Feeds

Nuclear cyber security debate hots up

US regulations 'premature', says supplier

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Two companies that make digital systems for nuclear power plants have come out against a government proposal that would attach cyber security standards to plant safety systems.

The 15-page proposal, introduced last December by the US Nuclear Regulatory Commission (NRC), would rewrite the commission's "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants." The current version, written in 1996, is three pages long and makes no mention of security.

The plan expands existing reliability requirements for digital safety systems, and infuses security standards into every stage of a system's lifecycle, from drawing board to retirement. Last month the NRC extended a public comment period on the proposal until 14 March to give plant operators and vendors more time to respond.

So far, industry reaction has been less than glowing. Capri Technology, a small California firm that builds specialized systems and software for nuclear plants, calls the regulations "premature", and says the proposal could deter plant operators from installing new digital safety systems entirely.

"The NRC tries to promote the use of digital technology in the nuclear power industry on the one hand, but then over-prescribes what is needed when a digital safety system is proposed," wrote company president William Petrick, in comments filed with the commission. An industry veteran, Petrick advocates withdrawing the proposal until the NRC and industry experts can agree on a more effective cyber security strategy.

Framatone, a French company that develops and builds plants from the ground up, had a similar response. The company argued in its comments that the NRC is painting with too broad a brush - for example, by applying the same security standards to software running on a general purpose computer, and to firmware embedded in a chip.

Cyber security "is sufficiently important and complex to merit a more considered set of guidance," Framatone argued. "A significant joint effort should be undertaken to publish comprehensive cyber security guidance that covers present and planned uses of software in nuclear plants."

Until then, "the entire cyber security section should be deleted and only a passing reference to the subject retained," the company wrote.

International concern

Last year the United Nations' International Atomic Energy Agency (IAEA) warned of growing international concern about the potential for cyber attacks against nuclear facilities, and said it was finalizing new security guidelines of its own. No successful targeted attacks against plants have been publicly reported, but in 2003 the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall.

The NRC draft advises against such interconnections. It also urges vendors to add additional security to their software development process, as a bulwark against saboteurs writing backdoors into the code, or implanting logic bombs programmed to shut down a safety system at a particular time.

But securing the software from its own developers "would not be practical to implement", according to comments filed by Virginia-based energy company Dominion, one of two plant operators who chimed in on the proposal. "Access of the programmer to the software is a matter of trust."

Dominion also takes exception to NRC's preference against interconnection. "Remote access to safety system data from outside the physical plant is not necessarily a potential vulnerability," the company wrote. "Access to data through one-way or fixed function gateways should be allowed, assuming proper verification of the integrity of the gateway is verified."

Dominion operates the Millstone nuclear plant in Connecticut, and two plants in Virginia.

Nebraska's Omaha Public Power District (OPPD), which operates the Fort Calhoun nuclear plant, took issue with the proposal's emphasis on technological access control solutions. Obliging plant operators to protect systems with a combination of passwords, smart cards and biometrics could create more problems than it solves, the company wrote.

"Requiring additional security features could compromise the integrity of the safety system itself," wrote the company. "It is OPPD's position that a Safety System Security Plan that includes network security and has well-defined roles and responsibilities of the staff organization is more beneficial than adding unnecessary complexity to the safety system."

Though they suggested changes, neither utility opposed the plan entirely. If the measure is approved, adherence to the new guidelines would be strictly voluntary for operators of the 103 nuclear reactors already running in the US.

Copyright © 2004, SecurityFocus logo

Related stories

US to tighten nuclear cyber security
Nuke watchdog issues cybergeddon alert
Five lose jobs over nuke lab security debacle

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.