[ISN] U.N. warns of nuclear cyber attack risk

InfoSec News isn at c4i.org
Tue Sep 28 05:13:39 EDT 2004


By Kevin Poulsen
Sept 27 2004 

The United Nations' nuclear watchdog agency warned Friday of growing
concern about cyber attacks against nuclear facilities.

The International Atomic Energy Agency (IAEA) announced in a statement
that it was developing new guidelines aimed at combating the danger of
computerized attacks by outside intruders or corrupt insiders. "For
example, software operated control systems in a nuclear facility could
be hacked or the software corrupted by staff with insider access," the
group said.

The IAEA's new guidelines on "Security of Information Technology
Related Equipment and Software Based Controls Against Malevolent Acts"  
are being finalized now, said the agency. The announcement came out of
the agency's 48th annual general conference attended by 137 nations.

Last year the Slammer worm penetrated a private computer network at
Ohio's idled Davis-Besse nuclear plant and disabled a safety
monitoring system for nearly five hours. The worm entered the plant
network through an interconnected contractor's network, bypassing
Davis-Besse's firewall.

News of the Davis-Besse incident prompted Rep. Edward Markey (D-MA)  
last fall to call for U.S. regulators to establish cyber security
requirements for the 103 nuclear reactors operating in the U.S.,
specifically requiring firewalls and up-to-date patching of security
vulnerabilities. By that time the U.S. Nuclear Regulatory Commission
(NRC) had already begun working on an official manual to guide plant
operators in evaluating their cybersecurity posture.

But that document, finalized this month, "is not directive in nature,"  
says Jim Davis, director of operations at the Nuclear Energy
Institute, an industry association. "It does not establish a minimum
level of security or anything like that. That isn't the purpose of the

A related industry effort will establish management-level cyber
security guidelines for plant operators, says Davis, who believes
industry efforts are sufficient. "I think we are taking it
seriously... and I think if the industry doesn't go far enough in this
area we'll see more attention from regulators."

Neither the NRC manual nor the industry guidelines will be made

Separately, the NRC is working on a substantial revision of its
regulatory guide, "Criteria for Use of Computers in Safety Systems of
Nuclear Power Plants," which sets security and reliability criteria
for installing new computerized safety systems in plants. It would
replace the current guide, written in 1996, which is three pages long.

A working draft of the NRC guide reviewed by SecurityFocus would
encourage plant operators to consider the effect of each new safety
system on the plant's cyber security, and to develop response plans to
deal with computer incidents. Additionally, it would urge vendors to
maintain a secure development environment, and to probe their products
for backdoors and logic bombs before shipping.

More information about the ISN mailing list