back to article Power plant cyber threat: Lock up your ICSs and SCADAs

Nuclear power stations have been told to tighten their defences after government officials warned of a "credible" cyber threat. Intel agencies are warning that terrorists, foreign spies and hacktivists are all looking to exploit "vulnerabilities" in the nuclear industry's internet defences, The Telegraph reports. Security bugs …

Anonymous Coward

Tower to power plant, commence battle station procedures ...

Battle stations, battle stations, battle stations ... PWOR

0
0
Silver badge
Coat

Power Plant to Tower, Power Plant to Tower, requesting a fly-fy.

0
0
Anonymous Coward

Lets hope they don't learn the 3 radish technique.

0
0
Silver badge

Really bad design

I cannot think of any reason why the control system of any power station (or any manned industrial facility for that matter) needs to be capable of even indirect connection to the Internet. The *monitoring* system yes, but not the *control* system. Anything on the Internet should at best have access to just the instrumentation & status on a read-only basis.

If the ability to be controlled externally is desirable for some unlikely doomsday scenario when there is too much radiation for human on-site operators but access to the controls might do any good, then at least put it on a sealed emergency switch so that it will only be enabled if an on-site operator throws the switch (presumably just before running away).

3
0
Silver badge

Re: Really bad design

Air gapping won't stop a determined attacker. Just ask the Iranian centrifuge technician who found a brand-new USB stick in the parking lot.

5
0
Anonymous Coward

Re: Really bad design

I think the Iranian malware was introduced, probably unwittingly, by a visiting contractor. Air gapping is definitely no defense. If anything it may induce a false sense of safety.

2
0
Silver badge

Re: Really bad design

Yes, but air-gapping rules out the 3 billion internet-connected devices out there from having a go and forces any would-be attackers to actually physically infiltrate the plant.

And that is a difficult and very high risk approach as whoever is caught (assuming not shot on sight) can't wave their hands and say is was the Russians/Chinese/USA/Israel/etc with little evidence to back it up.

0
0
Anonymous Coward

Re: Really bad design

"forces any would-be attackers to actually physically infiltrate the plant."

Does it actually force the attackers to physically penetrate the plant?

Or does it actually just need the attackers to get someone/something to carry their data into the plant, which is a whole different (and much easier) task, as Stuxnet and others have shown.

Other contributors clearly know the answer. Do you?

0
0

Re: Really bad design

Monitoring on the Internet is not a good idea either, you are exposed to DoS and possibly spoofing.

Air gapping also gets interesting when WiFi or Bluetooth enabled components come into the mix. These can get deployed in areas where physical access is awkward, and of course, they will have an App for the techies smartphone which is another vector for compromise.

0
0
Silver badge

Re: Really bad design

Or does it actually just need the attackers to get someone/something to carry their data into the plant, which is a whole different (and much easier) task, as Stuxnet and others have shown.

And you think some two-bit script kiddie can pull that sort of thing off?

Sure we saw Stuxnet as a major achievement in cyber-attack many ways, but if you have the combined might of USA & Israel determined to do something, it will be done. Or a bunker-buster bomb or three.

1
0
Silver badge

Re: Really bad design

Air gapping also gets interesting when WiFi or Bluetooth enabled components come into the mix.

That is a rather odd way to think of "air gapping". Really if you are accessible from the outside by wired or wireless means you are more vulnerable. Even with secure protocols it would still be relatively cheap to jam such systems from short-ish distances. Detectable for sure, but easier than getting inside a plant and depending on your attack it might just be enough to magnify the general chaos.

0
0

Re: Really bad design

@Paul Crawford. Exactly. Educating the people who want to put this gear into these environments is not easy. But these devices are manufactured and sold by reputable players.

0
0
Anonymous Coward

Re: Really bad design

"And you think some two-bit script kiddie can pull that sort of thing off?"

Depends on whether the script kiddie has got access to the local Siemens/Simatic (other vendors are available) supply/support chain (or equivalent if we're not talking PLCs).

