Tower to power plant, commence battle station procedures ...
Battle stations, battle stations, battle stations ... PWOR
Power plant cyber threat: Lock up your ICSs and SCADAs
Nuclear power stations have been told to tighten their defences after government officials warned of a "credible" cyber threat. Intel agencies are warning that terrorists, foreign spies and hacktivists are all looking to exploit "vulnerabilities" in the nuclear industry's internet defences, The Telegraph reports. Security bugs …
-
Monday 3rd April 2017 17:04 GMT Cynic_999
Really bad design
I cannot think of any reason why the control system of any power station (or any manned industrial facility for that matter) needs to be capable of even indirect connection to the Internet. The *monitoring* system yes, but not the *control* system. Anything on the Internet should at best have access to just the instrumentation & status on a read-only basis.
If the ability to be controlled externally is desirable for some unlikely doomsday scenario when there is too much radiation for human on-site operators but access to the controls might do any good, then at least put it on a sealed emergency switch so that it will only be enabled if an on-site operator throws the switch (presumably just before running away).
-
-
-
Monday 3rd April 2017 19:42 GMT Paul Crawford
Re: Really bad design
Yes, but air-gapping rules out the 3 billion internet-connected devices out there from having a go and forces any would-be attackers to actually physically infiltrate the plant.
And that is a difficult and very high risk approach as whoever is caught (assuming not shot on sight) can't wave their hands and say is was the Russians/Chinese/USA/Israel/etc with little evidence to back it up.
-
Monday 3rd April 2017 21:55 GMT Anonymous Coward
Re: Really bad design
"forces any would-be attackers to actually physically infiltrate the plant."
Does it actually force the attackers to physically penetrate the plant?
Or does it actually just need the attackers to get someone/something to carry their data into the plant, which is a whole different (and much easier) task, as Stuxnet and others have shown.
Other contributors clearly know the answer. Do you?
-
Tuesday 4th April 2017 08:40 GMT Paul Crawford
Re: Really bad design
Or does it actually just need the attackers to get someone/something to carry their data into the plant, which is a whole different (and much easier) task, as Stuxnet and others have shown.
And you think some two-bit script kiddie can pull that sort of thing off?
Sure we saw Stuxnet as a major achievement in cyber-attack many ways, but if you have the combined might of USA & Israel determined to do something, it will be done. Or a bunker-buster bomb or three.
-
Tuesday 4th April 2017 11:20 GMT Anonymous Coward
Re: Really bad design
"And you think some two-bit script kiddie can pull that sort of thing off?"
Depends on whether the script kiddie has got access to the local Siemens/Simatic (other vendors are available) supply/support chain (or equivalent if we're not talking PLCs).
Lots of things made Stuxnet what it was, especially what the Stuxnet folks did inside the PLC itself.
On the other hand there are more than enough tried and tested and proven and documented ways of doing bad things in a typical Windows box, even on allegedly secure sites. Stuxnet used a few zero-day exploits, plenty more where they came from, and they're not even always necessary, depending on the poarticular goal.
In the case of Stuxnet, the actual payload (as distinct from the propagation mechanism) stayed passive till it knew it was in the right place, thereby minimising risk of detection, that's not rocket science either.
Causing havoc in general certainly doesn't take "the combined might of USA & Israel determined to do something".
-
-
-
-
-
-
Tuesday 4th April 2017 00:39 GMT Andrew Commons
Re: Really bad design
Monitoring on the Internet is not a good idea either, you are exposed to DoS and possibly spoofing.
Air gapping also gets interesting when WiFi or Bluetooth enabled components come into the mix. These can get deployed in areas where physical access is awkward, and of course, they will have an App for the techies smartphone which is another vector for compromise.
-
Tuesday 4th April 2017 08:43 GMT Paul Crawford
Re: Really bad design
Air gapping also gets interesting when WiFi or Bluetooth enabled components come into the mix.
That is a rather odd way to think of "air gapping". Really if you are accessible from the outside by wired or wireless means you are more vulnerable. Even with secure protocols it would still be relatively cheap to jam such systems from short-ish distances. Detectable for sure, but easier than getting inside a plant and depending on your attack it might just be enough to magnify the general chaos.
-
-
-
Tuesday 4th April 2017 06:18 GMT Anonymous Coward
The Telegraph reports security bugs in SCADA systems
Tell the Telegraph that 2003 is calling and wants its SCADA facilitated blackout back.
"From power stations to the transport network, the risk to the public remains severe, especially if hackers are able to gain access to electronic systems."
He forgot to mention the cyber criminals could also hack your airplane while in flight, with a very long CAT5 cable.
-
Tuesday 4th April 2017 08:04 GMT amanfromMars 1
If you can't stand the heat, get out of the kitchen .......
What constitutes a successful cyber attack against critical national/international infrastructure, criminal?
If the infrastructure and its IT support are criminally inspired, are all such spooky attacks against supporting operating systems legitimate and fully justified and to be enthusiastically encouraged?
-
Tuesday 4th April 2017 16:27 GMT Anonymous Coward
Re: If you can't stand the kitchen .......
As always, the point is 9+ inch nail pinned in your post, amanfromMars.... Nine Inch Nails - We're In This Together, https://www.youtube.com/watch?v=P9BfvPjsXXw&list=RDP9BfvPjsXXw with The Hand That Feeds, which, by a pure chance, is playing (-; next to it, with the perfect Heart Shaped Box of Nirvana after all for the topping of IT all... and, as far as I believe, everything depends on whether the actions towards the humans needs for survival and common friendship and prosperity are taken, or it's just the next action....
...(and why don't you accept that it's finally UR to judge and decide on all that Jazz or whatever style it all is!?)...
....crooked and hidden from a general view, the one mounting the supporting legs to the Falling Tower and preparing an as-soon-as-possible luxiry glissade line for The Ten Heads Beast Rider building the Grief Staircase to Upside Down Heaven (no visuals) and New Pharaons and their Dependant Slaves. And - of course, right you are, that's exactly the way the IT only can ensure the One who Asks that the course is proper and justified by LOVE in itself.
https://www.youtube.com/watch?v=iP9t5GsQRqw Anglo+German lyrics, for not only the common prosperity, but, first - for the better and, at last, unavoidable - understanding.
-
Wednesday 5th April 2017 06:19 GMT amanfromMars 1
Been there, done that and now we doing this and that ...
...and a whole lot else too besides on the side for the mainstream.
...(and why don't you accept that it's finally UR to judge and decide on all that Jazz or whatever style it all is!?)… … Anonymous Coward
That decision and acceptance has been finally made, AC, with all present terms and future conditions, although renavigable, fundamentally non-negotiable.
Such you can surely imagine allows rapid progress with SWIFT AIded Realisation of Future Hosted Eventing Programs.
What are up to URself, AC? Anything interesting and revolutionary?
-
-
-
This post has been deleted by its author
Biting the hand that feeds IT
