http://www.cnbc.com/id/41968109
DevonWay and Scientech Announce Cyber Security Alliance Partnership ...
~~ excerpt ~~
BETHESDA, Md., Mar 08, 2011 (BUSINESS WIRE) -- U.S. Nuclear Regulatory Commission's 23rd Annual Regulatory Information Conference -- DevonWay, Inc. and Scientech, a business unit of Curtiss-Wright Flow Control Company, have formed an Alliance Partnership to deliver Cyber Security management for nuclear power plants. Under the terms of the partnership, DevonWay supplies its pre-configured CyberWay(TM) software preloaded with all controls specified in NEI 08-09 rev.6 guidelines, and Scientech bundles its nuclear engineering expertise to assist in mapping controls to assets during assessment walk-downs of digital assets at each plant. As part of 10 CFR 73.54, the Cyber Security Rule, the U.S. Nuclear Regulatory Commission has mandated that each nuclear generating plant identify and monitor the security of each critical digital asset.
~~ end excerpt ~~
Can cyber security be guaranteed?
Several things make me nervous about this. One is the recent past performance by the nuclear industry.
- The 2005 NRC endorsed guidelines. The NRC's follow up in May 2008 determined all 104 operating nuclear plants had implemented the guidelines.
However, in 2008 you still had situations like the TVA fiasco illustrating the industry alone was not up to the task of securing their systems. It took government regulatory agencies to point out gross mismanagement of security, and later to amend guidelines and require closed computer controller systems free of entry from the internet.
~~ The GAO report to Congress on the TVA Tennessee Valley Authority -- TVA Needs to Address Weaknesses in Control Systems and Networks ~~
http://www.gao.gov/new.items/d08526.pdf
~~ excerpt ~~
What the GAO found --
TVA has not fully implemented appropriate security practices to secure the
control systems and networks used to operate its critical infrastructures. Both
its corporate network infrastructure and control systems networks and
devices were vulnerable to disruption. The corporate network was
interconnected with control systems networks GAO reviewed, thereby
increasing the risk that security weaknesses on the corporate network could
affect those control systems networks. On TVA’s corporate network, certain
individual workstations lacked key software patches and had inadequate
security settings, and numerous network infrastructure protocols and devices
had limited or ineffective security configurations. In addition, the intrusion
detection system had significant limitations. On control systems networks,
firewalls reviewed were either inadequately configured or had been bypassed,
passwords were not effectively implemented, logging of certain activity was
limited, configuration management policies for control systems software were
inconsistently implemented, and servers and workstations lacked key patches
and effective virus protection. In addition, physical security at multiple
locations did not sufficiently protect critical control systems. As a result,
systems that operate TVA’s critical infrastructures are at increased risk of
unauthorized modification or disruption by both internal and external threats
~~ end excerpt ~~
Second, even with the NEI 2008-2009 revision 6 guidelines requiring closed system controller operations of nuclear energy plants, can it be guaranteed with first-time software trials, to withstand a cyber attack by nation states? Are the enhanced guidelines in the 2009 NEI revisions adequate to prevent a Stuxnet-type invasion by the best cyber war strategies foreign intelligence services can devise? Israel and the US are not the only intelligence services capable of a Stuxnet-type worm that penetrated the Iranian closed loop computer controller systems.
~~ Links ~~
NEI enhanced 2009 requirements for Nuclear Power Plant Security
http://www.nei.org/resourcesandstats/documentlibrary/safetyandsecurity/factsheet/powerplantsecurity/?page=1
Stuxnet worm (primer)
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1
Stuxnet worm - wikipedia
http://en.wikipedia.org/wiki/Stuxnet
How secure should we feel with past recent history? I'm interested in other opinions.
Edit: for typo