Friday, March 04, 2005

Security? Nuclear plants don't need no stinkin' security!

A SecurityFocus post discusses the nuclear industry's reaction to a proposed voluntary standard for security of digital systems controlling nuclear power plants.

"Two companies that make digital systems for nuclear power plants have come out against a government proposal that would attach cyber security standards to plant safety systems. The 15-page proposal, introduced last December by the U.S. Nuclear Regulatory Commission (NRC), would rewrite the commission's 'Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.' The current version, written in 1996, is three pages long and makes no mention of security. The plan expands existing reliability requirements for digital safety systems, and infuses security standards into every stage of a system's lifecycle, from drawing board to retirement. Last month the NRC extended a public comment period on the proposal until March 14th to give plant operators and vendors more time to respond. So far, industry reaction has been less than glowing."

"The NRC tries to promote the use of digital technology in the nuclear power industry on the one hand, but then over-prescribes what is needed when a digital safety system is proposed," wrote one company president.

"The entire cyber security section should be deleted and only a passing reference to the subject retained," another company wrote.

"In 2003 the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours [followup and another]. The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall."

"Dominion also takes exception to NRC's preference against interconnection. 'Remote access to safety system data from outside the physical plant is not necessarily a potential vulnerability,' the company wrote. 'Access to data through one-way or fixed function gateways should be allowed, assuming proper verification of the integrity of the gateway is verified.' "

You may not be concerned about connecting SCADA (Supervisory Control and Data Acquisition) systems for critical infrastructure to the Internet, where it can be probed by hackers of all sorts. It scares the hell out of me, but obviously doesn't concern Dominion.

Labels: , ,


Post a Comment