Japan's Nuclear Crisis, Stuxnet and SCADA Defenses



Monday, March 21, 2011



Anthony M. Freed


The devastation in Japan caused by the recent earthquake and tsunami is truly heart-wrenching, especially when one considers how millions of lives can be turned upside down in a matter of a few minutes.

In no way is this article intended to draw any attention away from the plight of the people now suffering in the earthquake's aftermath, as our concerns should be for them first and foremost.

With that caveat aside, I believe we can use the events that are unfolding in Japan as a learning opportunity regarding the possible consequences of a sophisticated Stuxnet-type attack against SCADA networks at a nuclear facility. 

Stuxnet is a highly sophisticated designer-virus that wreaks havoc with SCADA systems, which provide operational control for critical infrastructure and production networks, such as those used to operate a nuclear power plant.

Stuxnet-type viruses are uniquely dangerous because they are capable not only of affecting network computer systems but also of causing actual physical damage to the equipment the networks control.

Specifically, Stuxnet damaged equipment at Iran's Natanz uranium enrichment facility, which reportedly set back the nation's nuclear program several years.

From what I understand of the current crisis in Japan, the problems at the nuclear facilities did not stem from the reactors themselves sustaining significant damage in the earthquake.

Instead, the problem with the reactor cores over-heating was caused by a disruption to the power and water supplies that are needed for the cooling systems. The problem was compounded by the destruction of the backup generators for the cooling system pumps in the subsequent tsunami.

In the past, the majority of these systems were operated manually or by analog control systems like electro-mechanical relays, but that is changing.

A senior member of the technical staff at one of our nation's largest and most prestigious national research laboratories indicated that a significant number of the nuclear facilities in the U.S. have modernized the controls for those auxiliary systems, and are now employing Programmable Logic Controllers (PLCs).

According to the source, at least one facility specifically uses Siemens PLCs, the same type attacked by Stuxnet at Natanz in Iran.

If both the primary and redundant cooling components at that nuclear facility used PLCs and were hit with a Stuxnet-type attack that was able to cause physical damage to the equipment - we might witness events similar to those which are now playing out in Japan.

Granted, a Stuxnet-type attack would not also destroy roads and other infrastructure, or divert emergency response resources to other concerns. But, as far as the problems with cooling the reactor core, the challenges would be inherently similar.

I asked Richard Stiennon if he could provide some insight on this hypothetical scenario. Richard is the Chief Research Analyst and founder of IT-Harvest, an independent analyst firm that focuses on IT and network security.

Richard is also the author of the thought-provoking book Surviving Cyber War, a holder of Gartner's Thought Leadership award, and was named "one of the 50 most powerful people in Networking" by NetworkWorld Magazine.

Stiennon confirms that a Stuxnet-type attack could theoretically cause reactor core cooling systems to be disrupted:

"Stuxnet targeted high speed rotating machinery controls, most probably the Uranium enrichment centrifuges in Iran. Both electricity generators and water pumps are examples of rotating machinery that are also controlled in industrial systems by PLCs (Programmable Logic Controllers). Communications with industrial control systems, often via SCADA, can be a vector for attack, or as in the case of Stuxnet, malware can be introduced directly by a bad actor. It is not hard to extrapolate that designer-malware could target these systems with the intent to shut them down and cause at the very least the emergency shut down of a nuclear power plant, at the worst, release of a radioactive plume and the permanent disabling of the reactor - as has happened in Japan," Stiennon replied via email.

Numerous experts have speculated that a major cyber attack on critical infrastructure would most likely not occur in isolation, but in conjunction with a conventional kinetic attack, which would present a situation even more similar to what we are witnessing in the aftermath of the natural disaster that occurred in Japan.

But if a non-kinetic Stuxnet-like attack could in effect produce serious kinetic damage on the magnitude of disabling a nuclear facility, or worse, the discharge of radioactive material and the potential for a core meltdown, the notion that such an attack would only occur in conjunction with a traditional military offensive seems to be less likely.

Recently, the International Society of Automation announced the formation of a task group to conduct a gap analysis on the ANSI standards governing SCADA security to evaluate how well organizations following the ISA99 standard would have responded to a Stuxnet-type attack.

While the ISA study will focus on network responses, perhaps other regulatory entities should begin to study what a successful post-Stuxnet attack environment could actually look like.

Evaluation of the challenges Japan is currently facing could provide valuable insight in the event there is ever a successful attack on SCADA systems controlling auxiliary systems at a nuclear facility.

"The one lesson to draw from the unfolding crisis is that risk planners have to expand worst case scenarios. While most nuclear power plants are not on faults (with the notable exception of Diablo Canyon in California) they are all subject to mechanical failures induced by malware introduced to their networks. Redundancy and fail safe measures cannot rely on power, computers, or networks. This applies to nuclear power plants as well as data centers, electrical grids, and communication systems," Stiennon concludes.
