French nuke biz slapped in mystery cyberattack
Canada China North Korea oh, who knows
French nuclear power group Areva may have fallen victim to an operating system-level electronic attack, which was first detected in September.
Conflicting French media reports suggest hackers had access to Areva’s network as far back as two years (Slate France, here) or that the problem only affected "non-critical" data and systems (France Info, here). French business mag L’Expansion reports the hack affected Areva's operations outside France and blamed Asian (read Chinese or North Korean) hackers for the attack.
Local reports are consistent only in terms of talking about cyber-espionage, perhaps involving malware rather than some kind of terrifying Stuxnet-style nuclear kit sabotage caper.
Staff reportedly learned that all might not to be well with Areva systems in mid-September, following a weekend security upgrade that left some systems out of action for three days. The National Security Agency Information Systems (ANSSI) reportedly assisted the security upgrade.
We invited Areva to comment in the hopes of clarifying what happened, but had yet to hear back by the time of publication on Tuesday. ®
I know this point gets raised everytime something like this comes up
But I'm genuinely interested to know. What is the advantage to having critical systems like this connected to the internet? The disadvantages are frighteningly apparent, so what are the good reasons that lead to nuclear plants and other obvious targets being hooked up to the internet?
Did I miss something?
There does not seem to be any suggestion that "critical" systems were either infected or connected to the Internet.
As far as I can recall, no new reactors have been built in France for nearly 20 years, and at that time the internet was barely noticed.
The architecture of the approved control systems would not have included anything like Internet connectivity. If I recall correctly, the operator workstations were not even empowered to perform control actions and were limited to monitoring functions - there was no way that a computer that ran any sort of sophisticated graphics could meet the SIL rating required to be involved in control.
Over the intervening years there have almost certainly been some system upgrades, but the SIL aspect of computers has not improved so I would expect that the actual control is still performed by dedicated embedded computers using relatively primitive operating systems. That's not to say that they are automatically immune to network issues (if they are network connected) but your average computer virus or other malware would not get a foothold.
Whereas some Power Stations may use Siemens style PLCs to control them, Nuclear ones would not. They have to meet other regulations.
"no new reactors have been built in France for nearly 20 years..."
Try to lookup Civaux-1 & 2...
Beside, nuclear power plants are constantly upgraded, thanks god...