[prev in list] [next in list] [prev in thread] [next in thread]
List: isn
Subject: [ISN] Report finds many nuclear power plant systems "insecure by design"
From: InfoSec News <alerts () infosecnews ! org>
Date: 2015-10-13 7:45:09
Message-ID: alpine.DEB.2.02.1510130744480.307 () infosecnews ! org
[Download RAW message or body]
http://arstechnica.com/security/2015/10/report-finds-many-nuclear-power-plant-systems-insecure-by-design/
By Sean Gallagher
Ars Technica
Oct 8, 2015
A study of the information security measures at civilian nuclear energy
facilities around the world found a wide range of problems at many
facilities that could leave them vulnerable to attacks on industrial
control systems—potentially causing interruptions in electrical power or
even damage to the reactors themselves. The study, undertaken by Caroline
Baylon, David Livingstone, and Roger Brunt of the UK international affairs
think tank Chatham House, found that many nuclear power plants' systems
were "insecure by design" and vulnerable to attacks that could have
wide-ranging impacts in the physical world—including the disruption of the
electrical power grid and the release of "significant quantities of
ionizing radiation." It would not require an attack with the
sophistication of Stuxnet to do significant damage, the researchers
suggested, based on the poor security present at many plants and the track
record of incidents already caused by software.
The researchers found that many nuclear power plant systems were not "air
gapped" from the Internet and that they had virtual private network access
that operators were "sometimes unaware of." And in facilities that did
have physical partitioning from the Internet, those measures could be
circumvented with a flash drive or other portable media introduced into
their onsite network—something that would be entirely too simple given the
security posture of many civilian nuclear operators. The use of personal
devices on plant networks and other gaps in security could easily
introduce malware into nuclear plants' networks, the researchers warned.
The security strategies of many operators examined in the report were
"reactive rather than proactive," the Chatham House researchers noted,
meaning that there was little in the way of monitoring of systems for
anomalies that might warn of a cyber-attack on a facility. An attack could
be well underway before it was detected. And because of poor training
around information sec
[...]
--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic