Internet Security Systems - AlertCon(TM)

Going Nuclear - Cyber-threats for Nuclear Power Plants

Posted by Gunter Ollmann on December 15, 2008 at 6:58 PM EST.

Last week I was lucky enough to be invited to an IBM run Nuclear Advisory Council up in Chicago to talk about cyber security. It was a C-level event with many of the largest nuclear power generation, design, and plant construction companies in the world attending – all working together tackling the latest demands and concerns within this rapidly evolving industry.

Even though I unluckily had the last speaking slot of the day – standing between the attendees and a nice seafood dinner – the discussion of cyber-security in the context of nuclear power production had everyone’s riveted attention. Bear in mind that while the folks that make up the advisory council may not be cyber-security experts, they are certainly security aware and are only too cognizant of the threats out there that can affect the safe and secure operation of a nuclear plant.

From my own perspective, it was a great learning experience. The nuclear power generation business is about to undergo phenomenal change as demand for the cleanest sources of power forces an industry that has been largely stagnant for the last 30 years to suddenly become a critical factor in solving the growing power requirements of North America, and meeting global greenhouse gas quotas.

It looks probable that we will soon see the approval to build the first new nuclear power plants in the US in over thirty years, and that we’re probably looking at something like 50 new plants being built over the next couple of decades. Worldwide there are already several new next-generation nuclear power plants under construction – and we’re probably going to see something in the region of 200 brand new plants being built worldwide over the same period of time.

As you’d expect, these new nuclear plants are quite a bit different from those existing 30 year-old monsters. They’re going to be smaller, safer, and more secure. They’ll also be using all the latest computing and processing technologies… which is where all that cyber-security suddenly becomes pretty important.

But, before I dive in to that hornets’ nest, perhaps I’ll give you a taste of the content I presented and discussed with the council...

Pentesting Nuclear Plants

As you’d expect, the X-Force has been involved for a number of years helping to assess and secure the technologies and network protocols used within nuclear power plants, and the professional security services (PSS) teams have conducted numerous penetration tests – so we have amassed quite a bit of expertise in the field.
From our experience, there are quite a few (fundamental) security flaws that regularly appear in these types of security assessment. (btw PCS = Process Control System)

And here’s a high-level breakdown of them:

The Threat Landscape

The majority of the discussion was about the threat landscape and the growing number of attack vectors as nuclear plants become more “networked” and integrated. Today, most of the older nuclear plants are relatively secure due to substantial air-gaps between the control/office infrastructure and the power generating infrastructure – however, that is changing, and will be quite different compared to the future generation of nuclear power plants.

From an attack perspective, there are quite a few vectors, and we discussed the significance of them from a threat impact and protection perspective.

Some of the more interesting discussions (accompanied by the deepest furrows of brows) related to the evolving criminal threat landscape and the new motives behind attack – in particular, the commercialization of hacking services.

That said, one of the (potential?) threats that was entirely new to the panel was the growing use of social networks and collaborative attack suites to target “common causes”. We’ve already seen these classes of attacks in the past – where a particular online community bands together to use their systems as part of a collective attack (such as the attacks earlier this year by Chinese netizens attempting to DDoS CNN because of their coverage of protests around the Olympic torch travels).

We'll likely see more social network sites and other community boards bring together diverse groups of people to “fight” a common cause – whether that be news coverage of torch relays, abortion clinics, or drug testing clinics – and wielding cyber-attack tools to cause some degree of damage (and subsequent media attention). As you’re probably only too aware, nuclear power generation certainly has its own set of detractors, and the prospect of them banding together globally to launch coordinated cyber-attacks is quite a concern.

Another topic that raised some discussion was that of the use of wireless technologies. Nuclear power plants are increasingly relying upon wireless technologies such as RFID, WiFi, WiMAX, Bluetooth, etc. for use within plant sensors and actuators – and will be more reliant upon these technologies in the future. So flaws in these technologies – whether they be vulnerability, eavesdropping or disruption based – are a key concern.

Some of the attendees looked a little shocked when I mentioned that, while most of these technologies are only meant to operate efficiently over a few hundred meters (maximum), active research in this area and the use of high-gain antennas have seen people (reliably?) reaching the multi-mile range.

That looks to be an immediate concern. I suspect they were under the assumption that even a wireless intruder would have to be within the nuclear power station compound (which is typically surrounded by big walls and guys carrying big guns – and can access even bigger guns if they need them) – rather than someone camped out on an overlooking hill 10 miles away.

Nuclear Pain

Although we talked about the cyber-threat angle for quite some time, it’s important to realize that the entire Nuclear Energy and Utilities industry is facing multiple constraints and pain points. For example, some of the topics that appeared throughout the day were:

  • Aging workforce and assets,
  • Environmental constraints,
  • Stringent Regulatory and Policy compliance constraints,
  • Security and safety,
  • Financial markets expectations,
  • Escalating fuel costs,
  • And customer expectations.

So, while security is a huge factor – perhaps the most pressing for the nuclear industry is that of their aging workforce. Given that the last nuclear power plants were built around 30 years ago, many of the experts in this area are coming up for retirement. It was even stated that approximately 50 percent of that experienced workforce will be retiring within the next 5 years… which happens to be before the first new plants in the US are expected to start actually generating power. So education is a big problem – from both a skills transfer and a certification perspective. And here I was thinking that IT Security has it tough on the education front.

What about the terrorists?

Perhaps one of the most expected questions (and subsequent discussions) revolved around the terrorist threat, and we spent the final moments of the talk discussing cyber-terrorism or, more precisely, the lack of it (it was also a conversation that extended for quite some time over the dinner).

Given the relative ease of gaining access to the tools necessary to launch cyber-attacks against nuclear power plants, and the growth of hacking-as-a-service business models, I think we’re all a bit flummoxed as to why we haven’t actually heard about any successful cyber-terrorist attacks (well, attacks that have actually made it to the news media, that is).

Why is that? Don’t the terrorists have the same access to hacking resources?
I don’t have an answer to that question, but there are likely to be several factors at play:

  1. How would we know? The majority of nuclear plants don’t have the capability to monitor most attack vectors – so unless it was an obvious disruptive attack (and couldn’t be attributed to some other mechanical failure or gremlin) it would likely be missed.
  2. Where’s the money in it? While you can “rent-a-hacker” through any number of sources, it’s still got to be worth the effort of the hacker. The probability that an entire country’s government may be prepared to mobilize and come after you – the hacker – means that the risks are extremely high, and the financial reward just isn’t there. Hackers aren’t dumb! Even those teenage bedroom security warriors know that they’d get in deep doo-doo if anyone even thought they were responsible for helping hack a nuclear power plant.
  3. What damage can you actually do with a hack? Nuclear power plants don’t go boom – and there isn’t going to be toxic radioactive goo plastered over the landscape – no matter how hard you hit your keyboard.
  4. Is it worth the effort? There are easier ways for terrorists to achieve the same end. If the objective is to cause widespread power disruptions and outages, then the simultaneous crashing of a few cars into various power distribution centers would achieve that.
  5. To a large extent, today’s nuclear plants aren’t really networked extensively enough – at least not to a level necessary to gain “full control” of every facet of a plant. That said, in the future that could change as plant infrastructure becomes more interconnected – but we’ll also see a greater proliferation of protection solutions.

It was an interesting day of discussion, and I think I dodged most of the follow-up action items :-)