Tuesday, January 06, 2015

Blackhat, Nuclear Energy and Cyber Security

While many of us were home for the holidays we couldn't escape the movie trailer for Blackhat, a cyber crime thriller directed by Michael Mann starring Chris Hemsworth. Set to premiere in the U.S. on January 16, the trailer includes a cyber attack on a nuclear power plant in China.

We've dealt with the issue of cyber security with some frequency here at NEI Nuclear Notes. I'd refer our readers back to a post written by NEI's Bill Gross almost two years ago that outlined industry actions in this area to mitigate against the possibility of a cyber attack (emphasis mine).
By December 31, 2012, each U.S. nuclear power plant has:
  • Isolated key control systems using either air-gaps or robust hardware based isolation devices. As a result, the key safety, security, and power generation equipment at the plants are protected from any network based cyber attacks originating outside the plant.
  • Enhanced and implemented robust controls over the use of portable media and equipment. Where devices like thumb drives, CD’s, and laptops are used to interface with plant equipment, measures are in place to minimize the cyber threat. These measures include such actions as: minimizing the use of devices that are not maintained at the plant; virus scanning devices both before and after being connected to plant equipment; and, implementing additional measures where the source of the data or device originates outside the plant. As a result, the plants are well protected from attacks like Stuxnet, that propagated through the use of portable media.
  • Enhanced defenses against the insider threat. Training and insider mitigation programs have been enhanced to include cyber attributes. Individuals who work with digital plant equipment are subject to increased security screening, cyber security training, and behavioral observation.
  • Implemented cyber security controls to protect equipment deemed most essential for the protection of the public health and safety. While full implementation of cyber security controls for all digital equipment requiring protection will take some time, plants have prioritized the implementation to cover the assets most essential to the public health and safety.
  • Implemented measures to maintain the effectiveness of the implemented portions of the program. These measures include maintaining the equipment described above in the plant configuration management program, ensuring changes to the equipment are performed in a controlled way. A cyber security impact analysis is performed before making changes to the equipment. The effectiveness of implemented cyber security controls is periodically assessed, and enhancements made where necessary. Vulnerability assessments are performed to ensure the cyber security posture of the equipment is maintained.
Despite these procedures, continued vigilance is key, something that's equally true for both cyber and physical security. In the meantime, we'll be keeping an eye on this film and screening it when it comes to theaters in the U.S. next week.


jimwg said...

Excellent feature to set science/tech illiterate reporters straight with. Shoot some copies out to every media outlet and news site. Stuff like this shouldn't nearly be a closed secret to blogs like this!

James Greenidge
Queens NY

Paul Deeds said...

From what I could see in the movie trailer, the producers confused the cooling tower which cools the non-radioactive turbine cooling water from the reactor containment building which houses the reactor and where the radioactivity and contamination are located. Further, how a cyber attack could damage a cooling tower as shown in the trailer, is beyond me.