
Cyber Security software for Nuclear Power Plants ...

This topic is archived.
CRH Donating Member (671 posts) Tue Mar-08-11 08:38 PM
Original message
Cyber Security software for Nuclear Power Plants ...
Edited on Tue Mar-08-11 08:43 PM by CRH
http://www.cnbc.com/id/41968109

DevonWay and Scientech Announce Cyber Security Alliance Partnership ...

~~ excerpt ~~

BETHESDA, Md., Mar 08, 2011 (BUSINESS WIRE) -- U.S. Nuclear Regulatory Commission's 23rd Annual Regulatory Information Conference -- DevonWay, Inc. and Scientech, a business unit of Curtiss-Wright Flow Control Company, have formed an Alliance Partnership to deliver Cyber Security management for nuclear power plants. Under the terms of the partnership, DevonWay supplies its pre-configured CyberWay(TM) software preloaded with all controls specified in NEI 08-09 rev.6 guidelines, and Scientech bundles its nuclear engineering expertise to assist in mapping controls to assets during assessment walk-downs of digital assets at each plant. As part of 10 CFR 73.54, the Cyber Security Rule, the U.S. Nuclear Regulatory Commission has mandated that each nuclear generating plant identify and monitor the security of each critical digital asset.

~~ end excerpt ~~

Can cyber security be guaranteed?

Several things make me nervous about this. One is the recent past performance by the nuclear industry.

- The 2005 NRC endorsed guidelines. The NRC's follow up in May 2008 determined all 104 operating nuclear plants had implemented the guidelines.

However, in 2008 you still had situations like the TVA fiasco illustrating the industry alone was not up to the task of securing their systems. It took government regulatory agencies to point out gross mismanagement of security, and later to amend guidelines and require closed computer controller systems free of entry from the internet.

~~ The GAO report to congress on the TVA Tennessee Valley Authority -- TVA Needs to Address Weaknesses in Control Systems and Networks ~~

http://www.gao.gov/new.items/d08526.pdf

~~ excerpt ~~

What the GAO found --

TVA has not fully implemented appropriate security practices to secure the control systems and networks used to operate its critical infrastructures. Both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption. The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks. On TVA’s corporate network, certain individual workstations lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations. In addition, the intrusion detection system had significant limitations. On control systems networks, firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were inconsistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems. As a result, systems that operate TVA’s critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats.

~~ end excerpt ~~

Second, even with the NEI 2008-2009 revision 6 guidelines requiring closed system controller operations of nuclear energy plants, can it be guaranteed with first time software trials, to withstand a cyber attack by nation states? Are the enhanced guidelines in the 2009 NEI revisions adequate to prevent a Stuxnet type invasion by the best cyber war strategies foreign intelligence services can devise? Israel and the US are not the only intelligence services capable of a Stuxnet type worm that penetrated the Iranian closed loop computer controller systems.

~~ Links ~~

NEI enhanced 2009 requirements for Nuclear Power Plant Security
http://www.nei.org/resourcesandstats/documentlibrary/safetyandsecurity/factsheet/powerplantsecurity/?page=1

Stuxnet worm (primer)
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1

Stuxnet worm - wikipedia
http://en.wikipedia.org/wiki/Stuxnet

How secure should we feel with past recent history? I'm interested in other opinions.

Edit: for typo
Throckmorton Donating Member (1000+ posts) Wed Mar-09-11 02:38 PM
Response to Original message
1. Well,
My plant has no microprocessor or computer based safety systems, at either unit. All of our microprocessor based equipment is non-safety grade, and much of that is stand-alone and not networked.

I cannot speak for the other 102 plants, but many of my industry peers tell me the same thing.
CRH Donating Member (671 posts) Wed Mar-09-11 07:38 PM
Response to Reply #1
2. So all of your safety systems, ...
are activated through human decision and physical action?

Can I ask how long has your plant been operating?

Computers do not control the daily operating function of the reactor?

Throckmorton Donating Member (1000+ posts) Thu Mar-10-11 04:37 PM
Response to Reply #2
3. No, they do not
Edited on Thu Mar-10-11 04:39 PM by Throckmorton
No, we have both discrete digital based systems for logic (hardware AND gates, OR gates, ...) and we actually have analog computers for calculating Reactor Departure from Nucleate Boiling Ratio and Local Power Density, amongst other things.

One came on line in 1975 and the other in 1986.

No, digital computers do not control the reactor, or the main feedwater systems at either plant.

TheWraith Donating Member (1000+ posts) Thu Mar-10-11 08:25 PM
Response to Original message
4. Allow me to suggest a truly foolproof cyber security system for nuclear power plants.
Pruning shears. For use in cutting off the wire that connects their computers to the internet.

I cannot imagine any scenario wherein the core control systems of a nuclear plant should be connected to the internet, or that they would need to be. Civilian workstations, okay. Control systems, no. If you absolutely must provide data from the plants to computers with access to the internet, and cannot possibly do it over a private network, then make it a one-way data link.
CRH Donating Member (671 posts) Fri Mar-11-11 03:00 PM
Response to Reply #4
5. It is a good starting point, ...
But also disabling USB drives. That is how the Stuxnet worm entered the Iranian closed system that was not connected to the internet. Technicians that worked at the facility were targeted on their home systems. When they plugged in their USBs the dormant worm entered. When they went to work and popped into the system the worm then slowly was able to travel through the network lying dormant until the preprogrammed situations existed, then centrifuges spun themselves to destruction while control panels were captured and corrupted to display the appearance of normal operating data.

So policy needs to be enforceable, that no outside storage devices can be used on any plant computer, in the office or in the plant. The human factor is a weak link. Imagine finding a USB in the washroom, wondering who it belongs to, plugging it into your workstation, and while it initializes it sets the worm. So definitely civilian workstations need to be isolated from control systems.
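Editor's added example, not part of the thread: one way to make the "no outside storage devices" policy from reply #5 checkable is to flag every USB mass-storage attach in workstation kernel logs that is not on an approved-media list. It assumes Linux workstations that forward syslog; the host names, log lines and allowlist entry below are constructed.

```python
import re

# Constructed syslog-style kernel lines (not taken from any real plant system).
SAMPLE_LOG = """\
Mar 11 09:02:11 eng-ws01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar 11 09:02:11 eng-ws01 kernel: usb 1-2: SerialNumber: 4C530001
Mar 11 09:02:11 eng-ws01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 11 09:05:40 eng-ws01 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 64.00
Mar 11 10:17:03 hmi-02 kernel: usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar 11 10:17:03 hmi-02 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Mar 11 11:30:00 eng-ws01 kernel: usb 1-4: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar 11 11:30:00 eng-ws01 kernel: usb 1-4: SerialNumber: SEC-MEDIA-0007
Mar 11 11:30:00 eng-ws01 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# Hypothetical approved media, keyed by (vendor id, product id, serial number).
ALLOWLIST = {("0951", "1666", "SEC-MEDIA-0007")}

PREFIX = r"^(\S+ +\d+ [\d:]+) (\S+) kernel: "
NEW = re.compile(PREFIX + r"usb ([\d.-]+): New USB device found, "
                          r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(PREFIX + r"usb ([\d.-]+): SerialNumber: (\S+)")
STORAGE = re.compile(PREFIX + r"usb-storage ([\d.-]+):[\d.]+: "
                              r"USB Mass Storage device detected")


def find_violations(log_text, allowlist):
    """Return (time, host, port, vid, pid, serial) for unapproved storage attaches."""
    seen = {}    # (host, port) -> identity of the device last enumerated there
    alerts = []
    for line in log_text.splitlines():
        if m := NEW.match(line):
            _, host, port, vid, pid = m.groups()
            seen[(host, port)] = {"vid": vid, "pid": pid, "serial": None}
        elif m := SERIAL.match(line):
            _, host, port, serial = m.groups()
            if (host, port) in seen:
                seen[(host, port)]["serial"] = serial
        elif m := STORAGE.match(line):
            ts, host, port = m.groups()
            dev = seen.get((host, port), {"vid": None, "pid": None, "serial": None})
            key = (dev["vid"], dev["pid"], dev["serial"])
            # Fail closed: a device with no serial can never match the allowlist.
            if dev["serial"] is None or key not in allowlist:
                alerts.append((ts, host, port) + key)
    return alerts


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG, ALLOWLIST):
        print("UNAPPROVED STORAGE:", alert)
```

The keyboard on port 1-3 raises no alert because it never binds the mass-storage driver, and the serial-less device on hmi-02 is flagged even though no allowlist lookup is possible for it.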
 