Assignment: Read the article “The Vulnerability of Nuclear Facilities to Cyber Attacks” (http://edocs.nps.edu/npspubs/institutional/newslet… ). With the knowledge gleaned from the course, create a mind map or diagram with your defense in depth approach to securing a nuclear power plant. Use your text and open research on the Internet to assist in building your approach. You must use NIST Special Publication 800-82 security controls to support your security approach. NOTE: NO PLAGIARISM PLEASE AND REFERENCES ALSO IN APA FORMAT.
si_v10_i1_kesler.pdf
The Vulnerability of Nuclear Facilities to Cyber Attack
Brent Kesler
Introduction
In June 2010, U.S. Senators Susan Collins, Joseph Lieberman, and Tom Carper introduced the
Protecting Cyberspace as a National Asset Act. One of its many aims is to protect critical
infrastructures in the United States from cyber attack. In January 2011, Brandon Milhorn, staff
director of the Senate Homeland Security and Governmental Affairs Committee, defended the bill,
saying that it would prevent a hacker from opening the floodgates of the Hoover Dam. Peter Soeth,
a spokesman for the US Bureau of Reclamation, the agency which manages the Hoover Dam,
objected to that example, arguing that “These types of facilities are protected by multiple layers of
security, including physical separation from the internet, that are in place because of multiple
security mandates and good business practices.”1
This dispute over the Hoover Dam demonstrates the classic pattern of debate over critical
infrastructures and their vulnerability to cyber attacks. Most of the process control systems designed
to manage critical infrastructures, such as electric grids, oil pipelines, and water utilities, use
specialized hardware and proprietary protocols. However, since the 1990s, the managers of these
infrastructures have been integrating their control systems with computer networks built from
commercial off-the-shelf operating systems, such as Windows and Unix.2 This has simplified the
task of managing facilities remotely, but it has also made process control systems vulnerable to
attack over the internet. Alarmists point to these connections as vulnerabilities that pose almost epic
threats; skeptics immediately dismiss such fears, claiming that the necessary measures to prevent a
catastrophic cyber attack have already been implemented. History suggests the truth lies somewhere
in between.
As a relatively young field, national cyber security policy has been open to speculation about
potential threats. However, in 2011, network operators have accumulated enough experience and
data from real world attacks to draw a more realistic picture of the threats facing critical
infrastructures. This paper will examine the history of cyber security incidents at nuclear facilities to
assess the extent to which recorded vulnerabilities pose an “epic” threat. Specifically, it will examine
three cyber incidents that occurred at U.S. nuclear facilities between 2003 and 2008. It will then turn
to details of the 2010 Stuxnet attack against the Iranian nuclear program to outline similarities with
the three U.S. incidents. The lessons from these four incidents suggest that situational awareness and
other security measures are too weak in their current state to guarantee that a catastrophic attack will
never happen. However, it will also argue that launching a catastrophic attack is not simple and
requires a sophisticated adversary. The article will then turn to gaps in nuclear regulation that policy
makers should consider when formulating cyber security policies, not only for nuclear facilities, but
for other critical infrastructures.
1 David Kravets, “No, Hackers Can’t Open Hoover Dam Floodgates”, Threat Level (Wired blog), February 3, 2011. http://www.wired.com/threatlevel/2011/02/hoover/
2 Martin Stoddard et al., Process Control System Security Metrics – State of Practice, Institute for Information Infrastructure Protection, August 2005.
Strategic Insights • Spring 2011
Volume 10, Issue 1
15
Figure 1: Highly simplified representation of a process control network
Process control systems
Historically, critical infrastructures have used two kinds of control systems: supervisory control and
data acquisition (SCADA) systems that quickly gather remote field data, and distributed control
systems (DCS) that manage automated manufacturing processes. Over time, these systems began to
share many of the same technologies and features, making them less distinct from each other.
However, given their separate histories, much of their distinct terminology remains. Other terms,
such as integrated control systems (ICS) or instrumentation and control (I&C) are also used,
depending on the traditional practice of the facilities using these systems. This paper will collectively
refer to these technologies as process control systems (PCS). 3
Process control systems come in any number of complex architectures, but a general pattern holds
for most facilities. The control network is the collection of computer systems which directly monitor
and control plant operations. At the top are the human-machine interfaces (HMI) that display data from
plant equipment and allow technicians to adjust their operations. These are often Windows or Unix
based computers. HMI communicate over a control bus with other computers that monitor and
control operations using software that is less user-friendly. These computers communicate over a
field bus with programmable logic controllers (PLC), hardware that directly adjusts the various motors,
sensors, actuators, and other physical components at the heart of a plant’s operations.4 This is a
highly simplified description of a control network; structure and terminology will vary.
Power plants also have office networks for business purposes. The office networks often collect data
from control networks and have connections with a wider corporate network over the internet.
3 Stoddard et al, PCS Security Metrics.
4 K. Korash et al. Emerging Technologies in Instrumentation and Controls: An Update. (Oak Ridge: Oak Ridge National
Laboratory, 2006), 25-28.
Connecting control networks with business offices and the larger corporate network makes it easier
for managers to match plant operations with business goals and improve efficiency. However, it also
opens a path that malicious hackers on the wider internet could follow to the plant’s process control
systems.
Vulnerability of process control systems
Operators of process control systems used to believe they were invulnerable to cyber attack for two
main reasons. The first reason is the assumption that PCS are isolated from the internet; the second
is that PCS generally use proprietary protocols and specialized hardware not compatible with
ordinary computers and common network protocols like Ethernet and TCP/IP. These assumptions
have led some PCS operators to see the threat of a cyber attack as alarmist. For example, a 2002
article published in CIO Magazine outlines the numerous security precautions taken by the
Massachusetts Water Resource Authority (MWRA) and concludes that a cyber attack against its PCS
would have no effect:
[M]ost public utilities rely on a highly customized Scada system. No two are the
same, so hacking them requires specific knowledge — in this case, knowledge of the
MWRA’s design and access to that customized software. … Scada is not networked,
except in two places. 5
He added:
[PLCs] follow the lowest level, most basic instructions (such as turn on and turn off),
and report them to Scada … If something is wrong, the PLC says, “Help me” in the
form of an alarm. The alarm sounds at the water site and at the Scada operations
centers. The alarm also flashes on the computers, and it can’t be shut off until a
formal acknowledgement of the alarm is made and physically logged by a human
being6.
However, many operators have been moving towards open protocols and off-the-shelf hardware to
manage their process control systems, even connecting them to the internet—sometimes
inadvertently.7 These trends have made PCS vulnerable to hackers, often with dangerous results.
This fact had been demonstrated even before the MWRA article and has been repeatedly confirmed
by penetration testers hired to assess cyber security at critical infrastructures. At the 2006 Black Hat
Conference, presenters from IBM Internet Security Systems’ X-Force team outlined a penetration
test at an unnamed power plant. While meeting with plant management in a conference room, the
testing team found an unprotected wireless access point, used it to access the plant’s business
network, and from there accessed the plant’s control network using a ten-year-old exploit. In
X-Force’s experience, only knowledge of common internet protocols was necessary to interfere with
PCS systems, but any hacker who wanted to take the extra step to learn about PCS protocols could
5 Scott Berinato. “Debunking the Threat to Water Utilities”, CIO Magazine (March 15, 2002).
http://www.cio.com/article/30935/Debunking_the_Threat_to_Water_Utilities
6 Ibid.
7 A common cause of an inadvertent connection is a “rogue access point”. Employees sometimes set up a wireless
network in their office without telling systems administrators. If the access point is not well protected, a hacker can
use it to bypass the firewalls and intrusion detection systems that administrators have set up to protect office
computers from the wider internet.
find technical specifications online.8
Past PCS attacks have even caused physical damage to critical infrastructures. For example, in 2000 a
former contractor hacked into the Maroochy Water District’s PCS system in Queensland, Australia,
and released 80,000 liters of raw sewage into parks, rivers, and even the Hyatt Regency Hotel; the
smell drove away local residents, river water turned black, and marine life died as a result.9 In March
2007, Idaho National Laboratory conducted a test of the so-called “Aurora vulnerability”. This
vulnerability would allow an attacker at a remote high voltage circuit breaker to physically destroy a
generator by quickly opening and closing the breaker. Details of this vulnerability have been
designated “For Official Use Only” by the Department of Homeland Security.10
Cyber attacks against PCS, whether intentional or unintentional, are likely underreported. No
regulation exists requiring power plants to report problems with or attacks against their control
systems. In the case of the Aurora vulnerability, ES-ISAC (Electric Sector Information Sharing and
Analysis Center) and the Nuclear Energy Institute issued advisories that required no action.11 In
April 2009, the North American Electric Reliability Corporation (NERC) issued a letter stating that
many power companies were choosing not to identify critical assets in order to avoid complying with
cyber security standards, leaving them exposed to such vulnerabilities as Aurora.12 NERC explains
this behavior as a misconception of cyber threats; most operators do not see their own systems as
critical to the Bulk Electric System, so they fail to realize that a cyber attack could affect multiple
systems at once, and through them the power grid as a whole. In another case, an unnamed power
plant suffered a targeted attack and lost process control systems for two weeks. However, since the
attack did not disrupt power generation, the attack was not reported to government agencies.13
Process control systems at nuclear power plants
The United States has 104 nuclear power plants generating 98,000 megawatts of electricity, roughly
20% of the electricity generated within the US. These plants generally have process control systems,
often designed by the same companies that provide these systems to non-nuclear power plants.14
However, the operators of non-nuclear plants usually have better hardware and cyber security
experience than their colleagues at nuclear facilities. Since installation and upgrades of PCS are
8 David Maynor and Robert Graham. “SCADA Security and Terrorism: We’re not crying wolf”, (paper presented at the
Black Hat conference, Las Vegas, Nevada, July 29-August 3, 2006).
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
9 Marshall Abrams and Joe Weiss. “Malicious Control System Cyber Security Attack Case Study – Maroochy Water
Services, Australia” National Institute of Standards and Technology, Computer Security Resource Center (August
2008).
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf
10 Joe Weiss. “One reason why we need regulation”, ControlGlobal.com Unfettered Blog (December 18, 2008).
http://community.controlglobal.com/content/one-reason-why-we-need-regulation
11 Ibid.
12 Michael Assante. “Critical Cyber Asset Identification” (Letter to Industry Stakeholders from the North American
Electric Reliability Corporation, April 7, 2009).
http://www.nerc.com/fileUploads/File/News/CIP-002-Identification-Letter-040709.pdf
13 Joe Weiss. “Control system cyber events, 60 Minutes, disclosure, and FUD”, ControlGlobal.com Unfettered Blog
(November 13, 2009).
http://community.controlglobal.com/content/control-system-cyber-events-60-minutes-disclosure-and-fud
14 Ken Barnes, Briam Johnson, and Reva Nickelson. Review of Supervisory Control and Data Acquisition (SCADA) Systems,
Idaho National Engineering and Environmental Laboratory, January 2004, page 9.
costly and time-consuming, most non-nuclear PCS operate for eight to fifteen years, the expected
lifespan of the hardware used. However, nuclear plants face even higher costs and more stringent
safety requirements for their PCS, so they often choose to continue using their original control
systems rather than upgrade. A nuclear PCS can be in service for twenty to thirty years, well past the
life expectancy of the hardware. Many plants are still using systems based on analog electronics
rather than digital.15 This is confirmed by the experience of nuclear engineer Joe Weiss, now a
managing partner of Applied Control Solutions, a consultancy specializing in control system cyber
security. Mr. Weiss worked for five years managing a nuclear instrumentation program for the
Electric Power Research Institute (EPRI). However, nuclear plants prefer to use tested technologies
so Mr. Weiss did not get to do “bleeding edge” research until he managed EPRI’s research program
for fossil fuel plant instrumentation. This meant that nuclear plants had often adopted modern
information technology for their process control systems, but had less experience implementing
cyber security on those systems than their colleagues at other electric power plants. This experience
gap often led nuclear operators to assume they were less exposed to cyber threats than non-nuclear
power plants.16
In the past five years, US government-funded research into the cyber security of process control
systems has focused mainly on oil and gas utilities and the electric grid. While nuclear power plants
face many of the same issues in protecting their infrastructure, the key difference is the nuclear
reactor. Non-nuclear generators can be completely shut down, but nuclear reactors run for one to
two years once the fuel is installed. Even when the reactor is “shut down”, the fuel still produces
decay heat and must be cooled, or the reactor core may melt. The partial meltdown of Three Mile
Island Unit 2 occurred during a reactor shutdown due to operator errors and equipment
malfunctions.17 If such errors and malfunctions can be replicated by a cyber attack, then a reactor
meltdown is possible. To determine the danger of this threat, it is necessary to examine cyber
incidents that have occurred at nuclear power plants.
Davis-Besse worm infection
On January 25, 2003, at 12:30 AM Eastern Standard Time, the Slammer worm began exploiting a
vulnerability in Microsoft SQL Server. Within ten minutes, it had infected 75,000 servers
worldwide—90% of vulnerable hosts. The design of Slammer was simple; it did not write itself to
the hard drive, delete files, or obtain system control for its author. Instead, it settled in system
memory and searched for other hosts to infect. Removing the worm was as simple as rebooting the
server after blocking UDP port 1434, Slammer’s point of entry. Installing a patch Microsoft had
released six months earlier would eliminate the vulnerability Slammer exploited and prevent another
infection.
Although Slammer carried no malicious payload, it still caused considerable disruption. It searched
for new hosts by scanning random IP addresses. This generated a huge volume of spurious traffic,
consuming bandwidth and clogging networks. Slammer’s random IP scans disabled data-entry
terminals at a 911 call center in Bellevue, Washington (population 680,000), shut down 13,000 Bank
of America ATMs, and forced Continental Airlines to cancel several flights when their online
15 Ibid, page 23.
16 Joe Weiss. “Nuclear plant cyber security has a ways to go”, ControlGlobal.com Unfettered Blog, March 25, 2008.
http://community.controlglobal.com/content/nuclear-plant-cyber-security-has-ways-go
17 Ronald L. Krutz. Securing SCADA Systems. (Indianapolis: Wiley Publishing, 2006), 29.
ticketing system and kiosks could not process orders.18 South Korea suffered a nationwide internet
outage lasting half a day.19
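The paragraphs above describe the two traits that make Slammer easy to spot in network telemetry: every probe is a single UDP datagram to port 1434, and the targets are random addresses, so one infected host fans out to many unrelated destinations within seconds. The following detector, added here as an illustration and not taken from the article or from any plant's monitoring, runs that logic over a handful of constructed flow records. The log format, the IP addresses, and the byte counts are all made up for the example; the thresholds are assumptions a practitioner would tune to their own traffic.

```python
import re
from collections import defaultdict

# Constructed flow records (not real plant data) in a simple key=value
# format. The first source sprays udp/1434 at unrelated addresses the way
# a Slammer-infected host does; the second is a legitimate client talking
# to one known SQL Server; the rest is unrelated background traffic.
SAMPLE_FLOWS = """\
2003-01-25T05:31:02Z src=10.1.2.3 dst=198.51.100.77 proto=udp dport=1434 bytes=404
2003-01-25T05:31:02Z src=10.1.2.3 dst=203.0.113.9 proto=udp dport=1434 bytes=404
2003-01-25T05:31:02Z src=10.1.2.3 dst=192.0.2.250 proto=udp dport=1434 bytes=404
2003-01-25T05:31:03Z src=10.1.2.3 dst=198.18.4.1 proto=udp dport=1434 bytes=404
2003-01-25T05:31:03Z src=10.1.2.3 dst=100.64.7.7 proto=udp dport=1434 bytes=404
2003-01-25T05:31:03Z src=10.1.2.3 dst=172.20.33.2 proto=udp dport=1434 bytes=404
2003-01-25T05:31:04Z src=10.1.5.40 dst=10.1.9.10 proto=udp dport=1434 bytes=90
2003-01-25T05:31:09Z src=10.1.5.40 dst=10.1.9.10 proto=udp dport=1434 bytes=90
2003-01-25T05:31:10Z src=10.1.5.41 dst=10.1.9.10 proto=tcp dport=1433 bytes=1200
2003-01-25T05:31:11Z src=10.1.5.41 dst=10.1.9.11 proto=tcp dport=443 bytes=5300
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts. Malformed lines are skipped rather than
    aborting the run, since a detector must survive noisy input."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            flows.append(rec)
    return flows


def find_udp1434_scanners(flows, min_targets=5, min_first_octets=3):
    """Return {source: sorted targets} for sources that contact many distinct
    hosts on udp/1434. A normal SQL Server Resolution client talks to one or
    two known servers; a worm picking random addresses spreads its targets
    across several /8 blocks, so the first-octet check separates the two."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 1434:
            targets[f["src"]].add(f["dst"])
    flagged = {}
    for src, dsts in targets.items():
        first_octets = {d.split(".")[0] for d in dsts}
        if len(dsts) >= min_targets and len(first_octets) >= min_first_octets:
            flagged[src] = sorted(dsts)
    return flagged


if __name__ == "__main__":
    for src, dsts in find_udp1434_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {len(dsts)} distinct udp/1434 targets -> likely Slammer")
```

On the sample, only 10.1.2.3 is flagged; the client at 10.1.5.40 hits port 1434 twice but on a single server in one /8, which is what an ordinary SQL Server lookup looks like. The same fan-out rule is what a perimeter device sees from the outside, which is why blocking UDP/1434 at the firewall was enough to stop new infections once the port was closed.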
The Slammer worm also infected computer systems at the Davis-Besse nuclear power plant near
Oak Harbor, Ohio. The worm traveled from a consultant’s network, to the corporate network of
First Energy Nuclear, the licensee for Davis-Besse, then to the process control network for the
plant. The traffic generated by the worm clogged the corporate and control networks. For four
hours and fifty minutes, plant personnel could not access the Safety Parameter Display System
(SPDS), which shows sensitive data about the reactor core collected from coolant systems,
temperature sensors, and radiation detectors—these components would be the first to indicate
meltdown conditions. Power plants are required to notify the NRC if an SPDS outage lasts longer
than eight hours.
The reactor at Davis-Besse had been offline for nearly a year before its Slammer infection due to the
discovery of a hole in the reactor head.20 Although Slammer’s scanning traffic did block sensors
from providing digital readouts to control systems, it did not affect analog readouts on the
equipment itself; plant technicians could still get reliable data from sensors by physically walking up
to them and looking at them, though this process is slower than retrieving data over a network.
Davis-Besse had a firewall protecting its corporate network from the wider internet, and its
configuration would have prevented a Slammer infection. However, a consultant had created a
connection behind the firewall to the consultancy’s office network. This allowed Slammer to bypass
the firewall and infect First Energy’s corporate network. From there, it faced no obstacle on its way
to the plant control network. In response, First Energy set up a firewall between the corporate
network and the plant control network.
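The control-network model described earlier (office network, control network with HMIs, field bus to PLCs) and the Davis-Besse infection path together make a simple point: a perimeter firewall only protects what sits behind it with no other way in. The following model, added here as an illustration and not drawn from the article or from First Energy's actual network, treats each network as a zone and each link as either unfiltered or filtered to a set of ports, then searches for a route a worm on UDP/1434 could follow. The zone names, the consultant link, and the ports each firewall permits are assumptions for the example; the before-and-after shape follows what the text reports.

```python
from collections import deque

SLAMMER_PORT = 1434  # UDP port Slammer used to reach SQL Server


def davis_besse_before():
    """Assumed zone links before the incident. Each (zone_a, zone_b) maps to
    the destination ports a firewall on that link lets through, or None when
    the link is unfiltered."""
    return {
        ("internet", "corporate"): {80, 443},   # perimeter firewall; 1434 not allowed
        ("consultant", "corporate"): None,       # consultant's link, behind the firewall
        ("corporate", "control"): None,          # no firewall between office and plant
        ("control", "field"): None,              # control bus / field bus down to PLCs
    }


def davis_besse_after():
    """Same topology with First Energy's fix: a firewall between the corporate
    and control networks. The single permitted port is an assumption."""
    links = davis_besse_before()
    links[("corporate", "control")] = {443}
    return links


def worm_path(links, src, dst, port):
    """Breadth-first search for a chain of zone links over which traffic to
    `port` is not filtered. Links are treated as bidirectional, since a worm
    scanning from either side meets the same filter. Returns the zone path
    as a list, or None when every route is blocked."""
    adj = {}
    for (a, b), allowed in links.items():
        if allowed is None or port in allowed:
            adj.setdefault(a, []).append(b)
            adj.setdefault(b, []).append(a)
    seen = {src}
    queue = deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in adj.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def exposure_report(links, sources=("internet", "consultant"),
                    target="control", port=SLAMMER_PORT):
    """For each entry point, the path by which it can reach `target` on
    `port`, or None if it cannot."""
    return {s: worm_path(links, s, target, port) for s in sources}


if __name__ == "__main__":
    for label, links in (("before", davis_besse_before()),
                         ("after", davis_besse_after())):
        print(label, exposure_report(links))
```

Before the fix the report shows the internet blocked but the consultant link reaching the control network through the corporate network, which is the route the worm actually took. After the fix the consultant link still reaches the corporate network (the firewall does nothing for the office side), but the control network is no longer reachable on 1434. That inner boundary, rather than the perimeter alone, is the layer NIST SP 800-82 describes when it recommends separating the control network from the corporate network with a firewall and DMZ.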
The Davis-Besse incident highlighted the fact that most nuclear power plants, by retrofitting their
SCADA systems for remote monitoring from their corporate network, had unknowingly connected
their control networks to the internet. At the time, the NRC did not permit remote operation of
plant functions.21 That policy would change by 2008.
Browns Ferry shutdown
The August 19, 2006, shutdown of Unit 3 at the Browns Ferry nuclear plant near Athens, Alabama,
demonstrates that not just computers, but even critical reactor components, could be disrupted and
disabled by a cyber attack. Unit 3 was manually shut down after the failure of both reactor
recirculation pumps and the condensate demineralizer controller.22 Without the recirculation pumps,
the power plant could not cool the reactor, making a shutdown necessary to avoid melting the
reactor core.
18 Robert O. Harrow, Jr. “Internet Worm Unearths New Holes”, SecurityFocus (January 29, 2003),
http://www.securityfocus.com/news/2186
19 Stacy Cowley and Martyn Williams. “Slammer Worm Slaps Net Down, But Not Out” PCWorld (Januar …