Feeds

US to tighten nuclear cyber security

Added computer security standards

  • alert
  • submit to reddit

The essential guide to IT transformation

Federal regulators are proposing to add computer security standards to their criteria for installing new computerized safety systems in nuclear power plants.

The US Nuclear Regulatory Commission (NRC) quietly launched a public comment period late last month on a proposed 15-page update to its regulatory guide "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants." The current version, written in 1996, is three pages long and makes no mention of security.

The replacement would expand existing safety and reliability requirements for digital safety system, and infuse security requirements into every stage of a system's lifecycle, from drawing board to retirement.

Last year the United Nations' International Atomic Energy Agency (IAEA) warned of growing international concern about the potential for cyber attacks against nuclear facilities, and said it was finalizing new security guidelines of its own. No successful targeted attacks against plants have been publicly reported, but in 2001 the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall.

The NRC draft advises against such interconnections. It also advises plant operators to consider the effect of each new system on the plant's cyber security, and to develop response plans to deal with computer incidents. Vendors are told how to reduce the risk of saboteurs planting backdoors and logic bombs in safety system software during the development phase.

"I really liked the notion of making people aware that they need to address security throughout the process of developing new software and systems, and not just as a test at the end," says Chris Wysopal, a Boston-based computer security researcher with the Symantec Corporation. "They talked about that going all the way back to the requirement phase, which I thought was good."

But for all its breadth, adherence to the new guidelines would be strictly voluntary for operators of the 103 nuclear reactors already running in the US - a detail that irks some security experts. In filed comments, Joe Weiss, a control systems cyber security consultant at KEMA, Inc., argued the regulatory guide shouldn't be limited to plant safety systems, and that existing plants should be required to comply.

"There have been numerous cases of control system cyber security impacts including several in commercial nuclear plants," Weiss wrote. "Many nuclear plants have connected their plant networks to corporate networks making them potentially vulnerable to cyber intrusions."

Wysopal, who reviewed the draft at SecurityFocus' request, agrees that it could use more juice. "It's kind of sad," he says. "I see that people have all these great notions of how we can build software and systems more securely, but it's always voluntary."

The NRC is accepting public comments on the new guide until 11 February.

Copyright © 2004, SecurityFocus logo

Related stories

Nuke watchdog issues cybergeddon alert
Five lose jobs over nuke lab security debacle
US nuclear lab suspends secret work
Homer Simpson let loose on US nuclear weapons facility

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?