets-and-tech/news/russian-nuclear-power-plant-infected-by-stuxnet-malware-says-cybersecurity-expert-8935529.html)
Four years ago he warned that the Stuxnet malware programme - widely believed to have been created by the US and Israel - had infected a Russian nuclear power plant. Speaking at the Canberra Press Club 2013 in Australia’s capital city (http://youtu.be/6tlUvb26DzI), Kaspersky recounted a story from “the Stuxnet time” when a friend of his working in an unnamed nuclear power plant reported that the plant’s computers were “badly infected by Stuxnet”.
Kaspersky criticized government departments responsible for engineering cyber-attacks. The Stuxnet virus was first discovered in June 2010 and was found to specifically target industrial control systems manufactured by Siemens.
The initial target of the virus is widely thought to have been the centrifuges used in Iran’s uranium enrichment programme. Although the goal of the virus was extremely specific, its method of proliferation was indiscriminate and the code has since been found on computers across the world.
According to a report from the New York Times in 2012, the US administration under Obama chose to continue cyber-attacks against Iran even after the existence of Stuxnet became public. Discussing the use of cyber-warfare by nation states, Kaspersky said: “They don’t understand that it’s possible to shut down power plants, power grids, the space station. They don’t know what to do.”
Kaspersky also claimed that even the International Space Station (ISS) is not immune to viruses, although he did not indicate that it was Stuxnet that had made its way on board.
“The space guys from time-to-time are coming with USBs, which are infected,” said Kaspersky. “I'm not kidding. I was talking to Russian space guys and they said, 'yeah, from time-to-time there are viruses on the space station.’”
Although this may sound alarming, it’s not unprecedented. In 2008 NASA admitted that a virus designed to steal passwords had found its way on to the Windows laptops being used on the ISS.
"This is not the first time we have had a worm or a virus," said NASA spokesman Kelly Humphries at the time. "It’s not a frequent occurrence, but this isn’t the first time." The virus in question only affected computers used by astronauts for non-essential business such as email and science experiments, and is widely thought to have been brought on board – as Kaspersky suggests – with an infected USB stick. (http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=2&_r=2&seid=auto&smid=tw-nytimespolitics&pagewanted=all&)
Here is what the US nuclear industry lobby group, the Nuclear Energy Institute, says about nuclear cyber-security:
“Computer systems that help operate nuclear reactors and their safety equipment are isolated from the Internet to protect against outside intrusion. However, the nuclear industry takes measures to ensure that its nuclear plants are protected from cyber attacks.
Although the September 11 terrorist attacks had no cyber component, the nuclear energy industry took the initiative following those events to implement a cyber security program. The industry formed a task force, which developed comprehensive guidelines for protecting against cyber vulnerabilities. The NRC endorsed the industry guidelines in 2005. By May 2008, all operating nuclear plants had implemented the guidelines voluntarily.” (http://www.nei.org/Issues-Policy/Safety-Security/Plant-Security)
The security rule (http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/) issued in 2009 by the US nuclear safety regulator, the Nuclear Regulatory Commission (NRC), required enhancements to cyber security (http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html) at nuclear power plants.
“All companies that operate nuclear plants or seek to license new plants have developed and submitted plans for cyber security, including requirements pertaining to individuals who have electronic means to interfere with plant safety, security or emergency preparedness functions or critical equipment that supports those functions”
(Cyber Security in Digital Instrumentation and Controls – an NRC briefing, http://www.nrc.gov/about-nrc/regulatory/research/digital/key-issues/cyber-security.html)
Key Points according to NRC are:
* The U.S. Nuclear Regulatory Commission (NRC) has extensive regulations for cyber security protection at nuclear energy facilities. Regulatory oversight by other agencies is unnecessary and would duplicate the already-strict NRC oversight.
* The nuclear energy industry implemented a cyber security program in 2002 to protect critical digital assets and the information they contain from sabotage or malicious use. The industry has been strengthening its response in the years since.
* The NRC in 2009 established regulations for cyber security at commercial reactors, even though critical computer systems used to control nuclear energy facilities are not connected to the Internet.
* The industry has worked with federal regulators—including the NRC, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC)—to ensure that digital assets are fully protected. FERC initially proposed rules to cover portions of a nuclear energy facility, but reversed its stance when it found that the NRC’s cyber security rulemaking covers the entire facility.
NRC stresses that “Nuclear facilities use digital and analog systems to monitor and operate equipment, and to obtain and store vital information. Analog systems do their job by following “hard-wired” instructions, while digital computer-based systems follow instructions (software) stored in memory. In addition, many plant computer systems are now linked to digital networks that extend across the plant, performing safety, security and emergency preparedness functions. Protecting these critical digital assets and the information they contain from sabotage or malicious use is called cyber security. All power reactor facilities licensed by the NRC must have a cyber security program.”