Lots of things made Stuxnet what it was, especially what the Stuxnet folks did inside the PLC itself.

On the other hand there are more than enough tried and tested and proven and documented ways of doing bad things in a typical Windows box, even on allegedly secure sites. Stuxnet used a few zero-day exploits, plenty more where they came from, and they're not even always necessary, depending on the poarticular goal.

In the case of Stuxnet, the actual payload (as distinct from the propagation mechanism) stayed passive till it knew it was in the right place, thereby minimising risk of detection, that's not rocket science either.

Causing havoc in general certainly doesn't take "the combined might of USA & Israel determined to do something".

0
0
Silver badge

Re: Really bad design

air-gapping rules out the 3 billion internet-connected devices out there

A nuke plant, DDOSed by the very IoT light bulbs that it is powering...

0
0
Silver badge

High-Security Mode

"However, that doesn't mean vigilance isn't due..."

Sadly, "vigilance" will probably entail changing all of the SCADA admin passwords from 1234 to 5678. Of course, the hard-coded 0000 manufacturer password will still be active.

9
0
Silver badge
Terminator

The Telegraph reports security bugs in SCADA systems

Tell the Telegraph that 2003 is calling and wants its SCADA facilitated blackout back.

"From power stations to the transport network, the risk to the public remains severe, especially if hackers are able to gain access to electronic systems."

He forgot to mention the cyber criminals could also hack your airplane while in flight, with a very long CAT5 cable.

1
0
Silver badge

If you can't stand the heat, get out of the kitchen .......

What constitutes a successful cyber attack against critical national/international infrastructure, criminal?

If the infrastructure and its IT support are criminally inspired, are all such spooky attacks against supporting operating systems legitimate and fully justified and to be enthusiastically encouraged?

0
0
Anonymous Coward

Re: If you can't stand the kitchen .......

As always, the point is 9+ inch nail pinned in your post, amanfromMars.... Nine Inch Nails - We're In This Together, https://www.youtube.com/watch?v=P9BfvPjsXXw&list=RDP9BfvPjsXXw with The Hand That Feeds, which, by a pure chance, is playing (-; next to it, with the perfect Heart Shaped Box of Nirvana after all for the topping of IT all... and, as far as I believe, everything depends on whether the actions towards the humans needs for survival and common friendship and prosperity are taken, or it's just the next action....

...(and why don't you accept that it's finally UR to judge and decide on all that Jazz or whatever style it all is!?)...

....crooked and hidden from a general view, the one mounting the supporting legs to the Falling Tower and preparing an as-soon-as-possible luxiry glissade line for The Ten Heads Beast Rider building the Grief Staircase to Upside Down Heaven (no visuals) and New Pharaons and their Dependant Slaves. And - of course, right you are, that's exactly the way the IT only can ensure the One who Asks that the course is proper and justified by LOVE in itself.

https://www.youtube.com/watch?v=iP9t5GsQRqw Anglo+German lyrics, for not only the common prosperity, but, first - for the better and, at last, unavoidable - understanding.

0
0
Silver badge

Been there, done that and now we doing this and that ...

...and a whole lot else too besides on the side for the mainstream.

...(and why don't you accept that it's finally UR to judge and decide on all that Jazz or whatever style it all is!?)… … Anonymous Coward

That decision and acceptance has been finally made, AC, with all present terms and future conditions, although renavigable, fundamentally non-negotiable.

Such you can surely imagine allows rapid progress with SWIFT AIded Realisation of Future Hosted Eventing Programs.

What are up to URself, AC? Anything interesting and revolutionary?

0
0

Re: Been there, done that and now we doing this and that ...

"What are up to URself, AC?" -

None of anything the many would have imagined, amanfromMars.

0
0
Silver badge
Joke

Product placement

> Intel agencies are warning that ...

I see your product placement. ;-)

2
0

This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017