Feeds

Nuke watchdog issues cybergeddon alert

Plants at risk from hack attack

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

The United Nations' nuclear watchdog agency warned Friday of growing concern about cyber attacks against nuclear facilities.

The International Atomic Energy Agency (IAEA) announced in a statement that it is developing new guidelines aimed at combating the danger of computerized attacks by outside intruders or corrupt insiders: "For example, software operated control systems in a nuclear facility could be hacked or the software corrupted by staff with insider access," the group said.

The IAEA's new guidelines on "Security of Information Technology Related Equipment and Software Based Controls Against Malevolent Acts" are being finalized now, said the agency. The announcement came out of the agency's 48th annual general conference attended by 137 nations.

Last year, the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall.

News of the Davis-Besse incident prompted Rep. Edward Markey (D-MA) last fall to call for US regulators to establish cyber security requirements for the 103 nuclear reactors operating in the US, specifically requiring firewalls and up-to-date patching of security vulnerabilities. By that time the US Nuclear Regulatory Commission (NRC) had already begun working on an official manual to guide plant operators in evaluating their cybersecurity posture.

But that document, finalized this month, "is not directive in nature", says Jim Davis, director of operations at the Nuclear Energy Institute, an industry association. "It does not establish a minimum level of security or anything like that. That isn't the purpose of the manual."

A related industry effort will establish management-level cyber security guidelines for plant operators, says Davis, who believes industry efforts are sufficient. "I think we are taking it seriously... and I think if the industry doesn't go far enough in this area we'll see more attention from regulators."

Neither the NRC manual nor the industry guidelines will be made public.

Separately, the NRC is working on a substantial revision of its regulatory guide, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants", which sets security and reliability criteria for installing new computerized safety systems in plants. It would replace the current guide, written in 1996, which is three pages long.

A working draft of the NRC guide reviewed by SecurityFocus would encourage plant operators to consider the effect of each new safety system on the plant's cyber security, and to develop response plans to deal with computer incidents. Additionally, it would urge vendors to maintain a secure development environment, and to probe their products for backdoors and logic bombs before shipping.

Copyright © 2004, SecurityFocus logo

Related stories

UK stumps up £1.1m for cash-strapped nuke watchdog
Five lose jobs over nuke lab security debacle
US Emergency Alert System open to hack attack
US nuclear lab suspends secret work

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.