Cyber Security Requirements After 9/11
The NRC explains:
“Shortly after the terrorist attacks of Sept. 11, 2001, the NRC ordered its nuclear power plant licensees to enhance their overall security. The order included specific requirements for addressing certain cyber security threats and vulnerabilities. The order contains sensitive information and is not available to the public.
In October 2004, the NRC again addressed cyber security concerns by publishing a self-assessment tool for use by nuclear power plants. In 2005, the NRC also endorsed a programme developed by the Nuclear Energy Institute to help nuclear power reactor licensees establish and maintain cyber security programs at their facilities. Additional cyber security guidance was published in January 2006 and March 2007. It included specifics for designing, developing and implementing protective measures for digital instrumentation and controls used in nuclear safety-related applications.
In March 2009, the NRC issued a new cyber security rule. This new section of the NRC Code of Federal Regulations, “Protection of Digital Computer and Communications Systems and Networks” (10 CFR 73.54), affected existing nuclear power reactor licensees and those corporations applying for new reactor licenses. The new regulation requires licensees to submit a new cyber security plan and an implementation timeline for NRC approval. The plan must show how the facility identified (or would identify) critical digital assets and describe its protective strategy, among other requirements.
In January 2010, the NRC published a Regulatory Guide that provides comprehensive guidance to licensees and applicants for licenses on an acceptable way to meet the requirements of 10 CFR 73.54. The guidance includes recommended best practices from such organizations as the International Society of Automation, the Institute of Electrical and Electronics Engineers, and the National Institute of Standards and Technology, as well as guidance from the Department of Homeland Security. This guide is publicly available.”
The NRC has taken measures to maintain effective cyber protection measures, including maintaining equipment listed in the plant configuration management program and ensuring changes to the equipment are performed in a controlled manner. A cyber security impact analysis is performed before making changes to relevant equipment. The effectiveness of cyber security controls is periodically assessed, and enhancements are made where necessary. Vulnerability assessments are performed to ensure that the cyber security posture of the equipment is maintained.
Two years ago the United Nations nuclear watchdog body, the International Atomic Energy Agency (IAEA), held an international conference on Computer Security in a Nuclear World, at its Vienna headquarters (http://www-pub.iaea.org/iaeameetings/46530/International-Conference-on-Computer-Security-in-a-Nuclear-World-Expert-Discussion-and-Exchange).
The IAEA has urged a global response to cyber attacks on nuclear facilities as concerns rise over the irreversible consequences of such incidents. “Reports of actual or attempted cyber-attacks are now virtually a daily occurrence,” said IAEA Director General Yukiya Amano on Monday at the first International Conference on Computer Security in a Nuclear World. The IAEA chief added that “the nuclear industry has not been immune. Last year alone, there were cases of random malware-based attacks at nuclear power plants, and of such facilities being specifically targeted.”
In an interview with Iranian Press TV, Director of the IAEA Division of Nuclear Security, Khammar Mrabi, said the conference aims to establish a “sustainable nuclear security” for all member states.
“We are here to help all our member states in an inclusive manner to establish an effective and sustainable nuclear security, including computer security,” he said.
The director of the Telecommunication Development Bureau of the International Telecommunication Union (ITU) also told Press TV that the main objective of the participants in the event is to precipitate a culture transformation with regard to the mounting threat of cybercrime and cyber-terrorism.
The most important aim of the conference was to change the dominant culture from cyber insecurity to "cyber peace," said Brahima Sanou. (“IAEA urges action on cyber threats to nuclear facilities,” IAEA news service, June 2, 2015)
The recently published WINS report, “Security of IT and IC at Nuclear Facilities,” warns: “If vendors are permitted to have remote access to [nuclear] plants systems for support and maintenance purposes there needs to be an adequate level of endpoint security. This includes access controls for the remote equipment used for support and physical control over use of that equipment.”
It adds importantly: “Such remote connectivity should be temporary, protected via Virtual Private Network (VPN) technologies and established as needed, and terminated when no longer required.” The last point cannot be stressed enough, for if a VPN connection is left open, it would allow the air gap between internal and external computer systems to be circumvented.
The Warrington Cyber summit summarises its aims as follows: “All stakeholders have a new responsibility in ensuring the safety, reliability and stability of our Critical National Infrastructure. Public and Private partnerships are paramount and information sharing on an international level is of priority. The conference consists of presentations and debate from some of the Nuclear energy industry’s leading end users from Operational and IT backgrounds, Government influencers, leading cybersecurity authorities and some of the world’s most influential solution providers. The event will focus on areas of vulnerability, threat detection, mitigation, and planning for the nuclear sector.” (http://industrialcontrolsecuritynuclear.com/)
Britain’s Office for Nuclear Regulation (ONR), responsible for nuclear security and safety, is participating. It is very timely indeed.
Very informative. Cyber security program for demanding positions in public and private sectors overseeing, operating, or protecting critical computer systems, information, infrastructures, and communications networks from cyber crime, cyber fraud, and cyber espionage.
Nice article about Cyber threats, Thanks for sharing helpful information, what is endpoint device definition from Comodo it secure all devices connected on the corporate network.