List:       isn
Subject:    [ISN] Report finds many nuclear power plant systems "insecure by design"
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2015-10-13 7:45:09
Message-ID: alpine.DEB.2.02.1510130744480.307 () infosecnews ! org

http://arstechnica.com/security/2015/10/report-finds-many-nuclear-power-plant-systems-insecure-by-design/

By Sean Gallagher
Ars Technica
Oct 8, 2015

A study of the information security measures at civilian nuclear energy 
facilities around the world found a wide range of problems at many 
facilities that could leave them vulnerable to attacks on industrial 
control systems—potentially causing interruptions in electrical power or 
even damage to the reactors themselves. The study, undertaken by Caroline 
Baylon, David Livingstone, and Roger Brunt of the UK international affairs 
think tank Chatham House, found that many nuclear power plants' systems 
were "insecure by design" and vulnerable to attacks that could have 
wide-ranging impacts in the physical world—including the disruption of the 
electrical power grid and the release of "significant quantities of 
ionizing radiation." It would not require an attack with the 
sophistication of Stuxnet to do significant damage, the researchers 
suggested, based on the poor security present at many plants and the track 
record of incidents already caused by software.

The researchers found that many nuclear power plant systems were not "air 
gapped" from the Internet and that they had virtual private network access 
that operators were "sometimes unaware of." And in facilities that did 
have physical partitioning from the Internet, those measures could be 
circumvented with a flash drive or other portable media introduced into 
their onsite network—something that would be entirely too simple given the 
security posture of many civilian nuclear operators. The use of personal 
devices on plant networks and other gaps in security could easily 
introduce malware into nuclear plants' networks, the researchers warned.

The security strategies of many operators examined in the report were 
"reactive rather than proactive," the Chatham House researchers noted, 
meaning that there was little in the way of monitoring of systems for 
anomalies that might warn of a cyber-attack on a facility. An attack could 
be well underway before it was detected. And because of poor training 
around information sec

[...]


